Upgrade to Pro — share decks privately, control downloads, hide ads and more …

20140904_(cyber_security)_How_to_automate_webhacking.kr_with_Python_presentation

re4lfl0w
September 22, 2015
Programming
0
16

 20140904_(cyber_security)_How_to_automate_webhacking.kr_with_Python_presentation

20140904_(cyber_security)_How_to_automate_webhacking.kr_with_Python_presentation

re4lfl0w

September 22, 2015
Tweet

Other Decks in Programming

See All in Programming
Folding Cheat Sheet #1
philipschwarz
PRO
0
200
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
310
Introduction for Open Source Swift Workshop
giginet
PRO
0
1k
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
140
ログラスを支える設計標準について / loglass-design-standards
urmot
10
2.1k
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
190
Javaエンジニアのための Nodejs/Nuxt3入門
hidekatsu_izuno
0
250
どうしてこうなった命名集 ~🔥編~ / OOC 2024 LT
pictiny
5
3.9k
コードレビューで学ぶ!Kotlinオブジェクト指向デザインパターン
akkie76
2
170
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
240
両面どころかインフラもTSでできるよ ~ 全方位TypeScriptによるプロダクト開発 ~
myfinder
9
3.2k
pixivアプリでマルチモジュールを実現するまで
gatosyocora
1
130

Featured

See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
13
1.5k
Reflections from 52 weeks, 52 projects
jeffersonlam
343
19k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
Making Projects Easy
brettharned
106
5.5k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Testing 201, or: Great Expectations
jmmastey
27
6.3k
Navigating Team Friction
lara
177
13k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.6k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
16
6.3k
Typedesign – Prime Four
hannesfritz
36
2k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
5
1.5k
Building Your Own Lightsaber
phodgson
97
5.7k

Transcript

  1. How to automate webhacking.kr with python How to automate webhacking.kr

    with Python © ઑӔ৔ 2015 1

  2. Who are you? • ઑӔ৔, թ੗ࢎۈ • Python જইೣ •

    Data Analysis, TDD, Penetration Testing, DevOps, Machine Learning, NLP ҙब • githubgithub • ౵ਵܻॆ ਍৔੗euripy euripy http://euripy.github.io github https://github.com/re4lfl0w/ How to automate webhacking.kr with Python © ઑӔ৔ 2015 2

  3. Casting • ܻ࠭1 1 Hardware Hacking Training Epilogue How to

    automate webhacking.kr with Python © ઑӔ৔ 2015 3

  4. Why? How to automate webhacking.kr with Python © ઑӔ৔ 2015

    4

  5. ೵... How to automate webhacking.kr with Python © ઑӔ৔ 2015

    5

  6. 5000 ѐ... How to automate webhacking.kr with Python © ઑӔ৔

    2015 6

  7. ੌ߈੸ੋ ಽ੉ח ցޖ ݆׮!! જই? Ӓۧ׮ݶ ର߹ചܳ ೞӝ ਤ೧ࢲח?? How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 7

  8. Python How to automate webhacking.kr with Python © ઑӔ৔ 2015

    8

  9. Python How to automate webhacking.kr with Python © ઑӔ৔ 2015

    9

  10. Python How to automate webhacking.kr with Python © ઑӔ৔ 2015

    10

  11. Python!! How to automate webhacking.kr with Python © ઑӔ৔ 2015

    11

  12. જই... Webhacking.kr ࢎր ೞ۞ оࠁ੗ ੌױ ݾରܳ ೠ ߣ ࠊࠅө

    How to automate webhacking.kr with Python © ઑӔ৔ 2015 12

  13. 1ੌର • ੉ۿ ߂ पण ળ࠺ • դ੉ب ೞ ޙઁ

    ಽ੉(੗߄झ௼݀౟, ౵ۄ޷ఠ ߸ઑ) How to automate webhacking.kr with Python © ઑӔ৔ 2015 13

  14. 2ੌର • դ੉ب ઺ ޙઁ ಽ੉(౵ۄ޷ఠ ߸ઑ, XSS ١) How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 14

  15. 3ੌର • դ੉ب ઺ ~ ࢚ ޙઁ ಽ੉(SQL Injection) How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 15

  16. ੗߄झ௼݀౟ ౵ۄ޷ఠ ߸ઑ XSS SQL Injection How to automate webhacking.kr

    with Python © ઑӔ৔ 2015 16

  17. ଼ਵ۽ח ݆੉ ࠌחؘ ޙઁ ಽ੉ח ݆੉ ೧ࠁ૑ ঋ਺ જই! ب੹੉׮

    How to automate webhacking.kr with Python © ઑӔ৔ 2015 17

  18. Key Point How to automate webhacking.kr with Python © ઑӔ৔

    2015 18

  19. Key Point • ղо ݈ೞҊ੗ ೞחѪ਷ ޙઁܳ ݃઱ଢ଼ਸ ٸ যڌѱ

    ೧ Ѿೞח૑? How to automate webhacking.kr with Python © ઑӔ৔ 2015 19

  20. Key Point • ղо ݈ೞҊ੗ ೞחѪ਷ ޙઁܳ ݃઱ଢ଼ਸ ٸ যڌѱ

    ೧ Ѿೞח૑? • ঐޗ૑ী ੓ח ࢎҊ੄ җ੿ਸ ࠁৈ઱חؘ ୡ੼ How to automate webhacking.kr with Python © ઑӔ৔ 2015 20

  21. Key Point • ղо ݈ೞҊ੗ ೞחѪ਷ ޙઁܳ ݃઱ଢ଼ਸ ٸ যڌѱ

    ೧ Ѿೞח૑? • ঐޗ૑ী ੓ח ࢎҊ੄ җ੿ਸ ࠁৈ઱חؘ ୡ੼ • Ѿҗܳ ٜ݅যࢲ ؀ױೞ૑? ۄחѱ ੉ ठۄ੉٘ীࢲ ਗ ೞחѱ ইש How to automate webhacking.kr with Python © ઑӔ৔ 2015 21

  22. Key Point • ղо ݈ೞҊ੗ ೞחѪ਷ ޙઁܳ ݃઱ଢ଼ਸ ٸ যڌѱ

    ೧ Ѿೞח૑? • ঐޗ૑ী ੓ח ࢎҊ੄ җ੿ਸ ࠁৈ઱חؘ ୡ੼ • Ѿҗܳ ٜ݅যࢲ ؀ױೞ૑? ۄחѱ ੉ ठۄ੉٘ীࢲ ਗ ೞחѱ ইש • ૒ҙ, ੄ࢎѾ੿, ࢚ട౵ঈ ١ਸ যڌѱ ೮ח૑ ࠁৈ઱ח ѱ Point How to automate webhacking.kr with Python © ઑӔ৔ 2015 22

  23. ੗زചী ೙ਃೠ ࣽࢲ 1. ۽Ӓੋ 2. ޙઁ ࠁӝ • Highlight

    ޙઁ • ੿۳ ޙઁ 3. ޙઁ ࣗझ ࠁӝ 4. ੋૐೞӝ How to automate webhacking.kr with Python © ઑӔ৔ 2015 23

  24. 1. ۽Ӓੋ How to automate webhacking.kr with Python © ઑӔ৔

    2015 24

  25. webhacking.kr਷ ۽Ӓੋ੉ غয੓૑ ঋਵݶ ۽Ӓੋ ಕ੉૑۽ ج۰ࠁն How to automate

    webhacking.kr with Python © ઑӔ৔ 2015 25

  26. ੗زചܳ ೞӝ ਤ೧ࢲח ۽Ӓੋ ੿ࠁо ೙ਃೣ How to automate webhacking.kr

    with Python © ઑӔ৔ 2015 26

  27. ۽Ӓੋ ੿ࠁܳ ਬ૑ೞӝ ਤೠ ౵੉ ॆ ۄ੉࠳۞ܻо ޤо ੓૑? How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 27

  28. Violent Python ী աৡ mechanizeܳ ࢎਊೞ੗2 2 (http://www.yes24.com/24/goods/8433461?scode=032&OzSrank=1) How to

    automate webhacking.kr with Python © ઑӔ৔ 2015 28

  29. ۽Ӓੋ How to automate webhacking.kr with Python © ઑӔ৔ 2015

    29

  30. ౵ۄ޷ఠ ഛੋ How to automate webhacking.kr with Python © ઑӔ৔

    2015 30

  31. જই, ց۽ ੿೮׮! How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 31

  32. Packet capture login info with wireshark How to automate webhacking.kr

    with Python © ઑӔ৔ 2015 32

  33. ইೞ! POST method۽ id, pwܳ ੋ੗۽ ֈӝחҳա. How to automate

    webhacking.kr with Python © ઑӔ৔ 2015 33

  34. Login Mechanize Source import mechanize import urllib import urlparse from

    custom_source.login import id_, pw login_url = 'http://webhacking.kr/index.html?enter=1' data = urllib.urlencode({'id':id_, 'pw':pw}) browser = mechanize.Browser() resp = browser.open(login_url, data).read() How to automate webhacking.kr with Python © ઑӔ৔ 2015 34

  35. 2. ޙઁ ࠁӝ How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 35

  36. No. 15 • ݾ੸: ੗߄झ௼݀౟ ࣗझ ഛੋ How to automate

    webhacking.kr with Python © ઑӔ৔ 2015 36

  37. Print source resp = browser.open(index_url).read() resp = browser.open(challenge_url).read() def join_url(url,

    base_url='http://webhacking.kr'): if 'view-source:' in url: url = url.replace('view-source:', '') if 'webhacking' in url and 'http' not in url: return '{0}{1}'.format('http://', url) return urlparse.urljoin(base_url, url) def print_source(url): resp = browser.open(join_url(url)).read() print(resp) return resp print_source('challenge/javascript/js2.html') How to automate webhacking.kr with Python © ઑӔ৔ 2015 37

  38. print_source output How to automate webhacking.kr with Python © ઑӔ৔

    2015 38

  39. Colorful ೞ૑ب ঋҊ, Syntax Highlightب উغয ੓Ҋ, Python ਬ੷ীѱח Ӓ੷

    Ҋդҗ ৉҃ How to automate webhacking.kr with Python © ઑӔ৔ 2015 39

  40. જই, Syntax Highlightо غח Ѫ ਸ ଺ইࠁ੗! How to automate

    webhacking.kr with Python © ઑӔ৔ 2015 40

  41. Googling! How to automate webhacking.kr with Python © ઑӔ৔ 2015

    41

  42. Pygments? ޤ૑?1 This is the home of Pygments. It is

    a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code. Highlights are: • a wide range of over 300 languages and other text formats is supported • special attention is paid to details that increase highlighting quality How to automate webhacking.kr with Python © ઑӔ৔ 2015 42

  43. Pygments? ޤ૑?2 • support for new languages and formats are

    added easily; most languages use a simple regex-based lexing mechanism • a number of output formats is available, among them HTML, RTF, LaTeX and ANSI sequences • it is usable as a command-line tool and as a library ... and it highlights even Perl 6! How to automate webhacking.kr with Python © ઑӔ৔ 2015 43

  44. Pygments Demo • Pygments Demo How to automate webhacking.kr with

    Python © ઑӔ৔ 2015 44

  45. ӭՔೠؘ..? Ӕؘ ੉Ѧ যڌѱ ղ ೐۽ં౟ী ੸ਊೞ૑? How to automate

    webhacking.kr with Python © ઑӔ৔ 2015 45

  46. ୊਺ীח ੉೧о উغ ঻׮.. How to automate webhacking.kr with Python

    © ઑӔ৔ 2015 46

  47. ৈӝ੷ӝ ҳӖ݂ ೞݶࢲ ଺ই׮פ׮ য٣ࢲ ࠌח૑ח ӝর੉ ա૑ ঋ૑݅ ৘ઁܳ

    ଺ও׮. ब ࠌ׮! How to automate webhacking.kr with Python © ઑӔ৔ 2015 47

  48. ੸ਊೞӝ ਤೠ ࢎ੹ ѐ֛ ೙ਃ pygments.highlight(code, lexer, formatter, outfile=None) •

    code: ੸ਊೞҊ੗ ೞח code • lexer: যڃ languageܳ highlight ೡ Ѫੋ૑?(ex: Python, C) • formatter: যڃ झఋੌਸ ࢎਊ ೡ Ѫੋ૑?(ex: default, friendly) • highlight: ୭ઙ ੸ਊೡ code, lexer, formatter ҳ೧ࢲ ֍য ઱੗! How to automate webhacking.kr with Python © ઑӔ৔ 2015 48

  49. Pygments original source lexer = get_lexer_by_name('html') formatter = HtmlFormatter(style='default', linenos=False,

    full=True) data = highlight(response, lexer, formatter) HTML(data=data) • HTML: IPython Notebookীࢲ HTMLਸ ࡸ۰઱ח ৉ೡ How to automate webhacking.kr with Python © ઑӔ৔ 2015 49

  50. Pygments original output How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 50

  51. য়য়য়... highlightо ػ׮. How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 51

  52. Ӕؘ ই૒ ੿۳੉ উع׮. How to automate webhacking.kr with Python

    © ઑӔ৔ 2015 52

  53. Ӕؘ ই૒ ੿۳੉ উع׮. ੉ઁ ࣗझী ੿۳೧઱ח beautifierܳ ࠢৈࠁ੗ How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 53

  54. beautifier റࠁҵ 1. original 2. jsbeautifier 3. beautifulsoup How to

    automate webhacking.kr with Python © ઑӔ৔ 2015 54

  55. jsbeautifier & beautifulsoup How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 55

  56. beautifier റࠁҵ ޙઁ੼ 1. original: ࣗझ ੿۳ উؽ 2. jsbeautifier:

    indent ؽ, tag ࢎ੉ী space ٜযо ח ޙઁ੼. • ৡۄੋ Online JavaScript beautifierח ੉۠ ޙ ઁ੼੉ হחؘ ޤо ޙઁੌө? issue ৢܿ 3. beautifulsoup: script উ੄ ࣗझо indentо উؽ How to automate webhacking.kr with Python © ઑӔ৔ 2015 56

  57. Ӓ݅ ఋഈೞ੗... How to automate webhacking.kr with Python © ઑӔ৔

    2015 57

  58. Ӓ݅ ఋഈೞ੗... Ӓա݃ html਷ ઁ؀۽ ੿۳੉ غחѦ ఖೞ੗ 3ߣ beautifulsoup

    ਸ ࢶఖೞҊ ޙઁ ಽ੗!! How to automate webhacking.kr with Python © ઑӔ৔ 2015 58

  59. No.15 Sourceীࢲ password is off_script How to automate webhacking.kr with

    Python © ઑӔ৔ 2015 59

  60. No.15 Auth • ޙઁ੼੉: ੋૐ߉ӝ ਤ೧ ੌੌ੉ ੑ۱೧ঠ ؽ..୓௼ ನ

    ੋ౟ How to automate webhacking.kr with Python © ઑӔ৔ 2015 60

  61. No. 17 • ݾ੸: ੗߄झ௼݀౟ ߸ࣻ ч ഛੋ How to

    automate webhacking.kr with Python © ઑӔ৔ 2015 61

  62. Print Source No. 17 How to automate webhacking.kr with Python

    © ઑӔ৔ 2015 62

  63. فو... mechanizeীࢲ javascriptܳ प೯ೡ ࣻ ੓חо? How to automate webhacking.kr

    with Python © ઑӔ৔ 2015 63

  64. ੌױ Python ਵ۽ ೧Ѿ೧ ࠁ੗! unlock = 100*10*10+100/10-10+10+50-9*8+7-6+5-4*3-2*1*10*100*10*10+100/10-10+10+... print(unlock/10) #

    python2 # 999780950 # python3 # 999780930.7 python2৬ python3ח division Ѿҗо ׮ܰ׮. python2ীࢲ python3৬ زੌೠ Ѿҗܳ ঳ӝ ਤ೧ ࢲ ୶оೞ੗ from __future__ import division How to automate webhacking.kr with Python © ઑӔ৔ 2015 64

  65. IPython੄ node.jsܳ प೯೧ࢲ ಽযࠁ੗ How to automate webhacking.kr with Python

    © ઑӔ৔ 2015 65

  66. ೼೼... য૰ٚ Python ਵ۽ ೧Ѿೞӟ ೮૑݅ ׮਺ীח যڌѱ ೧Ѿ೧ঠ ೡ૑...

    How to automate webhacking.kr with Python © ઑӔ৔ 2015 66

  67. No. 14 • ݾ੸: ߸ࣻ৬ ೣࣻ, onclick() ࢎਊߨ How to

    automate webhacking.kr with Python © ઑӔ৔ 2015 67

  68. Print Source No.14 resp = print_source('webhacking.kr/challenge/javascript/js1.html') <html> ... <form name="pw">

    <input type="text" name="input_pwd" /> <input type="button" value="check" onclick="ck()" /> </form> <script> function ck() { var ul=document.URL; ul=ul.indexOf(".kr"); ul=ul*30; if(ul==pw.input_pwd.value) { alert("Password is "+ul*pw.input_pwd.value); } else { alert("Wrong"); } } </script> </body> </html> How to automate webhacking.kr with Python © ઑӔ৔ 2015 68

  69. Chrome Development Tool & IPython ޙઁ੼: DOMী ੄೧ ࢤࢿغח document.URLਸ

    ੌੌ੉ ࠂࠢ೧ঠ ೠ׮. ૊, DOMਸ ઁয೧ঠ ೠ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 69

  70. ణॅ... ٘٣য DOM੉ ա৳ҳա4 যڌѱ ೧Ѿ೧ঠ ೞ૑? 4 DOM(Document Object

    Model) How to automate webhacking.kr with Python © ઑӔ৔ 2015 70

  71. ੗... അ੤ө૑ য়ݶࢲ যڃ ޙઁ੼ਸ וՙ࣑աਃ? How to automate webhacking.kr

    with Python © ઑӔ৔ 2015 71

  72. ੗... അ੤ө૑ য়ݶࢲ যڃ ޙઁ੼ਸ וՙ࣑աਃ? ੗زചೞӝ ਤೠ ҳр੉ ࠁ੉दաਃ?

    How to automate webhacking.kr with Python © ઑӔ৔ 2015 72

  73. അ੤ө૑ աఋդ ޙઁ੼ 1. ࣗझ ઱ࣗܳ ೠٲೠٲ ࠳ۄ਋੷ীࢲ ࠂࠢਸ ೧ঠೠ׮.

    2. javascriptܳ प೯ೡ ࣻ ੓חо? • प೯ೡ ࣻ ੓׮Ҋ ೧ب ࠳ۄ਋੷ী ઙࣘ੸ੋ ࢚ടী ࢲח যڌѱ ೡ Ѫੋо?(ex: DOM) 3. ࠳ۄ਋੷ী ೠٲೠٲ ࠂࠢਸ ೧ࢲ ੋૐਸ ೠ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 73

  74. ڂߏ ైୋ • दр: 9ਘ 4ੌ Әਃੌ ੷֘7द~9द • ੢ࣗ:

    ъթషૉఋਕ 2க How to automate webhacking.kr with Python © ઑӔ৔ 2015 74

  75. How to automate webhacking.kr with Python © ઑӔ৔ 2015 75

  76. Browser Controller Selenium How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 76

  77. ք ޖट ٛࠁ੟੉ঠ?! How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 77

  78. ҳӖ੉ ࢶఖೠ Test Framework How to automate webhacking.kr with Python

    © ઑӔ৔ 2015 78

  79. ୌ݃٣੄ ݈ࠁ׮ ೠ ߣ ࠁח ѱ ؊ ի׮ ޤೞח ֧ੋ૑ח

    ݢ੷ ࠁҊաࢲ Ҋ޹ How to automate webhacking.kr with Python © ઑӔ৔ 2015 79

  80. Demo Time How to automate webhacking.kr with Python © ઑӔ৔

    2015 80

  81. Selenium Simple Source from urllib import quote from urlparse import

    urljoin from time import sleep from selenium import webdriver driver = webdriver.Firefox() google_url = 'https://google.com/' sleep(5) driver.get(google_url) sleep(5) query = 'python' search_url = urljoin(google_url, 'search?q={}'.format(quote(query))) driver.get(search_url) sleep(10) driver.quit() How to automate webhacking.kr with Python © ઑӔ৔ 2015 81

  82. Why Selenium?1 • Frequent regression testing(੗઱ೞח ഥӈ పझ ౴) •

    Rapid feedback to developers(ѐߊ੗ীѱ ࡅܲ ೖ٘ߔ) • Virtually unlimited iterations of test case execution(о࢚ਵ۽ ઁೠহ੉ పझ౟ ா੉झ प೯) • Support for Agile and extreme development methodologies(ࡅܲ ѐߊ ߑߨۿਸ ૑ਗ) How to automate webhacking.kr with Python © ઑӔ৔ 2015 82

  83. Why Selenium?2 • Disciplined documentation of test cases(ӏѺ ച ػ

    పझ౟ ா੉झ੄ ޙࢲച) • Customized defect reporting(ѐѐੋ੄ ਃҳী ݏ ୸ ܻನ౴) • Finding defects missed by manual testing(ࣻز పझ౟۽ ࢤӝח Ѿೣਸ ଺ӝ) How to automate webhacking.kr with Python © ઑӔ৔ 2015 83

  84. ݈੉ ҭ੢൤ য۵׮... UI ߡӒܳ ࡅܲ दрղী ੟ӝ ਤ೧ࢲ పझ౟

    ೠ׮ח ѐ֛ਵ۽ ࠁݶ ؽ ࢎਊ੗ झషܻী ٮۄࢲ పझ౟ೞח Function Testingীب ࢎਊ ؽ դ 'Ӓ੷ ੗زച بҳ'۽ࢲ੄ दпਵ۽ ߄ۄࠆ How to automate webhacking.kr with Python © ઑӔ৔ 2015 84

  85. ޙઁ੼ਸ ׮द ೠ ߣ ࢓ಝࠁ੗. How to automate webhacking.kr with

    Python © ઑӔ৔ 2015 85

  86. അ੤ө૑ աఋդ ޙઁ੼ 1. ࣗझ ઱ࣗܳ ೠٲೠٲ ࠳ۄ਋੷ীࢲ ࠂࠢਸ ೧ঠೠ׮.

    2. javascriptܳ प೯ೡ ࣻ ੓חо? • प೯ೡ ࣻ ੓׮Ҋ ೧ب ࠳ۄ਋੷ী ઙࣘ੸ੋ ࢚ടী ࢲח যڌѱ ೡ Ѫੋо?(ex: DOM) 3. ࠳ۄ਋੷ী ೠٲೠٲ ࠂࠢਸ ೧ࢲ ੋૐਸ ೠ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 86

  87. 1. ࣗझ ઱ࣗ ࠂࠢ ޙઁ How to automate webhacking.kr with

    Python © ઑӔ৔ 2015 87

  88. ࠳ۄ਋੷ח যରೖ sourceܳ ߉ই৬ࢲ How to automate webhacking.kr with Python

    © ઑӔ৔ 2015 88

  89. ࠳ۄ਋੷ח যରೖ sourceܳ ߉ই৬ࢲ rendering ೧઱ח Ѫ߆ী হਗ਼ই? How to

    automate webhacking.kr with Python © ઑӔ৔ 2015 89

  90. ࠳ۄ਋੷ח যରೖ sourceܳ ߉ই৬ࢲ rendering ೧઱ח Ѫ߆ী হਗ਼ই? Ӓۧ׮ݶ ղо

    sourceীࢲ ઱ࣗܳ ঳যয়ݶ غ૑ঋա?! How to automate webhacking.kr with Python © ઑӔ৔ 2015 90

  91. જই ҊҊআ! How to automate webhacking.kr with Python © ઑӔ৔

    2015 91

  92. Challenge Page How to automate webhacking.kr with Python © ઑӔ৔

    2015 92

  93. ࠁ੉חо? How to automate webhacking.kr with Python © ઑӔ৔ 2015

    93

  94. ࠁ੉חо? onclick event۽ location.href ೣࣻо ഐ୹ػ׮. How to automate webhacking.kr

    with Python © ઑӔ৔ 2015 94

  95. onclick event Excute a JavaScript when a button is clicked

    <script> function myFunction() { document.getElementById("demo").innerHTML = "Hello World"; } </script> <button onclick="myFunction()">Click me</button> Hello Worldо ୹۱ػ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 95

  96. location.href Return the entire URL(of the current page) location.href='http://google.com' ੉۞ݶ

    ಕ੉૑о ҳӖ۽ ੉زೠ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 96

  97. ೧ࢳೞ੗ݶ onclick="location.href='challenge/web/web-01/'" click eventо ߊࢤ೮ਸ ٸ http://webhacking.kr/challenge/web/web-01/ ಕ੉૑۽ ੉زೠ׮. You

    got it? How to automate webhacking.kr with Python © ઑӔ৔ 2015 97

  98. Ӓۧ׮ݶ... ੷ onclick੄ ࣘࢿਸ ୶୹ೠ റী location.href੄ ࣘࢿਸ ୶୹ೞݶ challenge/web/web-01/

    ݅ ঳য૓׮ח ݈ॹ? How to automate webhacking.kr with Python © ઑӔ৔ 2015 98

  99. ࢚؀઱ࣗܳ ୶୹ೞӝ ਤ೧ࢲח DOMਸ ઁয೧ঠ غחؘ DOMਸ যڌѱ ઁয೧ঠ غחѢջ?

    How to automate webhacking.kr with Python © ઑӔ৔ 2015 99

  100. XPath XPath(XML Path Language)ח W3C੄ ಴ળਵ۽ ഛ੢ ࢤࢿ ঱য ޙࢲ੄

    ҳઑܳ ా೧ ҃۽ ਤী ૑੿ೠ ҳޙਸ ࢎ ਊೞৈ ೦ݾਸ ߓ஖ೞҊ ୊ܻೞח ߑߨਸ ӝࣿೞח ঱য੉ ׮. XML ಴അࠁ׮ ؊ औҊ ডয۽ غয ੓ਵݴ, XSL ߸ജ (XSLT)җ XML ૑द੗ ঱য(XPointer)ী ॳ੉ח ঱য੉ ׮. XPathח XML ޙࢲ੄ ֢٘ܳ ੿੄ೞӝ ਤೞৈ ҃۽ध ਸ ࢎਊೞݴ, ࣻ೟ ೣࣻ৬ ӝఋ ഛ੢ оמೠ ಴അٜ੉ ੓ ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 100

  101. ৉द ঱ઁա ٯٯೠ ੿੄ח য۰ਕ.. ੉೧ೞӝ औѱ exampleਸ ࠁ੗ How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 101

  102. XPathܳ ഝਊೠ title ୶୹ How to automate webhacking.kr with Python

    © ઑӔ৔ 2015 102

  103. title਷ ੜ ୶୹੉ ع׮. //title਷ title tagܳ //title/text()ח title੄ text݅(਋ܻо

    ਗೞ؍ Ѫ!) How to automate webhacking.kr with Python © ઑӔ৔ 2015 103

  104. ݃਋झ۽ ନ਷ XPath How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 104

  105. ݃਋झ۽ ନ਷ XPathܳ ࠁפ ҭ੢൤ য۵ѱ աఋա ੓׮. html/body/table/tbody/tr[2]/td/center/center/form/table/tbody/tr[1]/td[1]/input How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 105

  106. ݃਋झ۽ ନ਷ XPathܳ ࠁפ ҭ੢൤ য۵ѱ աఋա ੓׮. html/body/table/tbody/tr[2]/td/center/center/form/table/tbody/tr[1]/td[1]/input ੉Ѣ

    о૑Ҋ ޥо ୶୹ೞӝۆ ҭ੢൤ য۰਎ Ѫ э׮. ցޖ specific ೧. ௾ ౣ݅ ౵ঈೞҊ ߸ഋ೧ࠁ੗! How to automate webhacking.kr with Python © ઑӔ৔ 2015 106

  107. Ӓۧ׮ݶ ੉ઁ ࠄѺ੸ਵ۽ onclick੄ ࣘࢿਸ ୶୹೧ ࠁ੗ How to automate

    webhacking.kr with Python © ઑӔ৔ 2015 107

  108. challenge list ୶୹ How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 108

  109. XPath ഝਊ೧ࢲ onclick ࣘࢿ ୶୹ ੄ب஖ঋѱ IDо ࢶఖ੉ ػ׮. ੉۠Ѫਸ

    ੜ ୊ܻ೧ ઱੗ How to automate webhacking.kr with Python © ઑӔ৔ 2015 109

  110. ޙઁٜ੄ input tag݅ ࢶఖؽ webhacking.kr੄ ୨ ޙઁࣻח 66ޙઁ׮. ೞ૑݅ IDч੉

    ઁੌ ୊਺ী ನೣغ ӝ ٸޙী 67ѐ੄ ֢٘о ୶୹ػ Ѫਸ ഛੋ оמ How to automate webhacking.kr with Python © ઑӔ৔ 2015 110

  111. ޙઁ੄ tagٜਸ ୶୹೮׮..!! How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 111

  112. ׮ٜ ঌҊ ੓ѷ૑݅ Ӓېب ഛੋೞח ରਗীࢲ Tag৬ Attribute৬੄ ର੉੼ਸ ঌҊо੗

    How to automate webhacking.kr with Python © ઑӔ৔ 2015 112

  113. Tag & Attribute ର੉੼ Tag: form, table, tbody, tr, td

    Attribute: type, onclick, style, background, color, onmouseout, onmouseover How to automate webhacking.kr with Python © ઑӔ৔ 2015 113

  114. @ܳ ࠢৈ઱ݶ Attribute ੽Ӕ о מ //form/table/tbody/tr/td/input/@onclick प਷ աب Attribute

    ୶ ୹ೞח Ѫਸ ߊ಴ ળ࠺ೞݶ ࢲ ӵ׳ও׮. ৉द ߊ಴ೞחѤ ߊ಴੗ী ѱ ؊ ب਑੉ غח ੌ How to automate webhacking.kr with Python © ઑӔ৔ 2015 114

  115. Ӓۢ ੉ઁ sourceױীࢲ Parsing੉ оמೞ޲۽ ࠂࠢਸ ೞ૑ ঋইب ػ׮. How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 115

  116. അ੤ө૑ աఋդ ޙઁ੼ 1. ࣗझ ઱ࣗܳ ೠٲೠٲ ࠳ۄ਋੷ীࢲ ࠂࠢਸ ೧ঠೠ׮.

    2. javascriptܳ प೯ೡ ࣻ ੓חо? • प೯ೡ ࣻ ੓׮Ҋ ೧ب ࠳ۄ਋੷ী ઙࣘ੸ੋ ࢚ടী ࢲח যڌѱ ೡ Ѫੋо?(ex: DOM) 3. ࠳ۄ਋੷ী ೠٲೠٲ ࠂࠢਸ ೧ࢲ ੋૐਸ ೠ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 116

  117. Ӓۢ ੉ઁ যו ੿ب ળ࠺о ՘դѪ э׮. Selenium ਵ۽ ۽Ӓੋࠗఠ

    ׮द! How to automate webhacking.kr with Python © ઑӔ৔ 2015 117

  118. ۽Ӓੋ ҳഅ਷ mechanize۽ ೧ࠌחؘ Selenium਷ ׮ܲ ߑध੉׮. How to automate

    webhacking.kr with Python © ઑӔ৔ 2015 118

  119. Selenium਷ ਋ܻо ੌ߈੸ਵ۽ Browserܳ ࢎਊೞח ߑधҗ ڙэ੉ ࢎਊೞݶ ػ׮. How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 119

  120. Login Logic 1. Connect Login Webpage How to automate webhacking.kr

    with Python © ઑӔ৔ 2015 120

  121. Login Logic 1. Connect Login Webpage 2. Input ID How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 121

  122. Login Logic 1. Connect Login Webpage 2. Input ID 3.

    Input PW How to automate webhacking.kr with Python © ઑӔ৔ 2015 122

  123. Login Logic 1. Connect Login Webpage 2. Input ID 3.

    Input PW 4. Click Login button How to automate webhacking.kr with Python © ઑӔ৔ 2015 123

  124. webhacking.kr Login Analysis <form method="post" action="index.html?enter=1" name="lf" onkeypress="if(event.keyCode==13)go();"> </form> function

    go() { if(lf.id.value=="") { lf.id.focus(); return; } if(lf.pw.value=="") { lf.pw.focus(); return; } lf.submit(); } How to automate webhacking.kr with Python © ઑӔ৔ 2015 124

  125. webhacking.kr Login Analysis <form method="post" action="index.html?enter=1" name="lf" onkeypress="if(event.keyCode==13)go();"> </form> function

    go() { if(lf.id.value=="") { lf.id.focus(); return; } if(lf.pw.value=="") { lf.pw.focus(); return; } lf.submit(); } ۽Ӓੋ ೞ۰ݶ javascriptܳ ॄঠغ֎?! How to automate webhacking.kr with Python © ઑӔ৔ 2015 125

  126. ೙ਃೠ ೣٜࣻ ݢ੷ Import # built-in import urllib import urlparse

    import re import time # third-party import jsbeautifier import mechanize from selenium import webdriver from BeautifulSoup import BeautifulSoup as bs from pygments import highlight from pygments.lexers import get_lexer_by_name from pygments.formatters.html import HtmlFormatter from IPython.display import HTML # custom from custom_source.login import id_, pw login_url = 'http://webhacking.kr/index.html?enter=1' index_url = 'http://webhacking.kr/index.php' challenge_url = 'http://webhacking.kr/index.php?mode=challenge' auth_url = 'http://webhacking.kr/index.php?mode=auth' How to automate webhacking.kr with Python © ઑӔ৔ 2015 126

  127. Login ҳഅ Source from urllib import quote from urlparse import

    urljoin from time import sleep from selenium import webdriver WAIT = 1 driver = webdriver.Firefox() sleep(WAIT) driver.get(login_url) sleep(WAIT) sleep(WAIT) driver.find_element_by_name('id').send_keys(id_) driver.find_element_by_name('pw').send_keys(pw) driver.execute_script('go();') # javascript प೯೧ࢲ ۽Ӓੋ! sleep(10) driver.quit() How to automate webhacking.kr with Python © ઑӔ৔ 2015 127

  128. Demo Time How to automate webhacking.kr with Python © ઑӔ৔

    2015 128

  129. Login ҳഅೞݶࢲ javascript ޙઁө૑ ೧Ѿ! How to automate webhacking.kr with

    Python © ઑӔ৔ 2015 129

  130. അ੤ө૑ աఋդ ޙઁ੼ 1. ࣗझ ઱ࣗܳ ೠٲೠٲ ࠳ۄ਋੷ীࢲ ࠂࠢਸ ೧ঠೠ׮.

    2. javascriptܳ प೯ೡ ࣻ ੓חо? • प೯ೡ ࣻ ੓׮Ҋ ೧ب ࠳ۄ਋੷ী ઙࣘ੸ੋ ࢚ടী ࢲח যڌѱ ೡ Ѫੋо?(ex: DOM) 3. ࠳ۄ਋੷ী ೠٲೠٲ ࠂࠢਸ ೧ࢲ ੋૐਸ ೠ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 130

  131. ੉ઁ ੋૐ݅ ೧Ѿೞݶ ػ׮! How to automate webhacking.kr with Python

    © ઑӔ৔ 2015 131

  132. Auth Analysis <form method="post" action="?mode=auth_go"> <table> <tbody> <tr> <td>Flag</td> <td>

    <input type="text" name="answer" size="100"> </td> </tr> <tr> <td colspan="2" align="center"> <input type="submit" value="Submit"> <br><br> Do not brute-force </td> </tr> </tbody> </table> </form> How to automate webhacking.kr with Python © ઑӔ৔ 2015 132

  133. Auth ҳഅ Source sleep(WAIT) driver.get(auth_url) sleep(WAIT) sleep(WAIT) answer = 'off_script'

    driver.find_element_by_name('answer').send_keys(answer) # nameਵ۽ب ࢶఖ оמ # css selector۽ب ࢶఖ оמ driver.find_elements_by_css_selector('form table tbody tr td input')[-1].click() sleep(WAIT) sleep(10) driver.switch_to.alert.accept() # ઺ਃ! alertହ হগ઻ঠ ೠ׮! sleep(10) How to automate webhacking.kr with Python © ઑӔ৔ 2015 133

  134. Demo Time How to automate webhacking.kr with Python © ઑӔ৔

    2015 134

  135. അ੤ө૑ աఋդ ޙઁ੼ 1. ࣗझ ઱ࣗܳ ೠٲೠٲ ࠳ۄ਋੷ীࢲ ࠂࠢਸ ೧ঠೠ׮.

    2. javascriptܳ प೯ೡ ࣻ ੓חо? • प೯ೡ ࣻ ੓׮Ҋ ೧ب ࠳ۄ਋੷ী ઙࣘ੸ੋ ࢚ടী ࢲח যڌѱ ೡ Ѫੋо?(ex: DOM) 3. ࠳ۄ਋੷ী ೠٲೠٲ ࠂࠢਸ ೧ࢲ ੋૐਸ ೠ׮. How to automate webhacking.kr with Python © ઑӔ৔ 2015 135

  136. റ... ٘٣য ޙઁ੼ਸ ݽف ೧Ѿ೮׮. How to automate webhacking.kr with

    Python © ઑӔ৔ 2015 136

  137. ੌױ ޙઁ੼਷ ೧Ѿع૑݅ How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 137

  138. ੌױ ޙઁ੼਷ ೧Ѿع૑݅ ੤ࢎਊೞӝ ಞೠ ௿ېझ۽ ߸ജ೧ঠ ೠ׮. How to

    automate webhacking.kr with Python © ઑӔ৔ 2015 138

  139. ੌױ ޙઁ੼਷ ೧Ѿع૑݅ ੤ࢎਊೞӝ ಞೠ ௿ېझ۽ ߸ജ೧ঠ ೠ׮. Refactoring੄ दр

    How to automate webhacking.kr with Python © ઑӔ৔ 2015 139

  140. Refactoring 1. login: login ҳഅ. ࢎਊ੗ id, pw ੑ۱ How

    to automate webhacking.kr with Python © ઑӔ৔ 2015 140

  141. Refactoring 1. login: login ҳഅ. ࢎਊ੗ id, pw ੑ۱ 2.

    view_challenge: challenge.html ਸ ౵य೧ࢲ ޙ ઁٜ ઱ࣗ ୶୹ How to automate webhacking.kr with Python © ઑӔ৔ 2015 141

  142. Refactoring 1. login: login ҳഅ. ࢎਊ੗ id, pw ੑ۱ 2.

    view_challenge: challenge.html ਸ ౵य೧ࢲ ޙ ઁٜ ઱ࣗ ୶୹ 3. print_problem_source: ࣗझ ୹۱ How to automate webhacking.kr with Python © ઑӔ৔ 2015 142

  143. Refactoring 1. login: login ҳഅ. ࢎਊ੗ id, pw ੑ۱ 2.

    view_challenge: challenge.html ਸ ౵य೧ࢲ ޙ ઁٜ ઱ࣗ ୶୹ 3. print_problem_source: ࣗझ ୹۱ 4. print_index_phps: ޙઁ ಕ੉૑ উ੄ ࣗझ ୹۱ How to automate webhacking.kr with Python © ઑӔ৔ 2015 143

  144. Refactoring 1. login: login ҳഅ. ࢎਊ੗ id, pw ੑ۱ 2.

    view_challenge: challenge.html ਸ ౵य೧ࢲ ޙ ઁٜ ઱ࣗ ୶୹ 3. print_problem_source: ࣗझ ୹۱ 4. print_index_phps: ޙઁ ಕ੉૑ উ੄ ࣗझ ୹۱ 5. auth: ੋૐ ಕ੉૑ How to automate webhacking.kr with Python © ઑӔ৔ 2015 144

  145. Refactoring 1. login: login ҳഅ. ࢎਊ੗ id, pw ੑ۱ 2.

    view_challenge: challenge.html ਸ ౵य೧ࢲ ޙ ઁٜ ઱ࣗ ୶୹ 3. print_problem_source: ࣗझ ୹۱ 4. print_index_phps: ޙઁ ಕ੉૑ উ੄ ࣗझ ୹۱ 5. auth: ੋૐ ಕ੉૑ 6. accept_alert: ੋૐ ಕ੉૑ীࢲ ഛੋ ߡౡ ௿ܼೞӝ How to automate webhacking.kr with Python © ઑӔ৔ 2015 145

  146. Class & Methods class webHacking(object): def __init__(self): def __del__(self): def

    login(self): def view_challenge(self): def print_problem_source(self, num): def print_index_phps(self, src='index.phps'): def auth(self, answer): def accept_alert(): How to automate webhacking.kr with Python © ઑӔ৔ 2015 146

  147. Mechanize ಺ एয! How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 147

  148. Ӕؘ וԕա..? How to automate webhacking.kr with Python © ઑӔ৔

    2015 148

  149. ୊਺ࠗఠ ੷ۧѱ ૞੐࢜੓ח ҳઑо աৡѤ ইפঠ. ࢗ૕ ೞ׮ࠁפө ੷ۧѱ ೞݶ

    ಞೡѪ эইࢲ աৡ ҳઑ.. ૊, ࢤп੄ ࢑ޛ How to automate webhacking.kr with Python © ઑӔ৔ 2015 149

  150. Demo Time How to automate webhacking.kr with Python © ઑӔ৔

    2015 150

  151. ղо ҕࠗೠ Resources 1. Selenium with Python 2. Selenium Testing

    Tools Cookbook How to automate webhacking.kr with Python © ઑӔ৔ 2015 151

  152. ನ௄ހ ࢎ૓ ୹୊ ನ௄ހझఠ ߬झ౟ਤद दો2 23ച ࢎషद ؀ ௏పஎ!

    ࠺ ޻߽ӝ ࢎਖ਼٘ۄ!! ܻ࠭ ನ௄ހझఠ ߬झ౟ਤद दો2 24ച Ѿ଱ ੒गܻӒ! How to automate webhacking.kr with Python © ઑӔ৔ 2015 152

  153. ࢎ੹ ૑ध • ੉ ૑ध੉ হਵݶ ষ୒դ ࢗ૕ ز߈ೣ! •

    virtualenv • pip How to automate webhacking.kr with Python © ઑӔ৔ 2015 153

  154. ա઺ী ୶оೡ ղਊٜ • print_problem_source, print_index_phps ࢸݺ (ppt ݅٘ח दр੉

    Ԩ ݆੉ ٚ׮. 40दр ੿ب ॵ٠.) • Proxy ੸ਊ೧ࢲ ౵ۄ޷ఠ ߸ઑ(੉ѱ ઁੌ х੉ উ ੟ ൩) • য૸ ࣻ হ੉ Fiddlerա Burp Suiteܳ ॄঠೡ٠ • XSS • SQL Injection • sqlmap How to automate webhacking.kr with Python © ઑӔ৔ 2015 154

  155. хࢎ೤פ׮ How to automate webhacking.kr with Python © ઑӔ৔ 2015

    155

  156. Q&A How to automate webhacking.kr with Python © ઑӔ৔ 2015

    156

  157. ݃૑݄ ೖ஠உѦ ૢߑ How to automate webhacking.kr with Python ©

    ઑӔ৔ 2015 157