«   2018/08   »
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31  
Tags
more
Archives
Today
0
Total
246
관리 메뉴

Maru's

webhacking.kr 5번 본문

Webhacking.kr

webhacking.kr 5번

Maru.Maru 2017.07.16 20:57

개인적으로 더럽게 노가다문제였다. (하는 방법을 모르니.. )

Login 과 Join 있다. Join을 누르면 밑처럼 Access_Denied 가 뜨고

윗처럼 login을 누르면 /mem/login.php로 넘어간다 여기서 이상한점은 mem이라는 곳으로 넘어가는 것 이여서 디렉토리 리스팅 취약점이 있을까 확인을 해보았다.

Index of /hint라는 곳에 접근이 가능했고 이곳에는 join.php 파일이 있어 들어가 보았다. 들어가보니 아무것도 없어 소스를 보니

이 문제가 왜 300점 인지 알거같은 난독화가 되어 있었다. 이 난독화 된 코드를 정리해보면

<html>
<title>Challenge 5</title>
</head>

<body bgcolor=black>
    <center>
        <script>
            l = 'a';
            ll = 'b';
            lll = 'c';
            llll = 'd';
            lllll = 'e';
            llllll = 'f';
            lllllll = 'g';
            llllllll = 'h';
            lllllllll = 'i';
            llllllllll = 'j';
            lllllllllll = 'k';
            llllllllllll = 'l';
            lllllllllllll = 'm';
            llllllllllllll = 'n';
            lllllllllllllll = 'o';
            llllllllllllllll = 'p';
            lllllllllllllllll = 'q';
            llllllllllllllllll = 'r';
            lllllllllllllllllll = 's';
            llllllllllllllllllll = 't';
            lllllllllllllllllllll = 'u';
            llllllllllllllllllllll = 'v';
            lllllllllllllllllllllll = 'w';
            llllllllllllllllllllllll = 'x';
            lllllllllllllllllllllllll = 'y';
            llllllllllllllllllllllllll = 'z';
            I = '1';
            II = '2';
            III = '3';
            IIII = '4';
            IIIII = '5';
            IIIIII = '6';
            IIIIIII = '7';
            IIIIIIII = '8';
            IIIIIIIII = '9';
            IIIIIIIIII = '0';
            li = '.';
            ii = '<';
            iii = '>';
            lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
            lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
            if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
                bye;
            }
            if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
                alert('access_denied');
                history.go(-1);
            } else {
                document.write('<font size=2 color=white>Join</font><p>');
                document.write('.<p>.<p>.<p>.<p>.<p>');
                document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll +
                    '>');
                document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=5></td></tr>');
                document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + ' maxlength=10></td></tr>');
                document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
            }
        </script>
</body>

</html>

 

이렇게 였고 이걸 조금더 풀어보면

if (eval(document.cookie).indexOf(oldzombie) == -1) {
                bye;
            }
            if (eval(document.URL).indexOf(mode+'='+1) == -1) {
                alert('access_denied');
                history.go(-1);
            } else {
                document.write('<font size=2 color=white>Join</font><p>');
                document.write('.<p>.<p>.<p>.<p>.<p>');
                document.write('<form method=post action=' + join.php+');
                document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' +id+ ' maxlength=5></td></tr>');
                document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' +pw+ ' maxlength=10></td></tr>');
                document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
            }

이였고 이코드를 해석해 보면 oldzombie라는 쿠키에 쿠키 값이 들어가 있어야 하고 mode 라는 변수에 1이 들어가 있어야 된다고 한다.

 

원하는대로 해주었더니 id와 pass를 적는 란이 나왓고 제출 란이 나왔다. 여기서 아이디를 가입해서 넣는 것으로 보였다.

여기서잠깐 login.php를 보면 id에 다른 값을 주면 you'r not admin 이 뜨고 id 에 admin을 주면 비밀 번호가 틀렸다고 나온다. 그러니 join에 admin으로 아이디를 만들면 될 것 같았다.

id 값은 총 5글자 밖에 적을 수 없어서 admin 과 1234로 제출을 해보았다.

admin은 이미 존재한다고 나온다. 그렇다면 글자 수를 늘려서 admin보다 더 길게 적어 admin만 인식하도록 해보았다. admin(이후 스페이스바한번) 비밀번호 1234

sign up 이 출력되고

login.php에 입력해보면 문제가 해결된다. 보아하니 데이터베이스에 저장할 때 총 다섯글자 까지만 저장을하고 나머지는 잘라버리는 것 같았다.

 

'Webhacking.kr' 카테고리의 다른 글

webhacking.kr 23번  (0) 2017.07.16
webhacking.kr 5번  (0) 2017.07.16
webhacking.kr 1번  (0) 2017.07.16
webhacking.kr 12번  (0) 2017.07.16
Webhacking.kr 42번  (0) 2017.07.16
Webhacking.kr 33번  (0) 2017.07.16
0 Comments
댓글쓰기 폼