webhacking.kr / Old 5

category Wargame/webhacking.kr 2019. 11. 7. 14:32

There are Login and Join buttons. Pressing Join pops up an Access_Denied alert, and pressing Login lets you submit an id and password to /mem/login.php. A quick test with id=admin and pw=t'OR'1'='1 only returns a login failure, so the clue to solving this must be in Join.

Looking at /mem shows join.php, so that must be the Join page. Opening it just kills the page with a "bye" alert and shows nothing, but checking the page source reveals some odd code.

<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>

It is obfuscated by string substitution: every identifier stands for a single character and the strings are glued together with +. Restoring it with Ctrl+H (find and replace) gets the original back.

<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
// the two glued-together names resolve to these two literals
needle='oldzombie';
target='document.cookie';
// gate 1: a cookie named oldzombie must exist (eval turns the string into document.cookie)
if(eval(target).indexOf(needle)==-1) {alert('bye');throw "stop";}
// gate 2: the URL must contain mode=1
if(eval('document.URL').indexOf('mode=1')==-1){alert('access_denied');throw "stop";}
else{
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=join.php>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>
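The same substitution done programmatically, as an added example that is not part of the original post: it lifts the one-character definitions, inlines them, folds the '+' chains into single literals, and unwraps eval('document.cookie') so both gates read plainly, all without executing the script. The alphabet and digit tables are generated here exactly as the page defines them; the remaining statements are copied from the page source, with the form-drawing lines shortened to one.

```javascript
'use strict';

// Constructed sample: the Join-page script from this writeup. The tables are
// built the way the page defines them (l='a' ... 26 l's = 'z', I='1' ... ten
// I's = '0'); the statements after them are copied from the page source.
const TABLES = [...'abcdefghijklmnopqrstuvwxyz'].map((c, i) => `${'l'.repeat(i + 1)}='${c}';`).join('')
  + [...'1234567890'].map((c, i) => `${'I'.repeat(i + 1)}='${c}';`).join('') + `li='.';ii='<';iii='>';`;
const SAMPLE = TABLES +
  `lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;\n` +
  `lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;` +
  `if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}` +
  `if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}` +
  `else{document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll\n+'>');}`;

// One rewrite pass: lift every `name='literal';` definition out of the source,
// substitute the literal for each standalone use of the name (tokens inside
// single-quoted strings are left alone), then fold 'a'+'b' chains into one
// literal. Assumes each name is assigned once, which holds for this script.
function pass(src) {
  const table = new Map();
  src = src.replace(/(?<![\w$])([A-Za-z_$][\w$]*)='([^']*)';/g,
    (_, name, val) => { table.set(name, val); return ''; });
  src = src.replace(/'[^']*'|[A-Za-z_$][\w$]*/g,
    tok => (tok[0] === "'" || !table.has(tok)) ? tok : `'${table.get(tok)}'`);
  for (let prev = null; prev !== src;) {
    prev = src;
    src = src.replace(/'([^']*)'\s*\+\s*'([^']*)'/g, "'$1$2'");
  }
  return src;
}

// Repeat passes until nothing changes (the second pass inlines the two derived
// names, 'oldzombie' and 'document.cookie'), then turn eval('a.b') into the
// plain property path and put each statement on its own line (string-aware,
// so a ';' inside a literal is never split).
function deobfuscate(src) {
  for (let prev = null; prev !== src;) { prev = src; src = pass(src); }
  return src
    .replace(/eval\('([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)'\)/g, '$1')
    .replace(/'[^']*'|;(?!\n)/g, t => (t === ';' ? ';\n' : t))
    .trim();
}

console.log(deobfuscate(SAMPLE));
```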

Set a cookie such as oldzombie=asdf and pass mode=1 via GET, and the registration form table appears.

After registering with an arbitrary name and password and logging in, it says you have to log in as admin.

At first I thought the idea was to bypass the duplicate check with SQL injection in the Join pw field, but that was not it. After trying various tricks, registering with an id consisting of admin with a single leading space went through. I also had to prepend the space when logging in, so it seems there is a bug where the duplicate comparison uses the input value as-is while the space disappears somewhere in the login routine.

Last Update: 20191107