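webhacking.kr old 5
2020. 1. 13. 21:19 · Security/webhacking.kr
There are login and join, but join is blocked.
On the login screen there is nothing but the id/pw input fields and a button. The source code shows nothing special either, so it seems I have to get into the join page, create an account, and log in. (Trying SQL injection produced no particular response.)
The join button does not take me there, so I edited the URL, and the following came up.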
<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';
ll='b';
lll='c';
llll='d';
lllll='e';
llllll='f';
lllllll='g';
llllllll='h';
lllllllll='i';
llllllllll='j';
lllllllllll='k';
llllllllllll='l';
lllllllllllll='m';
llllllllllllll='n';
lllllllllllllll='o';
llllllllllllllll='p';
lllllllllllllllll='q';
llllllllllllllllll='r';
lllllllllllllllllll='s';
llllllllllllllllllll='t';
lllllllllllllllllllll='u';
llllllllllllllllllllll='v';
lllllllllllllllllllllll='w';
llllllllllllllllllllllll='x';
lllllllllllllllllllllllll='y';
llllllllllllllllllllllllll='z';
I='1';
II='2';
III='3';
IIII='4';
IIIII='5';
IIIIII='6';
IIIIIII='7';
IIIIIIII='8';
IIIIIIIII='9';
IIIIIIIIII='0';
li='.';
ii='<';
iii='>';
lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;
if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}
if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1)
{alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll+'>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
</script>
</body>
</html>
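I cleaned up the source code. (Apparently Chrome DevTools has a feature that handles this kind of obfuscated(?) code. I used Notepad... haha)
Working through it from line 45, it looks like this.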
lIllIllIllIllIllIllIllIllIllIl=o+l+d+z+o+m+b+i+e
lIIIIIIIIIIIIIIIIIIl=d+o+c+u+m+e+n+t+.+c+o+o+k+i+e
if(eval('document.cookie').indexOf('oldzombie')==-1) {alert('bye');throw "stop";}
if(eval('document.URL').indexOf('mode=1')==-1)
{alert('access_denied');throw "stop";}
else{document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action=join.php>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
5: Searches the cookie for the word oldzombie (indexOf returns -1 when it is not found).
6: Searches the URL for the word mode=1 (indexOf returns -1 when it is not found).
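The same cleanup can be done statically, without running the script or calling eval. The following is an added example, not part of the original post or the challenge's code: it reads the `name='c';` table and folds each `+` chain into one string literal. The sample script is constructed in the page's naming scheme, and `lIl`, `lIIl`, `buildTable`, `foldChains` and `deobfuscate` are names made up for this example.

```javascript
// Constructed sample in the page's naming scheme: the n-th letter lives in a
// variable of n 'l' characters, plus li='.' and I='1'. lIl / lIIl are
// shortened stand-ins for the page's two long variable names.
const letters = 'abcdefghijklmnopqrstuvwxyz';
const nameOf = (ch) =>
  ch === '.' ? 'li' : ch === '1' ? 'I' : 'l'.repeat(letters.indexOf(ch) + 1);
const enc = (s) => [...s].map(nameOf).join('+');
const SAMPLE = [
  ...[...letters, '.', '1'].map((ch) => `${nameOf(ch)}='${ch}';`),
  `lIl=${enc('oldzombie')};`,
  `lIIl=${enc('document.cookie')};`,
  `if(eval(lIIl).indexOf(lIl)==-1) {alert('bye');throw "stop";}`,
  `if(eval(${enc('document.')}+'U'+'R'+'L').indexOf(${enc('mode')}+'='+I)==-1)`,
  `document.write('<form method=post action='+${enc('join.php')}+'>');`,
].join('\n');

// Collect every `name='c';` line into a lookup table without running anything.
function buildTable(src) {
  const table = new Map();
  const assign = /^\s*([A-Za-z_$][\w$]*)\s*=\s*'([^'\\\n])'\s*;\s*$/gm;
  for (const [, name, ch] of src.matchAll(assign)) table.set(name, ch);
  return table;
}

// Replace each `a+b+'x'` chain of known variables and literals with one literal.
function foldChains(src, table) {
  const term = String.raw`(?:[A-Za-z_$][\w$]*|'[^'\\\n]*')`;
  const chain = new RegExp(
    String.raw`(?<![\w$])${term}(?:\s*\+\s*${term})+(?![\w$.(\[])`, 'g');
  return src.replace(chain, (expr) => {
    let out = '';
    for (const [tok] of expr.matchAll(new RegExp(term, 'g'))) {
      if (tok.startsWith("'")) out += tok.slice(1, -1);
      else if (table.has(tok)) out += table.get(tok);
      else return expr; // unknown identifier: leave the expression as written
    }
    return `'${out}'`;
  });
}

function deobfuscate(src) {
  return foldChains(src, buildTable(src));
}

// Print only the statements after the 28-line variable table.
console.log(deobfuscate(SAMPLE).split('\n').slice(28).join('\n'));
```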
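Register with any id/pw, log in, and done!
...or so I thought, but no, haha. Logging in as admin is still left.
When I go to the join page and try to register an admin account, it says the account already exists.
Since this is not something injection will solve, I have to create an admin account, but with an id that is not exactly admin.
I tried to solve it with comment characters, but special characters are handled very thoroughly.
I don't know why, but whitespace is treated differently depending on its position.
I need to look into the reason for this.
Anyway, putting in a space character and then admin gets the account created.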