728x90
✏️ Check
문제에서 제공하는 사이트에 접속하면 다음과 같이 Login 버튼과 Join 버튼이 있다.
Login 버튼을 선택하면 말그대로 로그인을 할 수 있는 창이 나타난다.
Join 버튼을 선택하면 Access_Denied 의 알림창이 나타난다.
<html>
<head>
<title>Challenge 5</title>
</head>
<body bgcolor=black>
<center>
<font color=black>
.<p>
.<p>
.<p>
.<p>
.<p>
.<p>
.<p>
</font>
<input type=button value='Login' style=border:0;width:100;background=black;color=green onmouseover=this.focus(); onclick=move('login');>
<input type=button value='Join' style=border:0;width:100;background=black;color=blue onmouseover=this.focus(); onclick=no();>
<script>
function no()
{
alert('Access_Denied');
}
function move(page)
{
if(page=='login') { location.href='mem/login.php'; }
}
</script>
</center>
</body>
</html>가장 첫 페이지의 소스코드는 위와 같다.
Join 버튼을 눌렀을 때, join.php 등의 페이지로 넘어가는 것이 아니라 무조건 no()라는 함수가 호출되어 경고창만 출력되도록 되어 있다.
🔎 Analyze
📑 login.php
일단 접속할 수 있는 Login 페이지에서 분석을 시작했다.
아무 ID와 PW를 입력하면 Wrong password라는 문구와 함께 로그인이 되지 않는다.
여기서 주목해볼만한 부분은 URL이다.
https://webhacking.kr/challenge/web-05/mem/login.php
위 URL에서 login.php만 지워보면 다음과 같이 Directory Listing이 되고, join.php라는 파일이 있음을 확인할 수 있다.
📑 join.php
join.php 파일에 접속하면 바로 bye라는 알림창이 출력되고 화면에는 아무것도 나타나지 않는다.
소스코드를 확인해보니
<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>script 부분에 알기 어려운 형태로 코드가 작성되어 있다.
Online JavaScript beautifier
Beautify JavaScript, JSON, React.js, HTML, CSS, SCSS, and SASS
beautifier.io
위 사이트에서 JavaScript를 보기 편한 형태로 변환해준다.
l = 'a';
ll = 'b';
lll = 'c';
llll = 'd';
lllll = 'e';
llllll = 'f';
lllllll = 'g';
llllllll = 'h';
lllllllll = 'i';
llllllllll = 'j';
lllllllllll = 'k';
llllllllllll = 'l';
lllllllllllll = 'm';
llllllllllllll = 'n';
lllllllllllllll = 'o';
llllllllllllllll = 'p';
lllllllllllllllll = 'q';
llllllllllllllllll = 'r';
lllllllllllllllllll = 's';
llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u';
llllllllllllllllllllll = 'v';
lllllllllllllllllllllll = 'w';
llllllllllllllllllllllll = 'x';
lllllllllllllllllllllllll = 'y';
llllllllllllllllllllllllll = 'z';
I = '1';
II = '2';
III = '3';
IIII = '4';
IIIII = '5';
IIIIII = '6';
IIIIIII = '7';
IIIIIIII = '8';
IIIIIIIII = '9';
IIIIIIIIII = '0';
li = '.';
ii = '<';
iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
alert('bye');
throw "stop";
}
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
alert('access_denied');
throw "stop";
} else {
document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll +
'>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + '></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}하나씩 해석할 필요 없이 join.php 페이지에서 콘솔창을 통해 각각 어떤 문자열인지 확인할 수 있다.
조건문에 포함된 문자열들만 확인해보면 다음과 같다.
다시 정리하면
- document.cookie에 oldzombie에 대한 값이 존재해야 한다.
- document.url 에는 "mode=1"이 포함되어야 한다.
위 조건들이 성립했을 때, 문제를 해결할 수 있다.
🔓 Exploit
이제 제대로 회원가입을 할 수 있게 됐다!
하지만 이렇게 하면 admin으로 로그인해야한다고 출력된다.
그래서 admin으로 회원가입하려하면 이미 존재하는 아이디라는 메세지가 출력된다.
Burpsuite를 이용해서 admin 뒤에 공백(%20)을 채워주자!
Proxy에서 인터셉트한 창에서 [Send to Repeater]를 선택하고 값을 변조하여 보내면 위와 같이 회원가입에 성공했다.
이제 다시 login 창으로 가서 admin / admin_elasjay로 로그인해보면
성공이닷!
SMALL
'Web > Web Hacking (Wargame)' 카테고리의 다른 글
| [webhacking.kr] old-10 (0) | 2023.01.24 |
|---|---|
| [webhacking.kr] old-07 (0) | 2022.12.23 |
| [webhacking.kr] old-06 (0) | 2022.12.21 |
| [webhacking.kr] old-02 (0) | 2022.12.17 |
| [Dreamhack] Carve Party (0) | 2022.04.24 |