
[webhacking.kr] old-05

dys4nt 2023. 6. 13. 21:53

When you open the challenge there are two buttons, login and join, and join does nothing.

Going into login.php and trying every kind of SQLi, nothing works.

Hoping for a hint, I visited /web-05/mem/ and found a join.php that was not linked anywhere.

join.php contains a bizarre piece of JavaScript; let's run it through a beautifier and analyze it.

<script>
// Every identifier made only of 'l' is a lowercase letter (its length gives
// the position in the alphabet) and every identifier made only of 'I' is a
// digit; li, ii and iii are '.', '<' and '>'.
l = 'a';
ll = 'b';
lll = 'c';
llll = 'd';
lllll = 'e';
llllll = 'f';
lllllll = 'g';
llllllll = 'h';
lllllllll = 'i';
llllllllll = 'j';
lllllllllll = 'k';
llllllllllll = 'l';
lllllllllllll = 'm';
llllllllllllll = 'n';
lllllllllllllll = 'o';
llllllllllllllll = 'p';
lllllllllllllllll = 'q';
llllllllllllllllll = 'r';
lllllllllllllllllll = 's';
llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u';
llllllllllllllllllllll = 'v';
lllllllllllllllllllllll = 'w';
llllllllllllllllllllllll = 'x';
lllllllllllllllllllllllll = 'y';
llllllllllllllllllllllllll = 'z';
I = '1';
II = '2';
III = '3';
IIII = '4';
IIIII = '5';
IIIIII = '6';
IIIIIII = '7';
IIIIIIII = '8';
IIIIIIIII = '9';
IIIIIIIIII = '0';
li = '.';
ii = '<';
iii = '>';
// "oldzombie"
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
// "document.cookie"
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
// Stop unless document.cookie contains "oldzombie".
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
    alert('bye');
    throw "stop";
}
// Stop unless document.URL contains "mode=1"; otherwise write the signup form
// (action "join.php", fields "id" and "pw").
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
    alert('access_denied');
    throw "stop";
} else {
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll + '>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + '></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
</script>

The part that matters here is the code with the document.write calls that emit the form, so that a POST can be sent from it. Running just that part in the browser's developer-tools console makes the signup form appear immediately.
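To see what the obfuscated script actually checks without executing any of it, the concatenations can be decoded mechanically: a run of n 'l' characters is the n-th lowercase letter, a run of n 'I' characters is the digit n mod 10, and li/ii/iii are '.', '<' and '>'. The decoder below is an added example written for this post, not code from the challenge; the expressions it decodes are copied from the script above.

```javascript
// Added example: static decoder for the 'l'/'I' string building used in join.php.
// Each identifier made only of 'l' is the letter at position (length) in the
// alphabet, each made only of 'I' is the digit (length mod 10), li/ii/iii are
// fixed punctuation, and quoted literals pass through unchanged.
const FIXED = { li: ".", ii: "<", iii: ">" };

function decodeToken(tok) {
  const lit = tok.match(/^'(.*)'$/);
  if (lit) return lit[1];
  if (tok in FIXED) return FIXED[tok];
  if (/^l+$/.test(tok)) return String.fromCharCode(96 + tok.length); // a..z
  if (/^I+$/.test(tok)) return String(tok.length % 10);               // 1..9,0
  throw new Error("unknown token: " + tok);
}

// Decode one concatenation expression, e.g. "lllllllll + llll" -> "id".
function decode(expr) {
  return expr.split("+").map(t => t.trim()).map(decodeToken).join("");
}

// The concatenations from the script above (copied verbatim, used here as
// constructed input), keyed by the role each one plays in the checks.
const OBFUSCATED = {
  cookieNeedle: "lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll",
  cookieSource: "llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll",
  urlSource: "llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L'",
  urlNeedle: "lllllllllllll + lllllllllllllll + llll + lllll + '=' + I",
  formAction: "llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll",
  idField: "lllllllll + llll",
  pwField: "llllllllllllllll + lllllllllllllllllllllll",
};

// Decode every expression; the result spells out the two gate conditions
// (cookie must contain "oldzombie", URL must contain "mode=1") and the form.
function decodeAll() {
  const out = {};
  for (const [name, expr] of Object.entries(OBFUSCATED)) out[name] = decode(expr);
  return out;
}

console.log(decodeAll());
```

Because nothing is eval'd, the same approach works on a copy of the page source taken offline, which is how the two gate checks are best read before deciding whether the client-side gating matters at all.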

Putting any values into id and pass registers an account, but going to login.php and logging in only produces a message telling you to log in as admin.

While looking for a bypass, I tried putting a single space in front of admin; the registration goes through and the exploit works.

Logging in with that registered id and password solves the challenge.
