First I clicked around here and there to analyze the page.
Clicking Join gave a notice that access was not allowed,
and Login has a login form, so I also wondered whether it might be SQL injection.
There seemed to be no other pages, so I went into join and looked at the script:
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';
I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';
li='.';ii='<';iii='>';
lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;
if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}
if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1)
{alert('access_denied');throw "stop";}
else
{document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll+'>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
The page contained the script above.
Inspecting it together with the console window,
the upper part is a statement that checks whether the cookie contains oldzombie,
and the lower part checks whether the URL contains mode=1.
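To read a script like this without running it, the letter-variable definitions can be parsed into a lookup table and each `+`-joined expression resolved against it. The decoder below is an added example and not code from the write-up or the challenge; the definitions and the five expressions it decodes are copied from the script above, and the `alphabetIntact` check guards against an incomplete copy of the definitions.

```javascript
// Added example (not from the original write-up): decoder for the
// letter-variable obfuscation used by the challenge's join script.
// Nothing is eval'd; identifiers are looked up in a table built from the
// `name='value';` assignments copied from the script.

const DEFINITIONS =
  "l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';" +
  "I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';" +
  "li='.';ii='<';iii='>';";

// Expressions copied from the script: both sides of the first check,
// the object and needle of the second check, and the form action.
const EXPRESSIONS = {
  cookieNeedle: "lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll",
  cookieSource: "llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll",
  urlSource:    "llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L'",
  urlNeedle:    "lllllllllllll+lllllllllllllll+llll+lllll+'='+I",
  formAction:   "llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll",
};

// Build an identifier -> string table from `name='value';` assignments.
function parseDefinitions(src) {
  const table = new Map();
  const re = /([A-Za-z_$][\w$]*)='([^']*)';/g;
  let m;
  while ((m = re.exec(src)) !== null) table.set(m[1], m[2]);
  return table;
}

// Resolve a `+`-joined expression of identifiers and 'quoted' literals.
function resolve(expr, table) {
  return expr.split('+').map(piece => {
    const p = piece.trim();
    if (p.length >= 2 && p.startsWith("'") && p.endsWith("'")) return p.slice(1, -1);
    if (!table.has(p)) throw new Error('unresolved identifier: ' + p);
    return table.get(p);
  }).join('');
}

// Sanity check: 1..26 l's must map to a..z, otherwise the copied
// definitions are incomplete and every decoded string is suspect.
function alphabetIntact(table) {
  for (let i = 1; i <= 26; i++) {
    if (table.get('l'.repeat(i)) !== String.fromCharCode(96 + i)) return false;
  }
  return true;
}

// Decode every expression, e.g. { cookieNeedle: 'oldzombie', ... }.
function decodeAll() {
  const table = parseDefinitions(DEFINITIONS);
  if (!alphabetIntact(table)) throw new Error('definition table incomplete');
  const out = {};
  for (const [name, expr] of Object.entries(EXPRESSIONS)) out[name] = resolve(expr, table);
  return out;
}

console.log(decodeAll());
```

Running it prints the decoded strings, which match the reading above: the first check is `document.cookie.indexOf('oldzombie')`, the second is `document.URL.indexOf('mode=1')`, and the form posts to `join.php` with fields `id` and `pw`.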
So, with oldzombie in the cookie and the address https://webhacking.kr/challenge/web-05/mem/join.php?mode=1, applying both
brings up a new account-creation window as shown.
Creating an ID in that window and then logging in on the login page,
it asks you to log in as admin.
So I went back to the join page to create admin,
but it says admin is an ID that already exists.
Using Burp Suite, to fool the check on the entered admin, I inserted %00, %20 (NULL)
so that it is recognized as admin,
and logging in the same way passes the challenge.
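The trick above works because the uniqueness check sees "admin" followed by a NUL or space as a different name, while a later stage treats it as "admin". The challenge source does not say which stage does that; common causes are trimming, NUL truncation, or a database collation that ignores trailing spaces, and that explanation is an assumption here. The registration check below is an added example in JavaScript (Node), not part of the write-up, showing the naive comparison beside a hardened one that canonicalizes the name first; the existing-user set is constructed.

```javascript
// Added example (not from the original write-up): naive vs. hardened
// username availability check. Constructed existing-user set.
const EXISTING_USERS = new Set(['admin', 'guest']);

// Canonical form: NFKC-normalize, lower-case, then require the result to be
// plain ASCII letters/digits/underscore. Anything else (NUL, spaces, control
// characters, look-alike Unicode) is rejected outright instead of being
// silently trimmed or truncated somewhere downstream.
function canonicalUsername(raw) {
  if (typeof raw !== 'string') return null;
  const s = raw.normalize('NFKC').toLowerCase();
  return /^[a-z0-9_]{3,20}$/.test(s) ? s : null;
}

// Naive check: compares the raw submitted string. "admin\u0000" and "admin "
// are reported as free even though a trimming/truncating backend would later
// collapse them to "admin" (assumed cause, see lead-in).
function naiveIsAvailable(raw) {
  return !EXISTING_USERS.has(raw);
}

// Hardened check: refuse anything that is not already canonical, then
// compare only the canonical form against the canonical stored names.
function hardenedIsAvailable(raw) {
  const canon = canonicalUsername(raw);
  if (canon === null) return { ok: false, reason: 'invalid characters' };
  if (EXISTING_USERS.has(canon)) return { ok: false, reason: 'taken' };
  return { ok: true, reason: '' };
}

// What the URL-encoded payloads from the write-up look like after decoding,
// i.e. what the server-side handler actually receives.
function decodeCandidate(encoded) {
  return decodeURIComponent(encoded);
}

for (const payload of ['admin', 'admin%00', 'admin%20', 'Admin', 'newuser']) {
  const raw = decodeCandidate(payload);
  console.log(JSON.stringify(payload), 'naive:', naiveIsAvailable(raw),
              'hardened:', JSON.stringify(hardenedIsAvailable(raw)));
}
```

The important design choice is that the same canonical form is used for storage, uniqueness and login, so there is no second place where "admin\0" can become "admin"; rejecting non-canonical input (rather than trimming it) also means the user sees an error instead of silently registering a different name.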
Reflection: By analyzing the source code I could work it out up to join, but I did not notice the part about fooling the admin check, so I ended up consulting the answer.