
webhacking.kr #5

qkqhxla1 2014. 8. 19. 15:21

Path requested when the login button is pressed:

/challenge/web/web-05/mem/login.php

Pressing the Join button pops up an alert. After trying a few things, requesting only /challenge/web/web-05/mem/ reveals

a directory listing vulnerability.


Open join.php and look at its source.

<script>

l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;

lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) { bye; }if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');history.go(-1);}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=5></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+' maxlength=10></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}

</script>

Running it through http://jsbeautifier.org/

makes it readable. You can see that the if statement around the middle performs some check and, when it fails, shows an alert and sends you back with history.go(-1);.

Since that part is only JavaScript, I assume it can be bypassed, so looking just at the form information:

document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll + '>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=5></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + ' maxlength=10></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');

To find the variable values, take only the variable definitions from the beautified JavaScript above and run them in the browser's developer tools.
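The post resolves the variables by running them in the developer console. As an added example that is not part of the original post, the same decoding done statically in JavaScript: it replays the assignment chain without eval(); the one-character table is regenerated in the layout join.php uses and the two derived assignments are copied from the page.

```javascript
// Added example, not from the original post: a static resolver for the l/I-named
// string-building obfuscation in join.php. It replays the `name='x';` and
// `name=a+b+'lit';` statements in order without eval(), so the checks can be read.
// Constructed sample: the one-character table laid out as join.php does it
// (1..26 'l' = a..z, 1..10 'I' = 1..9,0, li/ii/iii), then the two derived
// assignments copied verbatim from the page.
const ONE_CHAR = [...'abcdefghijklmnopqrstuvwxyz']
  .map((c, i) => `${'l'.repeat(i + 1)}='${c}';`)
  .concat([...'1234567890'].map((c, i) => `${'I'.repeat(i + 1)}='${c}';`))
  .join('');
const SAMPLE = ONE_CHAR + "li='.';ii='<';iii='>';" +
  'lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+' +
  'llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;' +
  'lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+' +
  'lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+' +
  'lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;';

// One right-hand side: '+'-joined identifiers and single-quoted literals.
function resolveExpr(expr, table) {
  return expr.split('+').map(tok => {
    const t = tok.trim();
    if (/^'.*'$/.test(t)) return t.slice(1, -1);  // string literal
    if (t in table) return table[t];              // name defined earlier
    throw new Error('unresolved identifier: ' + t);
  }).join('');
}

// Walk `name=expr;` statements in source order; later names only refer
// back to earlier ones, which is how the obfuscator emits them.
function buildTable(src) {
  const table = {};
  for (const stmt of src.split(';')) {
    const m = /^\s*([lIi]+)=(?!=)(.+)$/.exec(stmt);
    if (m) table[m[1]] = resolveExpr(m[2], table);
  }
  return table;
}
// Decode the operands join.php hands to indexOf() and document.write().
function decodeJoinPage() {
  const t = buildTable(SAMPLE);
  const derived = Object.values(t).filter(v => v.length > 1);  // the two built-up names
  return {
    cookieName: derived[0], cookieSrc: derived[1],
    urlSrc: resolveExpr("llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L'", t),
    urlParam: resolveExpr("lllllllllllll+lllllllllllllll+llll+lllll+'='+I", t),
    formAction: resolveExpr('llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll', t),
    idField: resolveExpr('lllllllll+llll', t),
    pwField: resolveExpr('llllllllllllllll+lllllllllllllllllllllll', t),
  };
}
```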


Reconstructing the form:

<form method=post action=join.php>
<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=5></td></tr>
<tr><td><font color=gray>pass</font></td><td><input type=text name=pw maxlength=10></td></tr>
<tr align=center><td colspan=2><input type=submit></td></tr></form></table>


So all we need to do is send suitably modified id and pw values to webhacking.kr/challenge/web/web-05/mem/join.php.

But registering as admin is refused.. and since id has maxlength=5 in the form above it cannot be made any longer, but

sending the value from a proxy with a single trailing space clears it..


Another approach.

if (eval(lIIIIIIIIIIIIIIIIIIl)
    .indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) { bye; }  // bye is undefined: ReferenceError, script stops here
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L')
    .indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
    alert('access_denied');
    history.go(-1);
}

Here two conditions are checked; if they are not met, it shows the alert and sends you back, so we just need to satisfy those conditions.

Decoding the variables the same way as before..


if (eval('document.cookie')
    .indexOf('oldzombie') == -1) { bye; }  // bye is undefined: ReferenceError, script stops here
if (eval('document.URL')
    .indexOf('mode=1') == -1) {
    alert('access_denied');
    history.go(-1);
}

If the cookie does not contain a value named oldzombie, or the string mode=1 cannot be found in the URL, it shows the alert and

sends you back. Add an oldzombie cookie and append ?mode=1 and it should work.
