
[Webhacking.kr] old-05

ruming 2021. 9. 12. 22:04

Pressing the Join button shows access_denied.

I pressed the Login button and tried entering guest, admin and so on, but only got "wrong password".

mem/login.php

I checked the source code of the first page with the browser's developer tools.

<input type=button value='Login' style=border:0;width:100;background=black;color=green onmouseover=this.focus(); onclick=move('login');>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type=button value='Join' style=border:0;width:100;background=black;color=blue onmouseover=this.focus(); onclick=no();>

<script>
function no()
{
alert('Access_Denied');
}

function move(page)
{
if(page=='login') { location.href='mem/login.php'; }

}

</script>
</center>

So it was the no() and move() functions that made it behave the way it did.

There seemed to be nothing more to do there, so I went back to the login.php page.

The button goes to mem/login.php, so I decided to try mem/join.php instead.

When you open it, an alert pops up.

It's downright cheeky.

Looking at the source, you can see the following obfuscated code.

l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}

 

I put the code into a code-formatting site.

http://jsbeautifier.org/

l = 'a';
ll = 'b';
lll = 'c';
llll = 'd';
lllll = 'e';
llllll = 'f';
lllllll = 'g';
llllllll = 'h';
lllllllll = 'i';
llllllllll = 'j';
lllllllllll = 'k';
llllllllllll = 'l';
lllllllllllll = 'm';
llllllllllllll = 'n';
lllllllllllllll = 'o';
llllllllllllllll = 'p';
lllllllllllllllll = 'q';
llllllllllllllllll = 'r';
lllllllllllllllllll = 's';
llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u';
llllllllllllllllllllll = 'v';
lllllllllllllllllllllll = 'w';
llllllllllllllllllllllll = 'x';
lllllllllllllllllllllllll = 'y';
llllllllllllllllllllllllll = 'z';
I = '1';
II = '2';
III = '3';
IIII = '4';
IIIII = '5';
IIIIII = '6';
IIIIIII = '7';
IIIIIIII = '8';
IIIIIIIII = '9';
IIIIIIIIII = '0';
li = '.';
ii = '<';
iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
    alert('bye');
    throw "stop";
}
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
    alert('access_denied');
    throw "stop";
} else {
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll +
        '>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + '></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}

Decoded result (the two long alias names are strings that get passed to eval, so the first check really reads the cookie and the second reads the URL):

lIIIIIIIIIIIIIIIIIIl = 'document.cookie'
lIllIllIllIllIllIllIllIllIllIl = 'oldzombie'
// eval('document.cookie') is the cookie string; it must contain "oldzombie"
if (document.cookie.indexOf('oldzombie') == -1) {
    alert('bye');
    throw "stop";
}
// eval('document.URL') is the current URL; it must contain "mode=1"
if (document.URL.indexOf('mode=1') == -1) {
    alert('access_denied');
    throw "stop";
} else {
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=join.php>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}

I solved it by painstakingly counting the characters one by one, only to learn afterwards that it can be done simply from the browser console.
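To do the alias lookup mechanically instead of counting l's and I's by hand (and without handing the obfuscated code to eval), here is an added JavaScript helper. It is not part of the original post or of the challenge; the function names are my own. It rebuilds the alias table exactly as the script defines it (n l's is the n-th lowercase letter, n I's is digit n with ten I's as '0', plus li/ii/iii) and resolves concatenation expressions into plain strings. The two assignment lines in SAMPLE are copied verbatim from the beautified code above.

```javascript
// Added example: resolve the challenge's l/I alias names without eval().
// The alias table follows the pattern the obfuscated script defines:
// n 'l's -> n-th lowercase letter, n 'I's -> digit n (ten 'I's -> '0'),
// li -> '.', ii -> '<', iii -> '>'.
function buildAliasTable() {
  const table = new Map();
  for (let n = 1; n <= 26; n++) table.set('l'.repeat(n), String.fromCharCode(96 + n));
  for (let n = 1; n <= 9; n++) table.set('I'.repeat(n), String(n));
  table.set('I'.repeat(10), '0');
  table.set('li', '.');
  table.set('ii', '<');
  table.set('iii', '>');
  return table;
}

// Turn a concatenation expression such as "llll + lllllllllllllll + li + 'U' + 'R' + 'L'"
// into the string it builds. Quoted literals are kept verbatim, bare names are looked up,
// and a name that is not in the table is kept as <name> so nothing is silently guessed.
function resolveConcat(expr, table) {
  return expr
    .split('+')
    .map((tok) => tok.trim())
    .map((tok) => {
      const lit = tok.match(/^'(.*)'$/);
      if (lit) return lit[1];
      return table.has(tok) ? table.get(tok) : `<${tok}>`;
    })
    .join('');
}

// Walk simple "name = expr;" statements in order, resolving each right-hand side and
// adding the result to the table so later names can refer to earlier ones.
// Only plain assignments are handled; if/alert/document.write statements are skipped.
function resolveAssignments(source, table) {
  const resolved = new Map();
  for (const stmt of source.split(';')) {
    const m = stmt.match(/^\s*([A-Za-z_$][\w$]*)\s*=\s*([^=]+)$/);
    if (!m) continue;
    const value = resolveConcat(m[2], table);
    table.set(m[1], value);
    resolved.set(m[1], value);
  }
  return resolved;
}

// The two alias definitions from the beautified script above, copied verbatim.
const SAMPLE = `
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
`;

// Returns a Map of alias name -> decoded string for the two definitions in SAMPLE.
function decodeSample() {
  return resolveAssignments(SAMPLE, buildAliasTable());
}

console.log([...decodeSample()]); // logs each alias name with the string it stands for
```

Any other expression from the script, for example the document.URL or mode=1 concatenations inside the if conditions, can be pasted into resolveConcat the same way; because the resolver never executes anything, it is safe to run on untrusted script text.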

 

The first if statement seems to be asking for a cookie called oldzombie.

The second says to add mode=1 to the URL, so I sent it as a parameter.

?mode=1

The join page appeared!!

 

I tried joining as admin, but it said the id already exists.

I signed up as abc/abc.

Sign-up succeeded!

I went back to login.php and logged in as abc/abc.

I thought that was the end, but apparently I need to log in as admin.

So I went back to the join page.

I wondered whether the maxlength attribute could be used, but the length seemed to be restricted on the server side as well.

I used Burp Suite.

I put two spaces (%20) after admin, followed by a NULL (%00) character, and signed up.

id=admin%20%20%00&pw=1

The message shown above appears and the sign-up is complete.

Go back to login.php and log in through Burp Suite the same way as before.

The challenge was solved!

 

 


At first I signed up as admin%20%00 / pw=1.

When logging in, "hello admin" appeared so I thought it had succeeded, but then a "login plz" alert appeared, and when I pressed OK I was redirected to the webhacking.kr site, logged out.

So I tried again with admin%20%20%00.

 

 

※ Besides this method, there is also a way that inserts the space in front.

signup

If you sign up as (space)admin and also log in as (space)admin, the challenge is solved.

login
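What the two variants above have in common is that sign-up and login disagree about what a username is: "admin  \0" and " admin" are accepted as new accounts at sign-up yet behave as admin at login. The post does not state the server-side cause, so the added example below does not model it; it shows the defensive fix instead. It is my own JavaScript (not code from the challenge or the post): one canonical form for usernames, applied identically on both paths, with an allowlist that rejects spaces and control characters rather than trimming them. The in-memory store and the seeded "admin" account are constructed for the demo.

```javascript
// Added example: canonicalise usernames once and apply the same rule at sign-up and login,
// so no two different submitted strings can map onto one stored account.
const USERNAME_RE = /^[a-z0-9_]{1,20}$/i; // strict allowlist: no spaces, no NUL, no other control chars

// Returns the canonical username, or null if the raw value is not acceptable.
function canonicalUsername(raw) {
  // Reject rather than trim: trimming is exactly what lets "admin  \0" and "admin" collide.
  if (typeof raw !== 'string' || !USERNAME_RE.test(raw)) return null;
  return raw.toLowerCase(); // one stored identity per case-insensitive name
}

// Constructed in-memory user store standing in for the database.
class UserStore {
  constructor() {
    this.users = new Map(); // canonical name -> { displayName, password }
  }

  signup(rawName, password) {
    const name = canonicalUsername(rawName);
    if (name === null) return { ok: false, reason: 'invalid_username' };
    if (this.users.has(name)) return { ok: false, reason: 'already_exists' };
    this.users.set(name, { displayName: rawName, password });
    return { ok: true, name };
  }

  login(rawName, password) {
    const name = canonicalUsername(rawName);
    const user = name === null ? undefined : this.users.get(name);
    // One generic failure for unknown user and wrong password, so the form does not
    // reveal which usernames exist. (Demo only: real code compares a salted password hash.)
    if (user === undefined || user.password !== password) return { ok: false, reason: 'login_failed' };
    return { ok: true, name };
  }
}

// Replays the post's form values (URL-decoded as the server would) against the hardened store.
function demo() {
  const store = new UserStore();
  store.signup('admin', 'correct horse'); // constructed seed account

  return {
    paddedSignup: store.signup(decodeURIComponent('admin%20%20%00'), '1'), // the post's payload
    leadingSpace: store.signup(decodeURIComponent('%20admin'), '1'),      // the alternative method
    caseVariant: store.signup('Admin', '1'),                               // collides with admin
    paddedLogin: store.login(decodeURIComponent('admin%20%20%00'), '1'),
    realLogin: store.login('admin', 'correct horse'),
  };
}

console.log(demo());
```

Both padded variants are refused at sign-up with invalid_username, the case variant is refused with already_exists because uniqueness is checked on the canonical form, and the padded login fails before any lookup happens. The same canonicalUsername call should also be used wherever the name is compared later, for example when deciding whether the logged-in user is the administrator.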
