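Challenge 5 has Login and Join buttons.
Clicking the Login button brings up a login form.
Clicking the Join button shows an alert that says Access_Denied.
Since the sign-up page cannot be reached, solving the challenge probably requires getting into the Join page.
Clicking the button does not get there, so I tried going in by URL.
The following is the URL of the login page. I removed just login.php from that URL.
That leads to the page shown below.
join.php is visible. I navigated to that page.
An alert appears, and after clicking OK a black screen is shown.
I checked the source code.
The source code is obfuscated.
First, let's add line breaks.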
l = 'a';
ll = 'b';
lll = 'c';
llll = 'd';
lllll = 'e';
llllll = 'f';
lllllll = 'g';
llllllll = 'h';
lllllllll = 'i';
llllllllll = 'j';
lllllllllll = 'k';
llllllllllll = 'l';
lllllllllllll = 'm';
llllllllllllll = 'n';
lllllllllllllll = 'o';
llllllllllllllll = 'p';
lllllllllllllllll = 'q';
llllllllllllllllll = 'r';
lllllllllllllllllll = 's';
llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u';
llllllllllllllllllllll = 'v';
lllllllllllllllllllllll = 'w';
llllllllllllllllllllllll = 'x';
lllllllllllllllllllllllll = 'y';
llllllllllllllllllllllllll = 'z';
I = '1';
II = '2';
III = '3';
IIII = '4';
IIIII = '5';
IIIIII = '6';
IIIIIII = '7';
IIIIIIII = '8';
IIIIIIIII = '9';
IIIIIIIIII = '0';
li = '.';
ii = '<';
iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
alert('bye');
throw "stop";
}
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
alert('access_denied');
throw "stop";
} else {
document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll +
'>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + '></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
Line breaks added with JavaScript Beautifier.
I resolved the variables made up of l and I in the code above using the developer tools console.
if (eval('document.cookie').indexOf('oldzombie') == -1) {
alert('bye');
throw "stop";
}
if (eval('document.URL').indexOf('mode=1') == -1) {
alert('access_denied');
throw "stop";
} else {
document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action=join.php>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
Interpreting the source code above gives the following.
1. A cookie named oldzombie must exist.
2. The URL must contain the string mode=1.
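The console decoding step can also be done statically, without running the script. The following is an added example, not part of the original post: it regenerates the lookup table from the pattern visible in the obfuscated source and folds the `+` chains into the strings they build; `fold`, `buildTable`, `COOKIE_VAR` and `decoded` are names chosen here.

```javascript
// Static decoding of the page's string-table obfuscation.
// Nothing from the analysed script is executed (no eval, no alert).
const TOKEN = /'([^']*)'|([A-Za-z_$][\w$]*)/g;

// Fold a `+` chain of identifiers and quoted literals into the string it builds.
function fold(expr, table) {
  let out = '';
  for (const m of expr.matchAll(TOKEN)) {
    if (m[1] !== undefined) { out += m[1]; continue; }  // quoted literal
    if (!table.has(m[2])) throw new Error('unknown identifier: ' + m[2]);
    out += table.get(m[2]);                              // table lookup
  }
  return out;
}

// Read `name = <chain>;` assignments top to bottom, folding each right-hand side.
function buildTable(src) {
  const table = new Map();
  const assign = /^\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+);\s*$/gm;
  for (const m of src.matchAll(assign)) table.set(m[1], fold(m[2], table));
  return table;
}

// Constructed input: the page's table, regenerated from its visible pattern
// (n x 'l' -> nth letter, n x 'I' -> digits 1..9 then 0, plus li / ii / iii).
let src = '';
[...'abcdefghijklmnopqrstuvwxyz'].forEach((c, i) => { src += `${'l'.repeat(i + 1)} = '${c}';\n`; });
[...'1234567890'].forEach((c, i) => { src += `${'I'.repeat(i + 1)} = '${c}';\n`; });
src += "li = '.';\nii = '<';\niii = '>';\n";
// Chain assignment copied from the page (the substring searched for in the cookie).
const COOKIE_VAR = 'lIllIllIllIllIllIllIllIllIllIl';
src += `${COOKIE_VAR} = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;\n`;

const table = buildTable(src);
// Expressions copied from the page's URL check and form action.
const decoded = {
  cookieNeedle: table.get(COOKIE_VAR),
  urlNeedle: fold("lllllllllllll + lllllllllllllll + llll + lllll + '=' + I", table),
  formAction: fold('llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll', table),
};
console.log(decoded);
```

Because both checks run only in the browser, they describe what the page expects from the client, not what the server enforces.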
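I added a cookie named oldzombie.
Next, I appended ?mode=1 to the URL.
That took me to the sign-up page.
I created an arbitrary account and tried logging in.
Login works normally.
Now, to solve the challenge, I need to log in as admin.
I tried signing up as admin, but
as expected, the sign-up fails.
It looks like another method is needed to bypass this.
I put a space in front of admin and tried again.
This time the sign-up succeeded.
Entering the registered credentials as they are and clicking the login button gives:
Challenge 5 solved!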