old-05 Write-up

2024. 2. 1. 21:33 | webhacking.kr


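Main page

There are two buttons, Login and Join.

I clicked Join first.

?

An Access_Denied message pops up and access is blocked.

I checked the code right away.

F12 / page source

The Join button has an onclick event bound to the no() function, which is why "Access_Denied" appeared.

Looking at the move() function, when the page is the login page it navigates to mem/login.php.

There is probably a mem/join.php page as well, so let's go there.

?

After this popup appears, only a black screen is shown.

I checked the code.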

<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>

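The code was too long, so I pasted it as a code block.

There is not a single line break in it.

I'll deobfuscate it by entering pieces of the code into the developer tools console.

Deobfuscation process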

// eval('document.cookie') is just document.cookie; the needle is the string 'oldzombie'
if (document.cookie.indexOf('oldzombie') == -1) {
	alert('bye');
	throw "stop";
}
// eval('document.URL') is just document.URL; the needle is the string 'mode=1'
if (document.URL.indexOf('mode=1') == -1) {
	alert('access_denied');
	throw "stop";
}
else {
	document.write('<font size=2 color=white>Join</font><p>');
	document.write('.<p>.<p>.<p>.<p>.<p>');
	// the action resolves to join.php (a leading '+' pasted into the console turns the 'j' into NaN)
	document.write('<form method=post action=' + 'join.php' + '>');
	document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + 'id' + ' maxlength=20></td></tr>');
	document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + 'pw' + '></td></tr>');
	document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}

Here is the code, formatted for readability.
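The same deobfuscation can be done statically, without running any of the page's script. This is an added example, not part of the original post or the challenge: it parses the variable table and resolves the concatenations without eval. The sample table and expressions are constructed to mirror the quoted script, and resolveConcat, parseTable and v are names introduced here.

```javascript
// Added example: resolve the l/I string table statically instead of eval-ing it.
const TOKEN = String.raw`(?:'[^']*'|[A-Za-z_$][\w$]*)`;
const CHAIN = String.raw`${TOKEN}(?:\+${TOKEN})*`;

// Turn "a+b+'x'" into a plain string using the table. Only tokens are read, so a
// leading '+' copied along with the expression is ignored; typed into the console
// it acts as unary plus on the first variable and yields NaN.
function resolveConcat(expr, table) {
  const tokens = expr.match(new RegExp(TOKEN, 'g')) || [];
  return tokens.map((t) => {
    if (t.startsWith("'")) return t.slice(1, -1);          // quoted literal
    if (!table.has(t)) throw new Error(`unknown identifier: ${t}`);
    return table.get(t);                                    // table variable
  }).join('');
}

// Collect every name=<concatenation>; assignment in source order, so variables
// built from other variables (the cookie-name variable) resolve as well.
function parseTable(script) {
  const table = new Map();
  const re = new RegExp(String.raw`(?<![\w$.])([A-Za-z_$][\w$]*)=(${CHAIN});`, 'g');
  for (const [, name, expr] of script.matchAll(re)) {
    try { table.set(name, resolveConcat(expr, table)); } catch { /* not a table entry */ }
  }
  return table;
}

// Constructed sample mirroring the quoted script: v(n) is the variable made of n 'l's.
const v = (n) => 'l'.repeat(n);
const COOKIE_VAR = 'lIllIllIllIllIllIllIllIllIllIl';
let sample = '';
for (let i = 1; i <= 26; i++) sample += `${v(i)}='${String.fromCharCode(96 + i)}';`;
for (let i = 1; i <= 10; i++) sample += `${'I'.repeat(i)}='${i % 10}';`;
sample += "li='.';ii='<';iii='>';";
sample += `${COOKIE_VAR}=${[15, 12, 4, 26, 15, 13, 2, 9, 5].map(v).join('+')};`;

const table = parseTable(sample);
const actionExpr = [v(10), v(15), v(9), v(14), 'li', v(16), v(8), v(16)].join('+');
const modeExpr = [v(13), v(15), v(4), v(5), "'='", 'I'].join('+');
console.log(table.get(COOKIE_VAR));                  // cookie substring checked
console.log(resolveConcat('+' + actionExpr, table)); // form action
console.log(resolveConcat(modeExpr, table));         // URL substring checked
```

parseTable also accepts the full script text pasted from the page source, since anything that is not a table assignment is skipped.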

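The cookie must contain "oldzombie" and the URL must contain "mode=1".

I'll change both to satisfy these conditions.

Adding the cookie
Adding the parameter
Join screen

After adding the cookie and the parameter, the normal sign-up form appeared.

Must log in as admin

I signed up here as hello / hello, but a message says the challenge is only solved by logging in as admin.

Signing up as admin / admin

So I tried signing up, but it says an account named admin already exists.

It looks like I need to create a new account some other way, such as appending a NULL after admin.

Appending a NULL character seems to require a proxy, so I'll use Burp Suite.

Signing up as admin%20%00 / hello
Sign-up succeeded

The sign-up went through!

Logging in to login.php with this account should solve the challenge.

login.php
Challenge solved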
