
[Webhacking.kr] old-05

by L3m0n S0ju 2021. 8. 26.

When you connect to the challenge server, there are Login and Join buttons. Clicking Join displays the message Access Denied.

Clicking Login leads to /mem/login.php.

Browsing to /mem shows a directory listing that contains join.php.

Accessing join.php shows an alert saying bye, followed by a black page. Below is the source of that page.

<html><head><title>Challenge 5</title></head><body bgcolor="black"><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>


</center></body></html>

Cleaned up, the script above reads as follows.

// Gate 1: the cookie string must contain "oldzombie".
// (eval('document.cookie') in the original is simply document.cookie.)
if (document.cookie.indexOf('oldzombie') == -1)
{
    alert('bye');
    throw "stop";
}
// Gate 2: the URL must contain "mode=1".
if (document.URL.indexOf('mode=1') == -1)
{
    alert('access_denied');
    throw "stop";
}
else
{
    // Both checks passed: render the registration form, which posts to join.php.
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=join.php>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
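The cleanup above can be reproduced without running the page's script. The following is an added example, not code from the original post: a small static decoder that resolves the variable table by lookup and reports the strings passed to eval() and indexOf(). The sample input is constructed in the page's naming scheme, and K and C are hypothetical short names standing in for the page's two long lIl... variables.

```javascript
// Resolve "a + b + 'lit'" against known symbols without executing anything.
function resolveConcat(expr, symbols) {
  const term = /\s*(?:'([^'\\]*)'|"([^"\\]*)"|([A-Za-z_$][\w$]*))\s*(\+|$)/y;
  let out = '';
  while (term.lastIndex < expr.length) {
    const m = term.exec(expr);
    if (!m) return null; // not a plain concatenation
    const piece = m[1] ?? m[2] ?? symbols.get(m[3]);
    if (piece === undefined) return null; // identifier never assigned
    out += piece;
  }
  return out;
}

// Collect "name = <concatenation>" statements in order. Assumes no ';' inside
// a literal, which holds for the script on this page.
function buildSymbolTable(source) {
  const symbols = new Map();
  for (const stmt of source.split(';')) {
    const m = stmt.trim().match(/^([A-Za-z_$][\w$]*)\s*=\s*([^=].*)$/s);
    if (!m) continue;
    const value = resolveConcat(m[2], symbols);
    if (value !== null) symbols.set(m[1], value);
  }
  return symbols;
}

// Decode the arguments of eval(...) and indexOf(...), which the gate relies on.
function decodeCalls(source) {
  const symbols = buildSymbolTable(source);
  const found = [];
  for (const m of source.matchAll(/\b(eval|indexOf)\(([^()]*)\)/g)) {
    const value = resolveConcat(m[2], symbols);
    if (value !== null) found.push(`${m[1]}: ${value}`);
  }
  return found;
}

// Constructed sample in the page's scheme: n letters 'l' = n-th letter, li = '.', I = '1'.
// K and C are hypothetical short names for the page's long lIl... variables.
const v = (ch) => 'l'.repeat(ch.charCodeAt(0) - 96);
const enc = (word) => [...word].map((c) => (c === '.' ? 'li' : v(c))).join('+');
const sample =
  [...'abcdefghijklmnopqrstuvwxyz'].map((c) => `${v(c)}='${c}'`).join(';') +
  `;I='1';li='.';K=${enc('oldzombie')};C=${enc('document.cookie')};` +
  `if(eval(C).indexOf(K)==-1){alert('bye');throw "stop";}` +
  `if(eval(${enc('document.')}+'U'+'R'+'L').indexOf(${enc('mode')}+'='+I)==-1)` +
  `{alert('access_denied');throw "stop";}`;
console.log(decodeCalls(sample));
```

Both checks it recovers run only in the browser, so they hide the registration form rather than protect it.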

 

 

 


To pass the first if condition, the cookie must contain the string oldzombie. Add a cookie with that name and refresh the page.

This time access_denied is shown instead of bye. The second condition passes if the URL contains mode=1.

Entering https://webhacking.kr/challenge/web-05/mem/join.php?mode=1 gives access to the registration page.

After creating an ID and logging in, a message says that you must log in with the administrator account.

Trying to register admin as the ID fails because the ID already exists, so entering " admin", with a space in front of admin, creates an admin ID. Logging in with it displays old-05 Pwned!
