
webhacking.kr Challenge 5

by sonysame 2018. 2. 14.

The join page cannot be opened.


The login page does open,

and its URL is

http://webhacking.kr/challenge/web/web-05/mem/login.php


So I browsed to

http://webhacking.kr/challenge/web/web-05/mem


In other words, I could see that /mem/join.php exists.


Opening http://webhacking.kr/challenge/web/web-05/mem/join.php shows only a black page,


but checking the page source gave the following:


<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) { bye; }if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');history.go(-1);}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=5></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+' maxlength=10></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>


That is what came out!


Cleaned up, it looks like this!

<!DOCTYPE html>


<html>

<title>Challenge 5</title></head><body><center>

<script>

l='a';

ll='b';

lll='c';

llll='d';

lllll='e';

llllll='f';

lllllll='g';

llllllll='h';

lllllllll='i';

llllllllll='j';

lllllllllll='k';

llllllllllll='l';

lllllllllllll='m';

llllllllllllll='n';

lllllllllllllll='o';

llllllllllllllll='p';

lllllllllllllllll='q';

llllllllllllllllll='r';

lllllllllllllllllll='s';

llllllllllllllllllll='t';

lllllllllllllllllllll='u';

llllllllllllllllllllll='v';

lllllllllllllllllllllll='w';

llllllllllllllllllllllll='x';

lllllllllllllllllllllllll='y';

llllllllllllllllllllllllll='z';

I='1';

II='2';

III='3';

IIII='4';

IIIII='5';

IIIIII='6';

IIIIIII='7';

IIIIIIII='8';

IIIIIIIII='9';

IIIIIIIIII='0';

li='.';

ii='<';

iii='>';

lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;

lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;

document.write(lIllIllIllIllIllIllIllIllIllIl); //oldzombie


document.write(lIIIIIIIIIIIIIIIIIIl); //document.cookie


if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) { document.write("bye"); }


a=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L';

document.write(a); //document.URL

b=lllllllllllll+lllllllllllllll+llll+lllll+'='+I;

document.write(b);//mode=1


//access_denied if document.URL does not contain mode=1

c=llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll

+'>';

document.write(c);//join.php>

d=lllllllll+llll;

document.write(d);//id

e=llllllllllllllll+lllllllllllllllllllllll;

document.write(e);//pw


if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');history.go(-1);}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll

+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=5></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+' maxlength=10></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}


</script>

</body>

</html>
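The decoding done by hand above with document.write can also be done statically, without running the page's script. This is an added example, not code from the original post; `decode` is a hypothetical helper name, and the sample input is constructed in the page's naming scheme (the n-th letter is a run of n 'l' characters).

```javascript
// Added example: resolve l/I-style variables to strings without eval.
// One term of a concatenation: a quoted literal or a bare identifier.
const TERM = /'([^']*)'|([A-Za-z_$][\w$]*)/g;
const T = String.raw`(?:'[^']*'|[A-Za-z_$][\w$]*)`;
// name = term (+ term)* ;   -- covers both  lll='c';  and  x=lll+'='+I;
const ASSIGN = new RegExp(
  String.raw`(?<![\w$'])([A-Za-z_$][\w$]*)\s*=\s*(${T}(?:\s*\+\s*${T})*)\s*;`,
  'g'
);

// Walk assignments in source order, substituting names already seen.
function decode(src) {
  const table = new Map();
  for (const [, name, rhs] of src.matchAll(ASSIGN)) {
    let value = '';
    for (const [, lit, id] of rhs.matchAll(TERM)) {
      if (lit !== undefined) value += lit;
      else value += table.has(id) ? table.get(id) : `<${id}>`; // unknown name
    }
    table.set(name, value);
  }
  return table;
}

// Constructed sample in the page's scheme: L(4) is the variable holding 'd'.
const L = (n) => 'l'.repeat(n);
const SAMPLE = [
  `${L(4)}='d';${L(5)}='e';${L(9)}='i';${L(13)}='m';`,
  `${L(15)}='o';${L(16)}='p';${L(23)}='w';I='1';`,
  `d=${L(9)}+${L(4)};`,                          // field name 1
  `e=${L(16)}+${L(23)};`,                        // field name 2
  `b=${L(13)}+${L(15)}+${L(4)}+${L(5)}+'='+I;`,  // URL check string
].join('\n');

const decoded = decode(SAMPLE);
console.log(decoded.get('d'), decoded.get('e'), decoded.get('b'));
```

Passing the body of the page's script as `src` yields the same table for every plain concatenation assignment in it.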


Request http://webhacking.kr/challenge/web/web-05/mem/join.php?mode=1 and

put oldzombie into document.cookie, and the sign-up form appears!



Since PHPSESSID must not be changed,

I simply added it under an arbitrary name!


Next I need to sign up as admin, but it says the ID already exists and the sign-up fails!

admin%20

Signing up with that through Burp Suite succeeds!

Then I can log in as admin!
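From the defender's side, the result above is what happens when the duplicate check sees the raw ID while the identity is compared after normalization, and when the form's maxlength=5 is the only length check. The following is an added, constructed model of that mismatch and its fix, not the challenge's server code (which the page does not show); `makeStore`, `canon` and `demo` are hypothetical names, and the trimming at login is an assumption.

```javascript
// Constructed model; plaintext passwords only to keep it short.
const MAX_ID = 5; // mirrors the form's maxlength=5, enforced only by the browser

// Canonical form used for every comparison in the hardened store.
const canon = (id) => id.normalize('NFKC').trim().toLowerCase();

function makeStore(hardened) {
  const users = new Map(); // key -> { pw }
  const keyOf = (id) => (hardened ? canon(id) : id);
  return {
    join(id, pw) {
      const key = keyOf(id);
      // Hardened: length is checked on the server, after canonicalization.
      if (hardened && (key.length === 0 || key.length > MAX_ID)) return 'bad length';
      if (users.has(key)) return 'id exists';
      users.set(key, { pw });
      return 'ok';
    },
    // Returns the identity the session would get, or null on failure.
    login(id, pw) {
      const row = users.get(keyOf(id));
      if (!row || row.pw !== pw) return null;
      return id.trim(); // assumption: identity is compared after trimming
    },
  };
}

function demo(hardened) {
  const s = makeStore(hardened);
  s.join('admin', 'real-admin-password'); // the existing account
  const dup = s.join('admin', 'x');       // plain duplicate
  const padded = s.join('admin ', 'x');   // what admin%20 decodes to
  return { dup, padded, identity: s.login('admin ', 'x') };
}

console.log('weak    ', demo(false));
console.log('hardened', demo(true));
```

In the weak store the padded ID registers and resolves to the identity admin; in the hardened store it collides with the existing account and the login returns null.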


 

Done!

