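This is challenge 5.
It is worth 300 points, and the category is DB.
There is a login button and a join button.
Clicking the login button brings up a window like that.
Clicking the join button brings up a window like that.
The login page's address is
https://webhacking.kr/challenge/web-05/mem/login.php
so I tried accessing
https://webhacking.kr/challenge/web-05/mem/
directly.
????
I should take a look at join.php.
Ta-da!
That pops up, but I was not redirected to another page.
So there must be something more on this page!
Pressing F12 to look at the code, I found that horrible code.
Tidied up line by line, it looks like this: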
l = 'a';
ll = 'b';
lll = 'c';
llll = 'd';
lllll = 'e';
llllll = 'f';
lllllll = 'g';
llllllll = 'h';
lllllllll = 'i';
llllllllll = 'j';
lllllllllll = 'k';
llllllllllll = 'l';
lllllllllllll = 'm';
llllllllllllll = 'n';
lllllllllllllll = 'o';
llllllllllllllll = 'p';
lllllllllllllllll = 'q';
llllllllllllllllll = 'r';
lllllllllllllllllll = 's';
llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u';
llllllllllllllllllllll = 'v';
lllllllllllllllllllllll = 'w';
llllllllllllllllllllllll = 'x';
lllllllllllllllllllllllll = 'y';
llllllllllllllllllllllllll = 'z';
I = '1';
II = '2';
III = '3';
IIII = '4';
IIIII = '5';
IIIIII = '6';
IIIIIII = '7';
IIIIIIII = '8';
IIIIIIIII = '9';
IIIIIIIIII = '0';
li = '.';
ii = '<';
iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
alert('bye');
throw "stop";
}
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
alert('access_denied');
throw "stop";
} else {
document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll +
'>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + '></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
That is how it comes out.
If lIllIllIllIllIllIllIllIllIllIl cannot be found in lIIIIIIIIIIIIIIIIIIl, it kicks you out.
And if lllllllllllll + lllllllllllllll + llll + lllll + '=' + I cannot be found in llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L', it kicks you out again.
What is this
There is a limit to working that out in my head, so I will use the console.
lIIIIIIIIIIIIIIIIIIl is document.cookie
lIllIllIllIllIllIllIllIllIllIl is oldzombie
llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L' is document.URL
lllllllllllll + lllllllllllllll + llll + lllll + '=' + I is mode=1.
So if a cookie named oldzombie exists, the first check passes,
and passing mode=1 gets through the second check, so I can attempt to sign up!
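The same substitution can be resolved statically by table lookup, without handing the page's script to eval(). This is an added example, not code from the challenge or the original post; `resolve`, `buildTable` and the constant names are hypothetical, and the letter/digit table is regenerated from the pattern visible in the script rather than pasted.

```javascript
// Added example: resolve the concatenation obfuscation by lookup, never by eval().
// Constructed input: the substitution table, regenerated from its visible pattern
// (n 'l's -> nth letter, n 'I's -> digits 1..9 then 0), followed by the two
// concatenated assignments copied from the script shown above.
const SCRIPT = [
  ...[...'abcdefghijklmnopqrstuvwxyz'].map((c, i) => `${'l'.repeat(i + 1)} = '${c}';`),
  ...[...'1234567890'].map((c, i) => `${'I'.repeat(i + 1)} = '${c}';`),
  "li = '.';", "ii = '<';", "iii = '>';",
  "lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;",
  "lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;",
].join('\n');

// The two operands of the second check, copied from the script shown above.
const URL_EXPR = "llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L'";
const MODE_EXPR = "lllllllllllll + lllllllllllllll + llll + lllll + '=' + I";

// A term is either a single-quoted literal or an identifier.
const TOKEN = /'([^']*)'|([A-Za-z_$][\w$]*)/g;

// Resolve "a + b + 'lit'" to its string value using only names already known.
function resolve(expr, table) {
  let out = '';
  for (const [, literal, name] of expr.matchAll(TOKEN)) {
    if (literal !== undefined) out += literal;
    else if (table.has(name)) out += table.get(name);
    else throw new Error(`unresolved identifier: ${name}`);
  }
  return out;
}

// Walk "name = expr;" statements in source order, resolving each right-hand
// side against the names defined so far. Anything else in the source is ignored.
function buildTable(src) {
  const table = new Map();
  for (const [, name, rhs] of src.matchAll(/^\s*([A-Za-z_$][\w$]*)\s*=\s*([^;]+);/gm)) {
    table.set(name, resolve(rhs, table));
  }
  return table;
}

const table = buildTable(SCRIPT);
console.log(resolve(URL_EXPR, table), '/', resolve(MODE_EXPR, table));
console.log([...table].filter(([name]) => name.length > 26).map(([, value]) => value));
```

Because nothing from the page is executed, an unknown name raises an error instead of running whatever the script would have evaluated.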
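Set the cookie,
and pass mode=1 in the URL?
Now I can sign up.
So I sign up,
and after signing up it tells me to log in as admin.
I tried to sign up as admin, but
Ta-da!
it says the id is already in use.
Then what if I try " admin", with a space character inserted in front?
Ta-da!
Now if I try logging in as the admin I just registered?
Ta-da!
The challenge is solved.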