webhakcing.kr - old 5번 - WriteUp

4번은 거의다 풀었지만 아직 Rainbow table이 완성이 안되서 작성을 못하고 있네요 ㅠㅠ

일단 5번 문제를 봅니다.

들어가 보면 Login 과 Join 버튼이 존재 하는 것을 볼 수 있습니다.

이때 Join 버튼은 실제로 이동을 하지 않고 경고 Alert만 발생하도록 되어 있습니다.

주소/mem/login.php 로 이동하니 위와 같이 로그인 창이 있고 sql injection 점검 문자열을 날려보았을 때 반응이 없습니다.

join 버튼이 존재 한다는 것은 join.php가 존재 한다는 것이니 주소/mem/join.php 로 들어가 봅니다.

bye경고가 뜨고 바로 종료가 되는 것을 볼 수 있습니다.

<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>

response를 보니 js가 난독화 되어 있는 것을 볼 수 있습니다.

l='a';
ll='b';
lll='c';
llll='d';
lllll='e';
llllll='f';
lllllll='g';
llllllll='h';
lllllllll='i';
llllllllll='j';
lllllllllll='k';
llllllllllll='l';
lllllllllllll='m';
llllllllllllll='n';
lllllllllllllll='o';
llllllllllllllll='p';
lllllllllllllllll='q';
llllllllllllllllll='r';
lllllllllllllllllll='s';
llllllllllllllllllll='t';
lllllllllllllllllllll='u';
llllllllllllllllllllll='v';
lllllllllllllllllllllll='w';
llllllllllllllllllllllll='x';
lllllllllllllllllllllllll='y';
llllllllllllllllllllllllll='z';
I='1';
II='2';
III='3';
IIII='4';
IIIII='5';
IIIIII='6';
IIIIIII='7';
IIIIIIII='8';
IIIIIIIII='9';
IIIIIIIIII='0';
li='.';
ii='<';
iii='>';

lIllIllIllIllIllIllIllIllIllIl="oldzombie";
lIIIIIIIIIIIIIIIIIIl="document.cookie";

if(eval(document.cookie).indexOf(oldzombie)==-1) {
    alert('bye');throw "stop";
}
if(eval("document.URL").indexOf("mode=1")==-1){
    alert('access_denied');throw "stop";
    }else{
        document.write('<font size=2 color=white>Join</font><p>');
        document.write('.<p>.<p>.<p>.<p>.<p>');
        document.write('<form method=post action=join.php>');
        document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
        document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
        document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}

난독화를 복호화 시켜 보니 cookie에 oldzombie 가 있어야 하고 url에 mode=1으로 요청을 하고 있어야지 입력창을 생성해주는 모습을 볼 수있습니다.

이제 공격을 시도 합니다.

id=%20%20admin&pw=admin 형태로 공백을 추가 하여 join을 합니다. 이제 로그인을 하면 admin으로 인식하여 로그인이 됩니다.