본문으로 바로가기

webhacking 5번 문제풀이

category CTF/webhacking.kr 2021. 9. 19. 02:17

https://webhacking.kr/challenge/web-05/

 

Challenge 5

 

webhacking.kr

첫 페이지에서 로그인과 회원가입 중 먼저 회원가입부터 하고 로그인을 하는 거로 유추합니다.

join 클릭시 alert 경고창으로 접속이 거부됩니다.

소스코드 확인시 login을 누르면 mem/login.php로 진입하므로 join이 있음을 확인하고 mem/join.php로 접근을 시도해봅니다.

진입시 alert으로 진입 거부. 소스코드를 통해 소스를 확인해봅니다.

자바스크립트단이 알아보기 힘들게 되어있습니다. 난독화된 코드임을 확인 할 수 있습니다.

<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>

난독화 해제 사이트를 이용합니다.

https://www.strictly-software.com/unpack-javascript

 

Javascript Unpacker Tool - Strictly Software

This Javascript unpacker tool has now been upgraded to allow it to unpack multiple eval statements. So if your packed code has itself been packed a few times it will loop through until it finds the original source code. If you want to test this multiple ev

www.strictly-software.com

< html > <title > Challenge 5 < /title></head > <body bgcolor = black > <center > <script > l = 'a';
ll = 'b';
lll = 'c';
llll = 'd';
lllll = 'e';
llllll = 'f';
lllllll = 'g';
llllllll = 'h';
lllllllll = 'i';
llllllllll = 'j';
lllllllllll = 'k';
llllllllllll = 'l';
lllllllllllll = 'm';
llllllllllllll = 'n';
lllllllllllllll = 'o';
llllllllllllllll = 'p';
lllllllllllllllll = 'q';
llllllllllllllllll = 'r';
lllllllllllllllllll = 's';
llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u';
llllllllllllllllllllll = 'v';
lllllllllllllllllllllll = 'w';
llllllllllllllllllllllll = 'x';
lllllllllllllllllllllllll = 'y';
llllllllllllllllllllllllll = 'z';
I = '1';
II = '2';
III = '3';
IIII = '4';
IIIII = '5';
IIIIII = '6';
IIIIIII = '7';
IIIIIIII = '8';
IIIIIIIII = '9';
IIIIIIIIII = '0';
li = '.';
ii = '<';
iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
	alert('bye');
	throw "stop";
}
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
	alert('access_denied');
	throw "stop";
} else {
	document.write('<font size=2 color=white>Join</font><p>');
	document.write('.<p>.<p>.<p>.<p>.<p>');
	document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll + '>');
	document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=20></td></tr>');
	document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + '></td></tr>');
	document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
} < /script>
</body > </html>

난독화에서 풀지 못한 부분들을 console에 입력하면 실제 평문이 나옵니다.

난독화 해제시 oldzombie가 쿠키에 존재하며 url에 mode=1이 존재해야한다.

if(eval(document.cookie).indexOf(oldzombie) == -1){ // oldzombie라는 단어가 cookie에 존재하지 않으면 bye
    alert('bye');
    throw "stop";
}
if(eval(document.URL).indexOf(mode=1)==-1){ // url 뒤에 mode=1가 없으면 전페이지로 이동
    alert('access_denied');
	throw "stop";
}

oldzombie를 쿠키에 추가 후 https://webhacking.kr/challenge/web-05/mem/join.php?mode=1 mode=1을 url에 붙힌다.

testtest라는 아이디를 만들었지만 admin 아이디가 요구되므로 다시 admin으로 회원가입하러 가야합니다.

php는 공백을 넣은 단어를 다른 문자열로 인식합니다. admin에 공백 추가하여 회원가입

끝~

저작자표시 (새창열림)

'CTF > webhacking.kr' 카테고리의 다른 글

webhacking.kr 1번 문제  (0) 2021.09.05
댓글 , 엮인글
정보보안과 개발 일기장
블로그 이미지 코딩no예 님의 블로그
MENU
CATEGORY
VISITOR 오늘 / 전체

티스토리툴바