webhacking.kr - old5

2021. 3. 30. 13:56 WarGame/webhaking.kr

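When you first open the challenge page, join is not available.

I went to login and tried entering various things,

saw that the login page URL is "webhacking.kr/challenge/web-05/mem/login.php",

and changed it to join.php to request that page instead.

An access_denied alert appears, and the page source looks like this: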

<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>

The code is unreadable in this form, but after running it through a JS beautifier and replacing the variable names one by one, it becomes the following.

<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
// Lookup table in the original: one variable per character.
//   l, ll, lll, ... (1 to 26 l's)  = 'a' .. 'z'
//   I, II, III, ... (1 to 9 I's)   = '1' .. '9', IIIIIIIIII = '0'
//   li = '.', ii = '<', iii = '>'

// lIllIllIllIllIllIllIllIllIllIl = o+l+d+z+o+m+b+i+e
cookieMarker = 'oldzombie';
// lIIIIIIIIIIIIIIIIIIl = d+o+c+u+m+e+n+t+.+c+o+o+k+i+e
cookieExpr = 'document.cookie';

// Check 1: document.cookie must contain the string "oldzombie".
if (eval(cookieExpr).indexOf(cookieMarker) == -1) {
    alert('bye');
    throw "stop";
}
// Check 2: the URL must contain "mode=1".
if (eval('document.URL').indexOf('mode=1') == -1) {
    alert('access_denied');
    throw "stop";
} else {
    // Both checks passed: render the join form (posts id and pw to join.php).
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=join.php>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
</script>
</body>
</html>

Analyzing the code above:

1. there must be a cookie with the name oldzombie and the value oldzombie, and

2. sending ?mode=1 as a parameter should do it.
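The renaming that was done by hand above can be scripted. The following is an added example, not code from the original post or from webhacking.kr: it collects the `name='x';` aliases, substitutes whole identifier tokens so that a short name such as `l` is never replaced inside `ll`, and folds the resulting `'a'+'b'` chains. The names `deobfuscate` and `SAMPLE` and the regex constants are assumptions, and the sample input is constructed.

```javascript
// Added example: undo string-alias obfuscation (not the post's own code).
const STR = String.raw`'(?:[^'\\]|\\.)*'`;          // single-quoted literal
const DQ = String.raw`"(?:[^"\\]|\\.)*"`;           // double-quoted literal
const ID = String.raw`(?<![.\w$])[A-Za-z_$][\w$]*`; // whole identifier, not a property

// Each pattern tries string literals first, so a left-to-right scan consumes
// them whole and never rewrites text that merely sits inside a literal.
const DEF = new RegExp(`${STR}|${DQ}|(${ID})\\s*=\\s*(${STR})\\s*;`, 'g');
const USE = new RegExp(`${STR}|${DQ}|${ID}`, 'g');
const CHAIN = new RegExp(`${STR}(?:\\s*\\+\\s*${STR})+|${STR}|${DQ}`, 'g');

// Assumption: every alias is a bare global assigned exactly once, and literals
// are only joined with `+` (both hold for the challenge script).
function deobfuscate(src) {
  for (;;) {
    const aliases = new Map();
    // 1. Collect `name='literal';` definitions and drop them from the source.
    src = src.replace(DEF, (m, name, lit) => {
      if (name === undefined) return m;   // a string literal: keep as is
      aliases.set(name, lit);
      return '';
    });
    if (aliases.size === 0) return src.trim();
    // 2. Substitute whole identifier tokens, so `l` never matches inside `ll`.
    src = src.replace(USE, (tok) => aliases.get(tok) ?? tok);
    // 3. Fold 'a'+'b'+... chains; this can expose new definitions for the next pass.
    src = src.replace(CHAIN, (m) => {
      if (m[0] !== "'") return m;
      const parts = m.match(new RegExp(STR, 'g'));
      return `'${parts.map((p) => p.slice(1, -1)).join('')}'`;
    });
  }
}

// Constructed sample in the style of the challenge script (shortened alphabet).
const SAMPLE =
  "l='a';ll='d';lll='e';llll='m';lllll='o';I='1';" +
  "lIl=llll+lllll+ll+lll;" +
  "if(document.URL.indexOf(lIl+'='+I)==-1){alert('l'+l+ll);throw \"stop\";}";

console.log(deobfuscate(SAMPLE));
```

The loop repeats because folding a chain such as `lIl=llll+lllll+ll+lll;` turns it into a new constant definition, which the next pass inlines at its use sites.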

 

 

With the cookie set, the join page becomes accessible, but trying admin/1234 is blocked.

I bypassed this by putting whitespace into the id.

id =     admin 

pw = 1234

Logging in with those same values solves the challenge :)
