
WebHacking.kr Challenge old-05

Goal: deobfuscate the source code, make use of NULL values
Only a login page and a join page are given, and no other functionality is visible.
On the login form, any id and password you enter just produces "wrong passwd",
and the join function is blocked.
The login page's address is
so I guessed the join page would be join.php and tried opening it,
but it kicks you out.
Looking at the page source, you can see that it is obfuscated, though it is a fairly simple kind of obfuscation.
```html
<html> <title>Challenge 5</title> </head> <body bgcolor=black> <center>
<script>
l = 'a'; ll = 'b'; lll = 'c'; llll = 'd'; lllll = 'e'; llllll = 'f'; lllllll = 'g'; llllllll = 'h'; lllllllll = 'i'; llllllllll = 'j';
lllllllllll = 'k'; llllllllllll = 'l'; lllllllllllll = 'm'; llllllllllllll = 'n'; lllllllllllllll = 'o'; llllllllllllllll = 'p'; lllllllllllllllll = 'q'; llllllllllllllllll = 'r'; lllllllllllllllllll = 's'; llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u'; llllllllllllllllllllll = 'v'; lllllllllllllllllllllll = 'w'; llllllllllllllllllllllll = 'x'; lllllllllllllllllllllllll = 'y'; llllllllllllllllllllllllll = 'z';
I = '1'; II = '2'; III = '3'; IIII = '4'; IIIII = '5'; IIIIII = '6'; IIIIIII = '7'; IIIIIIII = '8'; IIIIIIIII = '9'; IIIIIIIIII = '0';
li = '.'; ii = '<'; iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) { alert('bye'); throw "stop"; }
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) { alert('access_denied'); throw "stop"; }
else {
  document.write('<font size=2 color=white>Join</font><p>');
  document.write('.<p>.<p>.<p>.<p>.<p>');
  document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll + '>');
  document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=20></td></tr>');
  document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + '></td></tr>');
  document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
</script>
</body> </html>
```
You can just follow it line by line, evaluating each piece in the Chrome console (F12). With the variables resolved it reads:
```javascript
if (eval('document.cookie').indexOf('oldzombie') == -1) { alert('bye'); throw "stop"; }
if (eval('document').URL.indexOf('mode=1') == -1) { alert('access_denied'); throw "stop"; }
else {
  document.write('<font size=2 color=white>Join</font><p>');
  document.write('.<p>.<p>.<p>.<p>.<p>');
  document.write('<form method=post action=' + 'join.php' + '>');
  document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + 'id' + ' maxlength=20></td></tr>');
  document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + 'pw' + '></td></tr>');
  document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
```
This is how the obfuscated code decodes. The first guard looks for the string oldzombie in document.cookie and the second looks for mode=1 in document.URL, so with mode=1 in the URL and oldzombie in a cookie you reach the else branch, which writes the join form (posting id and pw to join.php). Both checks run only in the browser, so they are satisfied from the browser itself, for example by appending ?mode=1 to the URL and setting a cookie with document.cookie = 'oldzombie=1'.
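As an added example (not part of the original write-up, and not how the author solved it), here is a resolver that does the same folding statically: it parses the `name = 'x';` table and the `+` chains and inlines them without evaluating the script, so the alert/throw guards cannot fire and nothing is written into the page. The obfuscated input is reconstructed from the page's scheme rather than pasted verbatim; `ob()`, `SAMPLE` and the function names are the example's own.

```javascript
// Added example, not code from the write-up: a static resolver for the
// challenge's obfuscation scheme (one variable per character, l='a', ll='b',
// ..., I='1', li='.', words built with '+'). It folds the concatenations
// without executing anything, unlike pasting the script into the console.

const TOKEN_RE = /'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[A-Za-z_$][\w$]*|\s+|[\s\S]/g;
const tokenize = code => code.match(TOKEN_RE) || [];
const isStr = t => t[0] === "'" || t[0] === '"';
const isIdent = t => /^[A-Za-z_$][\w$]*$/.test(t);
const isWs = t => /^\s+$/.test(t);
const skipWs = (toks, k) => { while (k < toks.length && isWs(toks[k])) k++; return k; };
const unquote = t => t.slice(1, -1).replace(/\\(['"\\])/g, '$1');
const quote = s => `'${s.replace(/\\/g, '\\\\').replace(/'/g, "\\'")}'`;

// A term is a string literal or a variable whose value is already known.
const termValue = (t, table) =>
  isStr(t) ? unquote(t) : isIdent(t) && table.has(t) ? table.get(t) : null;

// Read `term (+ term)*` at index i; returns { value, end } or null. Only string
// terms are folded, so left-to-right '+' semantics are preserved.
function readChain(toks, i, table) {
  let value = '', end = i;
  for (let j = i; ; ) {
    const v = j < toks.length ? termValue(toks[j], table) : null;
    if (v === null) break;
    value += v; end = j + 1;
    const k = skipWs(toks, end);
    if (toks[k] !== '+') break;
    j = skipWs(toks, k + 1);
  }
  return end === i ? null : { value, end };
}

// Read `name = chain ;` at i; returns { name, value, end } or null ('==' is not '=').
function readDefinition(toks, i, table) {
  if (!isIdent(toks[i])) return null;
  const k = skipWs(toks, i + 1);
  if (toks[k] !== '=' || toks[k + 1] === '=') return null;
  const chain = readChain(toks, skipWs(toks, k + 1), table);
  const e = chain ? skipWs(toks, chain.end) : -1;
  return chain && toks[e] === ';' ? { name: toks[i], value: chain.value, end: e + 1 } : null;
}

// Only variables assigned exactly once are safe to inline; a reassigned one
// may hold something else by the time it is used.
function assignmentCounts(toks) {
  const counts = new Map();
  toks.forEach((t, i) => {
    if (!isIdent(t)) return;
    let p = i - 1;
    while (p >= 0 && isWs(toks[p])) p--;
    const k = skipWs(toks, i + 1);
    if (toks[k] === '=' && toks[k + 1] !== '=' && !['=', '!', '<', '>', '.'].includes(toks[p]))
      counts.set(t, (counts.get(t) || 0) + 1);
  });
  return counts;
}

// Resolve definitions to a fixpoint so chains built from other chains fold too.
function buildTable(toks) {
  const counts = assignmentCounts(toks), table = new Map();
  for (let grew = true; grew; ) {
    grew = false;
    for (let i = 0; i < toks.length; i++) {
      const d = readDefinition(toks, i, table);
      if (d && counts.get(d.name) === 1 && !table.has(d.name)) { table.set(d.name, d.value); grew = true; }
    }
  }
  return table;
}

function deobfuscate(code) {
  const toks = tokenize(code), table = buildTable(toks), out = [];
  let last = '';                       // last non-whitespace token emitted
  for (let i = 0; i < toks.length; ) {
    const d = readDefinition(toks, i, table);
    if (d && table.has(d.name)) { i = skipWs(toks, d.end); continue; }   // inlined everywhere, drop it
    const c = last === '.' ? null : readChain(toks, i, table);         // never fold property names
    if (c) { out.push(quote(c.value)); last = quote(c.value); i = c.end; continue; }
    if (!isWs(toks[i])) last = toks[i];
    out.push(toks[i++]);
  }
  // eval('document.cookie') is just document.cookie once the argument is a plain member path.
  return out.join('').replace(/\beval\('([\w$.]+)'\)/g, '$1');
}

// Constructed input mirroring the challenge page: the same character tables
// and guard lines, with the long '+' chains generated by ob().
const ob = w => [...w].map(c => c === '.' ? 'li' : /\d/.test(c)
  ? 'I'.repeat('1234567890'.indexOf(c) + 1) : 'l'.repeat(c.charCodeAt(0) - 96)).join(' + ');
const SAMPLE = [
  [...'abcdefghijklmnopqrstuvwxyz'].map((c, i) => `${'l'.repeat(i + 1)} = '${c}';`).join(' '),
  [...'1234567890'].map((d, i) => `${'I'.repeat(i + 1)} = '${d}';`).join(' '),
  "li = '.'; ii = '<'; iii = '>';",
  `lIllIllIllIllIllIllIllIllIllIl = ${ob('oldzombie')};`,
  `lIIIIIIIIIIIIIIIIIIl = ${ob('document.cookie')};`,
  `if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) { alert('bye'); throw "stop"; }`,
  `if (eval(${ob('document')} + li + 'U' + 'R' + 'L').indexOf(${ob('mode')} + '=' + I) == -1) { alert('access_denied'); throw "stop"; }`,
  `else { document.write('<form method=post action=' + ${ob('join.php')} + '>'); }`,
].join('\n');

console.log(deobfuscate(SAMPLE));
```

Run it with node; the printed text matches the console result above, except that `eval('document.cookie')` is already collapsed to `document.cookie`. Because the input is never executed, the same script can be pointed at the full page source, and a variable that is assigned more than once is deliberately left alone rather than inlined.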
That wasn't the end, though. I managed to reach the join page.
For now I registered with id: aaaaa, pw: aaaaa, and it succeeded.
Going back to login.php and logging in as aaaaa,
it tells me to log in as admin.
Trying to register as admin, it naturally says the id already exists.
Let's try registering with a NULL byte before and after admin.
Starting Burp was a hassle, so I first tried spaces before and after, and that registration actually went through.
Puzzling, but solved.
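An added model of the registration bug, not the challenge's server code (join.php and login.php are never shown in the write-up). The mechanism is an assumption, labelled as such: the duplicate check compares the raw submitted id while login matches ids after trim(), so " admin " is new to join but resolves to admin at login. A MySQL backend produces the same symptom for trailing spaces on its own, since the default PAD SPACE collations make 'admin ' = 'admin' true. Whatever the cause, the fix is one canonical form applied before both the uniqueness check and the lookup, with anything canonicalization would change refused outright. `SEED`, the class names and `runAttempts` are the example's own.

```javascript
// Added example, not the challenge's code. ASSUMED mechanism: join
// de-duplicates on the raw id, login matches after trim() and grants the
// identity of the trimmed id. The hardened version normalizes once, up front.

const SEED = [['admin', 'not-the-real-password']]; // constructed seed row

class VulnerableSite {
  constructor() { this.users = new Map(SEED); }
  join(id, pw) {
    if (this.users.has(id)) return 'already exists';   // raw-string duplicate check
    this.users.set(id, pw);
    return 'joined';
  }
  // Returns the identity the session gets, or null. The lookup trims both
  // sides, so the attacker's ' admin ' row answers for 'admin'.
  login(id, pw) {
    for (const [uid, upw] of this.users) {
      if (uid.trim() === id.trim() && upw === pw) return uid.trim();
    }
    return null;
  }
}

// One canonical form: a strict character set (no spaces, NUL, newlines or
// look-alike Unicode) within the form's own 20-character limit, then a
// case fold so 'Admin' and 'admin' are the same account.
function canonicalId(raw) {
  if (typeof raw !== 'string') return null;
  if (!/^[A-Za-z0-9_]{1,20}$/.test(raw)) return null;
  return raw.toLowerCase();
}

class HardenedSite {
  constructor() { this.users = new Map(SEED); }
  join(id, pw) {
    const key = canonicalId(id);
    if (key === null) return 'invalid id';
    if (this.users.has(key)) return 'already exists';   // same key as login uses
    this.users.set(key, pw);
    return 'joined';
  }
  login(id, pw) {
    const key = canonicalId(id);
    if (key === null) return null;
    const upw = this.users.get(key);
    return upw !== undefined && upw === pw ? key : null; // plain compare; a real app checks a hash
  }
}

// Constructed attempts mirroring the write-up: plain 'admin' is refused by
// both sites; the space-padded variant only slips past the vulnerable one.
function runAttempts(site) {
  return {
    plain: site.join('admin', 'aaaaa'),
    padded: site.join(' admin ', 'aaaaa'),
    loginAs: site.login(' admin ', 'aaaaa'),
  };
}

console.log('vulnerable:', runAttempts(new VulnerableSite()));
console.log('hardened:', runAttempts(new HardenedSite()));
```

The point of the hardened version is not the particular character set but that join and login derive the account key through the same function, so no input can be "new" to one and "admin" to the other; NUL bytes, which the write-up's goal line mentions, fall out of the same check.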

 2023. absolroot all rights reserved.