# old-05 (300)

첫 화면이다.

![](/files/-LymLYeJTjtzQBNUETgx)

Login 버튼을 클릭하면 아래와 같은 폼이 나온다.

![](/files/-LymLgSJaby_kPMUXbmX)

어떤 값으로든 로그인 시도를 하면 Wrong password라는 문구가 나온다.

현재 URL이 <https://webhacking.kr/challenge/web-05/mem/login.php> 인데 [https://webhacking.kr/challenge/web-05/mem/](https://webhacking.kr/challenge/web-05/mem/login.php) 으로 접속한다.

![](/files/-LymT9Dmr-Vghu4VZW3k)

join.php를 클릭하고 페이지 소스를 보면 아래와 같다.

```markup
<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>
```

난독화 되어 있는 것을 보기 좋게 나타내면 아래와 같다.

```javascript
if (eval('document.cookie').indexOf('oldzombie') == -1) {
    alert('bye');
    throw "stop";
}
if (eval('document.URL').indexOf('mode=1') == -1) {
    alert('access_denied');
    throw "stop";
}
else {
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=join.php>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
```

oldzombie라는 이름의 쿠키를 만들고 URL에 `?mode=1` 을 붙여 <https://webhacking.kr/challenge/web-05/mem/join.php?mode=1> 으로 접속하면 아래와 같은 화면이 나온다.

id가 admin이 아닌 값으로 회원가입을 하고 로그인을 하면 ' You have to login as admin'이라는 문구가 뜬다.

id를 admin으로 하여 회원가입하려고 하면 'id already existed'라는 문구가 뜬다.

id를 입력할 때 그냥 admin이 아니라 띄어쓰기 + admin을 입력하면 회원가입도 되고, 로그인도 되어 문제가 풀린다.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://donghyunlee.gitbook.io/write-up/wargame/webhacking.kr/old-05-300.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.