old-05 (300)

This is the first screen.

Clicking the Login button brings up the form below.

Any login attempt, whatever values are entered, returns the message Wrong password.

The current URL is https://webhacking.kr/challenge/web-05/mem/login.php, so open https://webhacking.kr/challenge/web-05/mem/ instead.

Click join.php and view the page source; it looks like this:

<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<script>
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
</script>
</body>
</html>

The script is obfuscated; laid out readably, it is equivalent to the following:

if (eval('document.cookie').indexOf('oldzombie') == -1) {
    alert('bye');
    throw "stop";
}
if (eval('document.URL').indexOf('mode=1') == -1) {
    alert('access_denied');
    throw "stop";
}
else {
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=join.php>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=id maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=pw></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}

Create a cookie named oldzombie, append ?mode=1 to the URL and open https://webhacking.kr/challenge/web-05/mem/join.php?mode=1; the screen below appears.

Registering with an id other than admin and then logging in shows the message 'You have to login as admin'.

Trying to register with the id admin shows 'id already existed'.

Entering a space followed by admin as the id, rather than plain admin, lets the registration go through, and logging in with it solves the challenge.
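The server code behind join.php and login.php is not on the page, so the following is an added model (not the challenge's own code) of one assumption that reproduces exactly the behaviour seen above: the duplicate-id check compares the raw input, while the id that is stored and later queried is trimmed. The seed row, passwords and messages are constructed; the hardened variant canonicalises the id once, before every check.

```javascript
// Added example, not the challenge's server code (join.php/login.php are not
// shown on the page). It models one assumption that reproduces exactly the
// behaviour seen above: the duplicate-id check compares the raw input, while
// the stored/queried id is trimmed. Seed data and messages are constructed.

function makeVulnerableService() {
  const rows = [{ id: 'admin', pw: 'admin-secret' }]; // constructed seed row
  return {
    register(id, pw) {
      // Raw comparison: " admin" !== "admin", so the duplicate check passes.
      if (rows.some((r) => r.id === id)) return 'id already existed';
      // Assumed: the id is trimmed on the way in, creating a second "admin" row.
      rows.push({ id: id.trim(), pw });
      return 'registered';
    },
    login(id, pw) {
      const row = rows.find((r) => r.id === id.trim() && r.pw === pw);
      if (!row) return 'Wrong password';
      return row.id === 'admin' ? 'welcome admin' : 'You have to login as admin';
    },
  };
}

// Hardened variant: one canonical form, computed before any check, and a
// strict allow-list so whitespace (or other padding) never reaches storage.
function canonicalId(id) {
  return /^[a-z0-9_]{1,20}$/i.test(id) ? id.toLowerCase() : null;
}

function makeHardenedService() {
  const rows = [{ id: 'admin', pw: 'admin-secret' }];
  return {
    register(id, pw) {
      const key = canonicalId(id);
      if (key === null) return 'invalid id';
      if (rows.some((r) => r.id === key)) return 'id already existed';
      rows.push({ id: key, pw });
      return 'registered';
    },
    login(id, pw) {
      const key = canonicalId(id);
      const row = key === null ? undefined : rows.find((r) => r.id === key && r.pw === pw);
      if (!row) return 'Wrong password';
      return row.id === 'admin' ? 'welcome admin' : 'You have to login as admin';
    },
  };
}
```

Even with the application-level check fixed, the canonical id should also carry a unique constraint at the database layer, so that any future bypass of the check still fails at insert time.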
