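Clicking the Login button runs the move function and navigates to the mem/login.php page.
Clicking the Join button runs the no function, which shows Access Denied.
This is the login page.
Clicking the login button sends id and pw to login.php.
I just tried logging in, and it says Wrong password.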
<html>
<head>
<title>Challenge 5</title>
</head>
<body bgcolor=black>
<center><font color=white>
Wrong password</font></font>
<font color=black>
.<p>
.<p>
.<p>
.<p>
.<p>
.<p>
.<p>
</font>
<form method=post action=login.php>
<input type=text name=id onmouseover=this.focus();><br>
<input type=password name=pw onmouseover=this.focus();><p>
<input type=submit style=border:0;background=gray;width:150 value='login' onmouseover=this.focus();>
</form>
</center>
</body>
</html>
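This is the login.php file.
I found it in the Sources tab of the developer tools, and it looks identical to what is in the HTML file.
The login URL was /mem/login.php, so I just tried visiting the /mem link.
When I visited join.php, this is what came up.
It showed bye, so I thought I had solved it, but I had not.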
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) {alert('bye');throw "stop";}if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');throw "stop";}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=20></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+'></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
Checking the Elements tab, I found this code.
It looks complicated, but it is simple code: a-z, 0-9, ., < and > are stored in variables, and the conditionals are written using those variables.
// Check 1: the cookie string must contain "oldzombie".
if (eval("document.cookie").indexOf("oldzombie") == -1) {
    alert('bye');
    throw "stop";
}
// Check 2: the URL must contain "mode=1".
if (eval("document.URL").indexOf("mode=1") == -1) {
    alert('access_denied');
    throw "stop";
} else {
    // Both checks passed: render the sign-up form.
    // The obfuscated names decode to action=join.php and fields id / pw.
    document.write('<font size=2 color=white>Join</font><p>');
    document.write('.<p>.<p>.<p>.<p>.<p>');
    document.write('<form method=post action=' + 'join.php' + '>');
    document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + 'id' + ' maxlength=20></td></tr>');
    document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + 'pw' + '></td></tr>');
    document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
Leaving out the variable declarations and replacing every convoluted variable name with the character it is defined as gives this code.
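The same substitution can be done mechanically. The following is an added example, not code from the original post: it reads the single-character declarations and folds every `+` chain into a string literal without running the page's script. The sample input is constructed in the page's naming scheme, and `ck`, `names` and `enc` are names assumed for the example.

```javascript
// Added example: resolve the l/I variables statically (no eval of page code).
const IDENT = "[A-Za-z_$][\\w$]*";
const TERM = `(?:${IDENT}|'[^']*')`;
const DECL = new RegExp(`(?:^|;)\\s*(${IDENT})\\s*=\\s*([^;=]+)(?=;)`, "g");

// Fold each run of  term + term + ...  into one string literal when every
// name in it is known; a run containing an unknown name is left untouched.
function fold(code, table) {
  const chain = new RegExp(`${TERM}(?:\\s*\\+\\s*${TERM})*`, "g");
  return code.replace(chain, (run) => {
    let out = "";
    for (const p of run.match(new RegExp(TERM, "g"))) {
      if (p[0] === "'") out += p.slice(1, -1);
      else if (table.has(p)) out += table.get(p);
      else return run;
    }
    return JSON.stringify(out);
  });
}

// Read  name = expr;  declarations in order, so names built from earlier
// ones (such as the cookie-name variable) resolve as well.
function buildTable(code) {
  const table = new Map();
  for (const [, name, rhs] of code.matchAll(DECL)) {
    const v = fold(rhs.trim(), table);
    if (/^"(?:[^"\\]|\\.)*"$/.test(v)) table.set(name, JSON.parse(v));
  }
  return table;
}

// Drop the resolved declarations and fold what remains.
function deobfuscate(code) {
  const table = buildTable(code);
  const body = code.replace(DECL, (m, name) => (table.has(name) ? "" : m));
  return fold(body.replace(/^;+/, ""), table);
}

// Constructed sample in the page's scheme: k l's = k-th letter, k I's = digit.
const names = {};
[..."abcdefghijklmnopqrstuvwxyz"].forEach((c, i) => (names[c] = "l".repeat(i + 1)));
[..."1234567890"].forEach((c, i) => (names[c] = "I".repeat(i + 1)));
Object.assign(names, { ".": "li", "<": "ii", ">": "iii" });
const enc = (s) => [...s].map((c) => names[c] ?? `'${c}'`).join("+");
const SAMPLE =
  Object.entries(names).map(([c, n]) => `${n}='${c}';`).join("") +
  `ck=${enc("oldzombie")};` +
  `if(eval(${enc("document.cookie")}).indexOf(ck)==-1){alert('bye');}` +
  `document.write('<form method=post action='+${enc("join.php")}+'>');`;

console.log(deobfuscate(SAMPLE));
```

Because the folding is purely textual, the script under analysis never runs, so its `alert` and `throw` calls cannot interrupt the inspection.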
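After manipulating the cookie value and changing the URL as well, the sign-up form appears like this.
I just signed up with id and password ddd, ddd, and when I then tried logging in,
this is what came up.
I went back and tried to sign up with admin, admin, but it says id already exist.
I was stuck here for a long time: I have to sign up as admin, but that id already exists.
That means I have to log in with a different id that still has to be recognized as admin,
so I created the id as a space + admin, and the sign-up succeeded.
Then I tried logging in, and
it was solved.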