wow hacker level7 writeup
TRANSCRIPT
![Page 1: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/1.jpg)
WOWHacker 문제풀이
Kknock S5 권혁규
![Page 2: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/2.jpg)
Level 1
문제
문제를 푼 순서
![Page 3: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/3.jpg)
Level 1 Clear!!
Auth = I love tiger mac
![Page 4: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/4.jpg)
Level 2
![Page 5: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/5.jpg)
Level 2
• 현재 로그인도 안되어있다.
• 권한이 있다.
• 그럼 쿠키를 보면..?? 뭔가 나오지않을까.
• 쿠키를 보는 툴중엔 Cooxie라는 툴바가 있다. 이를 이용해서 보면 다음과 같이 생겼다.
• User_level을 5로 바꿔준다.
-> 세션을 쓰진 않는 것 같다.-> 쿠키 같은 것에 권한이 있을
것이다.
![Page 6: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/6.jpg)
Level 2
그 후 문제풀이법입니다! 라는 글을 본다.
다운로드를 받으면.. 헐ㅠㅠ
![Page 7: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/7.jpg)
Level 2
….하 그럼 우선 도움이 될만한 것들부터 보자..
헐 안됨.
-> 헐 또안됨
![Page 8: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/8.jpg)
Level 2
근데 게시글 이름이 Password.txt이다..??
그렇다면 Password.txt 라는 파일이 있을 수도..??
이 파일을 받아보자.
아까 문제풀이법입니다. 라는 게시글 에서 파일을다운받을 때, 파일명을 Password.txt로 해서 받으면?
될지도..??
![Page 9: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/9.jpg)
Level 2
ㅡㅡ;; 권한 내려주자.
>
http://webgame.wowhacker.com/levelii/download.php?table_id=free&page=1&no=6&path=Solve.txt
↓
http://webgame.wowhacker.com/levelii/download.php?table_id=free&page=1&no=6&path=Password.txt
![Page 10: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/10.jpg)
Level 2
![Page 11: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/11.jpg)
Level 2
인코딩&암호화
….??
우선 만만한 Base64부터 해보자..
- 당황하지 않고…
![Page 12: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/12.jpg)
Level 2
->
-> -> Password : Where is fckorea?!
![Page 13: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/13.jpg)
Level 2 Clear!!
Auth = Where is fckorea?!
![Page 14: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/14.jpg)
Level 3
![Page 15: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/15.jpg)
Level 3
파일명이.. B72776c5eb0c5a05a718895…???
파일명이 MD5라는 해쉬화로 되어있다..
![Page 16: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/16.jpg)
Level 3
• 파일명이 뭔지도 모르고.. 뭔지도 모르는데해쉬화가 되어있으므로.. 파일을 받긴 힘듬
하 그럼 뭘 해보지… 파일들 안에 뭐가 있나.. 파일은 txt나 gif,
jyp( jpg)인 것 같은데.. 스테가노그래피인가.. 그렇게 어려운
문제 일리가 없고.. 몸짱사진은 원본 사진이름이 Hulk인데…
Hulk를 MD5 해쉬화 해봤는데 파일명이랑 또 다르고..힌트파일
은 웹브라우저에서 그냥 열리던데.. 모르겠다 ㅠㅠ
![Page 17: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/17.jpg)
Level 3
-아…뭐지
![Page 18: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/18.jpg)
Level 3
• http://webgame.wowhacker.com/weblevel3/down/?.85428900
• http://webgame.wowhacker.com/weblevel3/down/779bbf24b15bb7cb0f6b51507f0615f4.65272100
• http://webgame.wowhacker.com/weblevel3/down/b08e7acd151d17cbc5f205edf151d7e7.78252100
• http://webgame.wowhacker.com/weblevel3/down/28d805e190f11ba1da5283d494ee8492.57833500
• http://webgame.wowhacker.com/weblevel3/down/b72776c5eb0c5a05a7188959a49e1f1b.2561620
• 뒤에 붙는 확장자가 작성시간에 나온0.xxxxxxxx이다..??
• 뭔가 시간에 관련된 문제가 아닐까..
![Page 19: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/19.jpg)
Level 3
• 0.xxxxxxxx가 뭔지는 모르겠다.. 하지만확장자로써 붙는 것은 확실하다.
• 그럼 날짜값을 해쉬화하면?
• 그냥 날짜값은 아닌가보다.
• -> 그럼 이걸 유닉스 타임스탬프라는걸로
-> Fail
![Page 20: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/20.jpg)
Level 3
우리나라는 GMT에서 9시간을 더한 시간이므로.. 타임존을 설정할때는 GMT +9로
★해★쉬★화★
fb6e412cf733d6b9cdf777cbcafa35c3
![Page 21: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/21.jpg)
Level 3
779bbf24b15bb7cb0f6b51507f0615f4.65272100
1. 유닉스 타임스탬프로 변경2. MD5 해쉬화.
![Page 22: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/22.jpg)
Level 3
![Page 23: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/23.jpg)
Level 3 Clear!!
Auth = iwantknowmoreMrjones!
![Page 24: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/24.jpg)
Level 4
와… 이건 200% 인젝션일것이다
![Page 25: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/25.jpg)
Level 4
• 일거라 생각했는데..
• WOWSESSIONID? 이상한 쿠키값이 있다.
세션으로 푸는거네 ㅋㅋ
![Page 26: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/26.jpg)
Level 4
• 공지의 두번째글을 보면..
![Page 27: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/27.jpg)
Level 4
• WOWSESSIONID가 다음과 같이 변경됨..• WOWSESSIONID=084e0343a0486ff05530df6c705c8bb4b4cc89a5b89a0084098ecdf724bd24f1
• WOWSESSIONID=084e0343a0486ff05530df6c705c8bb4e5f2e558c0b265ca8d580d97fc27a490
• WOWSESSIONID=084e0343a0486ff05530df6c705c8bb450c3bf0d8592cdc9db9a3299ea75807f
• WOWSESSIONID=084e0343a0486ff05530df6c705c8bb42b574d2ae0a9e2fa015312a9d12fb0ee
• WOWSESSIONID=084e0343a0486ff05530df6c705c8bb4b958fad39546115b4ca0c211e16d30d8
• WOWSESSIONID=084e0343a0486ff05530df6c705c8bb40b513a7f96e4f537d5dc17b272af2eaa
• WOWSESSIONID=084e0343a0486ff05530df6c705c8bb4b7a291eadb24a6cbacf54ffd2af26c2e
• WOWSESSIONID=084e0343a0486ff05530df6c705c8bb41d5e127e59539c49d1d8ded9c8ffc5cc
• 음? 근데 뭔가 이상한 부분이 있다…??
• “084e0343a0486ff05530df6c705c8bb4”
• 가 계속 반복된다.
![Page 28: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/28.jpg)
Level 4
• 084e0343a0486ff05530df6c705c8bb4는
• MD5 해쉬화 되어있는 것 같다.
• 아마 Guest를 MD5 해쉬화 하면 저게 나올것같다… 그래서 해봤더니
• Guest = 084e0343a0486ff05530df6c705c8bb4
![Page 29: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/29.jpg)
Level 4
084e0343a0486ff05530df6c705c8bb49fe21a202dabf6e54288b9ce63035cf9
↓
9fe21a202dabf6e54288b9ce63035cf9 이것이 바로 타임스탬프 해쉬값(?).
↓
2015-01-18 10:02:45에 로그인 했었으니까 이걸 타임스탬프로 바꿔보자.
↓
1421542965
↓
해쉬화
↓
2d06eb215151134880584b80a045e5cb
↓
???ㅋ 틀림 뭐지… 타임스탬프가 아닌가….
![Page 30: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/30.jpg)
Level 4
• 앞에는 계정 명이 들어간다…
• 뒤에 있는걸 알아보자.
• 이전문제도 그랬으니 이것도 타임스탬프를 MD5로 해쉬화했을듯 ㅋ
![Page 31: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/31.jpg)
Level 4
아... 로그인시간이 2015-01-18 10:02:45 는맞는데… 저녁 10시니까 22시 아닌가..??
↓
2015-01-18 22:02:45
↓
9fe21a202dabf6e54288b9ce63035cf9
![Page 32: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/32.jpg)
Level 4
• 앞에것 = 계정명
• 뒤에것 = 타임스탬프
• 그러면.. Admin+시간인 MD5 해쉬값을미리 만든 후 그걸 쿠키에 세팅,
• 로그인을 때리면.. 어드민으로 로그인??
![Page 33: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/33.jpg)
Level 4
우선 컴퓨터 시간이랑 서버시간이랑 다름
![Page 34: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/34.jpg)
Level 4
• 미리 세션 해쉬를 만들어 놓고…
• 세팅을 해놓고… F5를 누르면?!
![Page 35: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/35.jpg)
Level 4
![Page 36: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/36.jpg)
Level 4
![Page 37: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/37.jpg)
Level 4
-아…뭐지
![Page 38: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/38.jpg)
Level 4
<- 얘가 로그아웃을 안함.
그럼 처음에 로그인 했을때가 언제인지 보자.
![Page 39: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/39.jpg)
Level 4
• 근데.. 로그인한지 1초도 안걸려서 저걸쓸리가 없을것같다..
• 그러면 조금 당겨서.. 2008.06.10 09:12:00을 바꾼 후, 해쉬화 하여 Admin을 해쉬화한 값 뒤에 붙여보자.
21232f297a57a5a743894a0e4a801fc367c90cd08d7a3d88f90e63fe768f5a8c
![Page 40: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/40.jpg)
Level 4
![Page 41: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/41.jpg)
Level 4 Clear!!
Auth = VeRY Good! My Friend!
![Page 42: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/42.jpg)
Level 5
와… 이게 진짜 700% 인젝션 문제다…
![Page 43: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/43.jpg)
Level 5
근데 걍 인젝션도 없이 풀음.
![Page 44: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/44.jpg)
Level 5
??????
![Page 45: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/45.jpg)
Level 5
우선…
이 창은 아파치 웹 인증 창이다.
![Page 46: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/46.jpg)
Level 5
그럼 해당 문제의 사이트는 아파치 웹 인증을 하라고 한다.
아파치 웹 인증을 우회하는 방법을 검색.
![Page 47: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/47.jpg)
Level 5
PDF 내용 3줄 요약.
1. HTTP-Request 헤더엔 Method가 있음.
2. Method는 요청의 종류임.
3. 이 Method를 다른걸로 바꾸면 우회가 됨.
![Page 48: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/48.jpg)
Level 5
• 이걸 바꾸려면 Paros 라는 툴로 바꿔야함.
• Paros는 공식적으론 웹 취약점 분석툴임.
• HTTP 프로토콜로 주고받는 정보들을볼 수도 있고, 또 정보수정도 가능함.
![Page 49: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/49.jpg)
Level 5
• ↓이거를
• ↓이렇게
![Page 50: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/50.jpg)
Level 5
• 이렇게하면… GET으로 받아오는게 아니라Apache 내부에서 알 수 없는 오작동을 일으켜 인증을 패스하게 된다.
• 왜 이런지는 검색해도 잘 안나오는듯..
![Page 51: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/51.jpg)
Level 5 Clear!!
Auth = ISayDDaeYouSayMireoyo!
![Page 52: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/52.jpg)
Level 6
![Page 53: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/53.jpg)
Level 6
…???
![Page 54: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/54.jpg)
Level 6
![Page 55: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/55.jpg)
Level 6
![Page 56: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/56.jpg)
Level 6
?????????????????
![Page 57: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/57.jpg)
Level 6
![Page 58: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/58.jpg)
Level 6
• 아마 내 포인트가 타겟 포인트까지 간다면무언가 또 생기거나.. 풀릴듯.
• 내 포인트는
• 이후에 타겟포인트까지간다…
![Page 59: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/59.jpg)
Level 6
난독화부터 풀어보자.
![Page 60: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/60.jpg)
Level 6
1. 다음과 같이 익숙해 보이는 URL인코딩을풀어준다. 풀어나온 내용을 정리하면.
![Page 61: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/61.jpg)
Level 6
2. dF라는 함수가 난독화를 푸는 루틴을가지는데, 이걸 통해 나온 결과값을 보면
또 앞쪽은 익숙한 URL인코딩이 되어있다. 이걸 풀어서 정리하면
![Page 62: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/62.jpg)
Level 6
3. 음? dF라는 함수가 똑같이 생겼다.
이미 dF라는 함수를 이전에 한번 거친 후
나온 내용이므로 딱히 없어도 된다.
이전함수, 불필요한 내용 등을 정리해보자.
![Page 63: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/63.jpg)
Level 6
4. 그럼 이제 dF의 결과값을 보자.
![Page 64: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/64.jpg)
Level 6
5. HTML 소스가 떴다. 이걸 잘 보면
이런게 있다. 이 단어들의 조합을 알기위해게임을 이겼을 때 발생하는 이벤트를 본다.
->IdontLikeCrazyCow!
http://webgame.wowhacker.com/AnTsGam3/wOwLevel6.php?msg=IdontLikeCrazyCow!
![Page 65: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/65.jpg)
Level 6 Clear!!
Auth = IhateCrazyCow.too!
![Page 66: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/66.jpg)
Level 7
와 진짜 인젝션 문제다 URL부터 다르다
![Page 67: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/67.jpg)
Level 7
가보니까 또 이런게 뜬다 (…)
![Page 68: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/68.jpg)
Level 7
• 우선 Guest/Guest로 로그인 해본다.
• ㅎㅇ….
![Page 69: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/69.jpg)
Level 7
Admin으로 접속을 해보면뭔가 나올 것 같다.
따라서 Paros로 처음부터 까보자.
![Page 70: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/70.jpg)
Level 7
![Page 71: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/71.jpg)
Level 7
• 음? Authorization 이라는 변수가 있다?!
• 근데 값이 이상하지만 뒤에 “=“이 붙으면대부분 Base64이니까 저걸 풀어보면?!
![Page 72: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/72.jpg)
Level 7
• “Z3Vlc3Q6Z3Vlc3Q=“ -> guest:guest
• Admin:admin -> “YWRtaW46YWRtaW4=“
![Page 73: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/73.jpg)
Level 7
![Page 74: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/74.jpg)
Level 7
• GET을 OPTIONS로 바꿔서 시도.
![Page 75: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/75.jpg)
Level 7
• 근데… Admin이 되었는데도 Guest랑 다를바가 없다.
• 아무것도 못함;;
호구 어드민;;
![Page 76: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/76.jpg)
Level 7
• 그러면 로그인할 때 공격을 해보자…
• 메소드를 OPTIONS로 주고, 인젝션 코드를Base64로 인코딩을 한다음 Authorization에 삽입해보자.
• 포맷은 아이디:비밀번호 인것같고, DB가에러를 내게끔 “admin’:”라고 해보면..
![Page 77: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/77.jpg)
Level 7
이 때 해볼만한건
1. Blind SQL injection
2. Union Based SQL Injection
블라인드로 하면… 시간이 너무 많이걸린다.사실 스크립트 짜기 귀찮다.
따라서 Union Based SQL Injection을 해본다.
![Page 78: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/78.jpg)
Level 7
• Union Based SQL Injection
• Union이라는 명령을 통하여 다른 테이블에 있는 값의 정보를 가져올 수 있다.
• 대부분 게시판을 볼 때 URL에 있는페이지넘버 같은 곳에 공격함..
![Page 79: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/79.jpg)
Level 7
Union???
![Page 80: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/80.jpg)
Level 7
두 개 이상의 쿼리결과값을하나로 합쳐 보여주는 것.
![Page 81: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/81.jpg)
Level 7
A =>
B =>
Select * from A Union Select * from B 이면
Name Kwon Azir Azir Kwon
Review Perfect Gooooood
Name Kim Akali Akali Kim
Review Good Not Bad
Name Review
Kim Akali Good
Kwon Azir Perfect
Akali Kim Not Bad
Azir Kwon Gooooood
![Page 82: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/82.jpg)
Level 7
이 Union을 통하여 다른 테이블의 값을가져올 수 있음.
하지만 다른 테이블의 이름을 알아야 함…
![Page 83: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/83.jpg)
Level 7
• Information_schema라는 DB안에는 Tables라는 테이블이 있다.
• 이 테이블 안에 DB 안에 있는 모든 테이블의 이름이나, 속성 등이 존재함.
>
![Page 84: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/84.jpg)
Level 7
회원정보가 있는 테이블의
총 컬럼 개수를 알아내자.
![Page 85: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/85.jpg)
Level 7
• Order By n을 이용하면첫 번째 컬럼, 두 번째 컬럼, 세 번째 ……식으로 정렬이 가능.
• 근데 만일 n번째가 존재하지 않는 컬럼이라면 에러를 뱉을것이고… 그럼 n-1개가존재한다는 정보를 알아낼 수 있다.
![Page 86: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/86.jpg)
Level 7
admin' order by 1 ~ n #:a을 base64로에러가 날 때 까지 시도.
…
7이 되니까 에러가 뜸. 7-1 =6 총 6개의 컬럼.
![Page 87: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/87.jpg)
Level 7
1. Union을 통해서.. Information_schema.tables의table_name에 있는 값들을 알아낼 것.
2. 키값이 있을법한, 혹은 키값이 있을법한 곳에 대한힌트가 존재하는 테이블을 알아낼 것.
3. Union을 통하여 해당 테이블 안에 있는 값들을 볼 것.
![Page 88: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/88.jpg)
Level 7
• 공격코드에 들어가야할 내용은…
1. 우선 하나의 값만 뽑아야 하므로 limit n,1
2. Union, Select
3. Table_name
![Page 89: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/89.jpg)
Level 7
• 그러면… 공격코드를 작성해보면admin’ union select table_name,2,3,4,5,6 from information_schema.tables limit 0,1#
• 1번째 컬럼에는 이름이 나오는데, 여기엔table_name에 있는 값이 나오게 하고싶다.
• 근데 저상태로하면 admin이 나오므로이상한 값으로 바꿔준다.
Azir' union select table_name,2,3,4,5,6 from information_schema.tables limit 0,1 #:a
![Page 90: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/90.jpg)
Level 7
Azir' union select table_name,2,3,4,5,6
└>이상한 값
from information_schema.tables limit 0,1
ㄴ> 테이블 정보가 있는 곳
#:a
ㄴ> 주석과, 비밀번호에 들어갈 값.
ㄴ> 첫번째열은 Table_name두번째열은 2번째열…
ㄴ> 한 개만..
![Page 91: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/91.jpg)
Level 7
• 쭉 이런 식으로 다 훑어보다가..
• 18번째와 19번째가 독특한(?) 이름.
• Limit 17,1 -> keytable
• Limit 18,1 -> user_info
![Page 92: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/92.jpg)
Level 7
이제 흥미를 이끌(?) 테이블을 찾았으니테이블 안에 있는 컬럼명이 뭔지 찾아서
해당 컬럼명과 일치하는 값을 가져오자.
![Page 93: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/93.jpg)
Level 7
• 모든 DB에 있는 컬럼명은 information_schemaDB의 columns라는 테이블 안에 존재한다.
• 그 안의 내용에는 테이블명과컬럼명, 속성 등등..이 존재함.
• 생긴모습>>>>>>>>>>>>>
![Page 94: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/94.jpg)
Level 7
Azir' union select column_name,3,2,4,5,6 from information_schema.columns where tablename='keytable' limit 0,1 #:a
• 대략 이렇게 생김.
• Limit 0,1 -> no
• Limit 1,1 -> value
• 그럼 Value 값을 알아내면 될것같다.
Azir' union select value,3,2,4,5,6 from keytable #:a
![Page 95: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/95.jpg)
Level 7
그냥 키값인가보다… 하고 인증.
성공
![Page 96: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/96.jpg)
Level 7 Clear!!
Auth = if you dream it, you can do it
![Page 97: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/97.jpg)
후기
• Level 1 -> 컵라면이 익기전에 풀었다.
• Level 2 -> 롤 픽창 ~ 게임 직전에 풀음.
• Level 3 -> 슬슬 난이도 올라가는게 보임.
• Level 4 -> 삽질을 약간 한것같다.
• Level 5 -> 사실 이전에 알고있던 취약점;
• Level 6 -> Level 4보다 쉬웠던 것 같다.
• Level 7 -> 인젝션 공부하는데 유익했다.
![Page 98: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/98.jpg)
QnA
![Page 99: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/99.jpg)
감사합니다.
![Page 100: Wow hacker Level7 WriteUp](https://reader034.vdocuments.mx/reader034/viewer/2022042818/55adc2631a28ab11548b473d/html5/thumbnails/100.jpg)
★PPT 100장★