old-06 워게임 문제 풀이
1. 문제 화면으로 들어가 view-source 클릭
2. 코드 분석과 함께 문제 풀이 조건 파악
<?php
// Load the shared challenge configuration.
// view_source() is not defined in this listing; presumably it comes from this include.
include "../../config.php";

// ?view_source=<truthy> asks the page to show its own source.
if ($_GET['view_source']) view_source();

// No 'user' cookie yet: issue the default guest credentials as cookies.
if (!$_COOKIE['user']) {
    $encoded_id = "guest";
    $encoded_pw = "123qwe";

    // Base64-encode both values 20 times. This is an encoding, not encryption:
    // no key is involved, so anyone holding the cookie can reverse it or build their own.
    $round = 0;
    while ($round < 20) {
        $encoded_id = base64_encode($encoded_id);
        $encoded_pw = base64_encode($encoded_pw);
        $round++;
    }

    // Swap the digits 1-8 for symbols. Pairs are applied in order, exactly like
    // eight consecutive single-character str_replace() calls.
    $digits  = ['1', '2', '3', '4', '5', '6', '7', '8'];
    $symbols = ['!', '@', '$', '^', '&', '*', '(', ')'];
    $encoded_id = str_replace($digits, $symbols, $encoded_id);
    $encoded_pw = str_replace($digits, $symbols, $encoded_pw);

    // Store both values client-side for one day (86400 s), scoped to the challenge path.
    // NOTE(review): the cookies carry no signature or MAC, so the server cannot tell
    // a value it issued from one the client wrote itself.
    setcookie("user", $encoded_id, time() + 86400, "/challenge/web-06/");
    setcookie("password", $encoded_pw, time() + 86400, "/challenge/web-06/");

    // Reload immediately so the next request arrives with the cookies set.
    echo "<meta http-equiv=refresh content=0>";
    exit;
}
?>
<html>
<head>
<title>Challenge 6</title>
<style type="text/css">
body { background:black; color:white; font-size:10pt; }
</style>
</head>
<body>
<?php
// Undo the symbol substitution on both cookies: each symbol goes back to its digit.
// Pairs are applied in order, matching eight consecutive str_replace() calls.
$symbols = ['!', '@', '$', '^', '&', '*', '(', ')'];
$digits  = ['1', '2', '3', '4', '5', '6', '7', '8'];
$decode_id = str_replace($symbols, $digits, $_COOKIE['user']);
$decode_pw = str_replace($symbols, $digits, $_COOKIE['password']);

// Strip the 20 layers of base64 that were applied when the cookies were issued.
for ($remaining = 20; $remaining > 0; $remaining--) {
    $decode_id = base64_decode($decode_id);
    $decode_pw = base64_decode($decode_pw);
}

// Link to the source view, then print the decoded credentials.
// NOTE(review): the decoded values come straight from request cookies and are written
// into the HTML without htmlspecialchars(); escape them before output in real code.
echo "<hr><a href=./?view_source=1 style=color:yellow;>view-source</a><br><br>";
echo "ID : $decode_id<br>PW : $decode_pw<hr>";

// The challenge counts as solved when the decoded pair is admin / nimda.
// NOTE(review): this is the design flaw the challenge illustrates. The decision rests
// only on values the client controls. Identity belongs in server-side session state
// or in an integrity-protected (signed) token, and secrets should be compared
// strictly (===, or hash_equals()) rather than with ==.
$is_admin = ($decode_id == "admin" && $decode_pw == "nimda");
if ($is_admin) {
    solve(6);
}
?>
</body>
</html>
++ ID์ ๋น๋ฐ๋ฒํธ๋ฅผ ๊ธฐ์กด ์ฝ๋์ ๋ฐ๋๋ก Encode & Decode ํ์ฌ ์๋์ ๊ฐ์ ๊ตฌํด์ผ ํจ
3. 문제 해결을 위한 Python 스크립트 작성
import base64
# ๋ฌธ์ ์นํ์ ์ญ์ผ๋ก ์ํํ๋ ํจ์ ์ ์
def reverse_replace(s):
    """Replace the digits 1-8 in ``s`` with the symbols ``!@$^&*()``.

    Despite the name, this is the same digit-to-symbol direction the PHP page
    applies before it sets the cookies; it is the reverse of the page's
    decoding step. Characters other than 1-8 are left unchanged.

    Args:
        s: Text to transform (here, a base64 string).

    Returns:
        A new string with each of 1-8 replaced by its paired symbol.
    """
    # Apply the pairs one after another, in the same order as the original
    # chain of replace() calls.
    for digit, symbol in zip("12345678", "!@$^&*()"):
        s = s.replace(digit, symbol)
    return s
# ๊ด๋ฆฌ์ ์์ด๋์ ๋น๋ฐ๋ฒํธ๋ฅผ UTF-8 ์ธ์ฝ๋ฉํ์ฌ ๋ฐ์ดํธ๋ก ๋ณํ
# Values the page compares against after decoding, as bytes for b64encode.
# Note: the name `id` shadows Python's built-in id() for the rest of the script.
id, pw = "admin".encode(), "nimda".encode()

# Mirror the page's encoder: 20 rounds of base64 on each value.
for _ in range(20):
    id, pw = base64.b64encode(id), base64.b64encode(pw)

# Back to text, then the digit-to-symbol substitution the page expects in its cookies.
id, pw = (reverse_replace(value.decode()) for value in (id, pw))

# Print the results. The labels say "Decoded", but these are the encoded cookie values.
print("Decoded ID:", id)
print("\n\n")
print("Decoded Password:", pw)
4. ์์ฑํ Python ์คํฌ๋ฆฝํธ๋ฅผ Google Colab์์ ์คํ
# Decoded ID
: Vm0wd@QyUXlVWGxWV0d^V!YwZDRWMVl$WkRSV0!WbDNXa!JTVjAxV@JETlhhMUpUVmpBeFYySkVUbGhoTVVwVVZtcEJlRll&U@tWVWJHaG9UVlZ$VlZadGNFSmxSbGw!VTJ0V!ZXSkhhRzlVVmxaM!ZsWmFjVkZ0UmxSTmJFcEpWbTEwYTFkSFNrZGpSVGxhVmpOU!IxcFZXbUZrUjA!R!UyMTRVMkpIZHpGV!ZFb$dWakZhV0ZOcmFHaFNlbXhXVm!wT!QwMHhjRlpYYlVaclVqQTFSMWRyV@&kV0!ERkZVbFJHVjFaRmIzZFdha!poVjBaT@NtRkhhRk&sYlhoWFZtMXdUMVF$TUhoalJscFlZbGhTV0ZSV@FFTlNiRnBZWlVaT!ZXSlZXVEpWYkZKRFZqQXhkVlZ!V@xaaGExcFlXa!ZhVDJOc@NFZGhSMnhUVFcxb@IxWXhaREJaVmxsM!RVaG9hbEpzY0ZsWmJGWmhZMnhXY!ZGVVJsTk&WMUo!VmpKNFQxWlhTbFpYVkVwV!lrWktTRlpxUm!GU@JVbDZXa!prYUdFeGNHOVdha0poVkRKT@RGSnJhR@hTYXpWeldXeG9iMWRHV@&STldHUlZUVlpHTTFSVmFHOWhiRXB*WTBac!dtSkdXbWhaTVZwaFpFZFNTRkpyTlZOaVJtOTNWMnhXWVZReFdsaFRiRnBZVmtWd!YxbHJXa$RUUmxweFVtMUdVMkpWYkRaWGExcHJZVWRGZUdOSE9WZGhhMHBvVmtSS!QyUkdTbkpoUjJoVFlYcFdlbGRYZUc&aU!XUkhWMjVTVGxOSGFGQlZiVEUwVmpGU!ZtRkhPVmhTTUhCNVZHeGFjMWR0U@tkWGJXaGFUVzVvV0ZreFdrZFdWa$B*VkdzMVYySkdhM@hXYTFwaFZURlZlRmR!U@s!WFJYQnhWVzB^YjFZeFVsaE9WazVPVFZad@VGVXlkREJXTVZweVkwWndXR0V^Y0ROV@FrWkxWakpPU!dKR!pGZFNWWEJ@Vm!0U!MxUXlUWGxVYTFwb!VqTkNWRmxZY0ZkWFZscFlZMFU!YVUxcmJEUldNalZUVkd^a!NGVnNXbFZXYkhCWVZHdGFWbVZIUmtoUFYyaHBVbGhDTmxkVVFtRmpNV!IwVTJ0a!dHSlhhR0ZVVnpWdlYwWnJlRmRyWkZkV@EzQjZWa@R*TVZZd0!WWmlla!pYWWxoQ!RGUnJXbEpsUm!SellVWlNhVkp!UW&oV!YzaHJWVEZzVjFWc!dsaGlWVnBQVkZaYWQyVkdWWGxrUkVKWFRWWndlVmt$V@&kWFIwVjRZMFJPV@!FeVVrZGFWM@hIWTIxS!IxcEhiRmhTVlhCS!ZtMTBVMU!^VlhoWFdHaFlZbXhhVjFsc!pHOVdSbXhaWTBaa@JHSkhVbGxhVldNMVlWVXhXRlZyYUZkTmFsWlVWa@Q0YTFOR!ZuTlhiRlpYWWtoQ!NWWkdVa@RWTVZwMFVtdG9VRll&YUhCVmJHaERUbXhrVlZGdFJtcE&WMUl$VlRKMGExZEhTbGhoUjBaVlZucFdkbFl$V@&OT@JFcHpXa@R$YVZORlNrbFdNblJyWXpGVmVWTnVTbFJpVlZwWVZGYzFiMWRHWkZkWGJFcHNVbTFTZWxsVldsTmhWa$AxVVd^d!YySllVbGhhUkVaYVpVZEtTVk&zYUdoTk!VcFZWbGN^TkdReVZrZFdiR!JvVW&wc@IxUldXbmRsYkZsNVkwVmtWMDFFUmpGWlZXaExWMnhhV0ZWclpHRldNMmhJV!RJeFMxSXhjRWhpUm!oVFZsaENTMVp0TVRCVk!VMTRWbGhvV0ZkSGFGbFpiWGhoVm!^c@NscEhPV$BTYkhCNFZrY$dOVll^V@&OalJXaFlWa!UxZGxsV!ZYaFhSbFp&WVVaa!RtRnNXbFZXYTJRMFdWWktjMVJ!VG!oU@JGcFlXV$hhUm!ReFduRlJiVVphVm0xU!NWWlhkRz
loTVVwMFlVWlNWVlpXY0dGVVZscGhZekZ$UlZWdGNFNVdNVWwzVmxSS0!HRXhaRWhUYkdob!VqQmFWbFp0ZUhkTk!WcHlWMjFHYWxacmNEQmFSV!F$VmpKS@NsTnJhRmRTTTJob!ZrUktSMVl^VG&WVmJFSlhVbFJXV!ZaR!l*RmlNV!JIWWtaV!VsZEhhRlJVVm!SVFpXeHNWbGRzVG!oU!ZFWjZWVEkxYjFZeFdYcFZiR@hZVm!^d!lWcFZXbXRrVmtwelZtMXNWMUl*YURWV0!XUXdXVmRSZVZaclpGZGliRXB&Vld0V!MySXhiRmxqUldSc!ZteEtlbFp0TURWWFIwcEhZMFpvV@sxSGFFeFdNbmhoVjBaV@NscEhSbGROTW!oSlYxUkplRk!^U!hoalJXUmhVbXMxV0ZZd!ZrdE&iRnAwWTBWa!dsWXdWalJXYkdodlYwWmtTR0ZHV@xwaVdHaG9WbTE0YzJOc!pISmtSM0JUWWtad0&GWlhNVEJOUmxsNFYyNU9hbEpYYUZoV@FrNVRWRVpzVlZGWWFGTldhM0I@VmtkNFlWVXlTa!pYV0hCWFZsWndSMVF^V@tOVmJFSlZUVVF$UFE9PQ==
# Decoded Password
: Vm0wd@QyUXlVWGxWV0d^V!YwZDRWMVl$WkRSV0!WbDNXa!JTVjAxV@JETlhhMUpUVmpBeFYySkVUbGhoTVVwVVZtcEJlRll&U@tWVWJHaG9UVlZ$VlZacVFtRlRNbEpJVm!0a!dHSkdjRTlaVjNSR!pVWmFkR0&GU@!^U@JHdzFWVEowVjFaWFNraGhSemxWVmpOT00xcFZXbUZrUjA!R!drWndWMDFFUlRGV!ZFb$dWakZhV0ZOcmFHaFNlbXhXVm0xNFlVMHhXbk&YYlVaclVqQTFSMWRyV@xOVWJVcEdZMFZ$VjJKVVJYZFdha!pYWkVaT@MxZHNhR@xTTW!oWlYxZDRiMkl&Vm&OVmJGWlRZbFZhY@xWcVFURlNNVlY!VFZSU!ZrMXJjRWxhU0hCSFZqRmFSbUl*WkZkaGExcG9WakJhVDJOdFJraGhSazVzWWxob!dGWnRNSGhPUm!^V!RVaG9XR0pyTlZsWmJGWmhZMVphZEdSSFJrNVNiRm9$V@xWYVQxWlhTbFpqUldSYVRVWmFNMVpxU@t0V!ZrcFpXa!p$VjFKV@NIbFdWRUpoVkRKT@MyTkZhR$BTYXpWWVZXcE9iMkl^V@&STldHUlZUVlpXTkZVeGFHOWhiRXB*WTBac!dtSkdXbWhaTW&oWFkxWkdWVkpzVGs!WFJVcElWbXBLTkZReFdsaFRhMlJxVW0xNGFGVXdhRU&UUmxweFVtMUdVMkpWYkRaWGExcHJZVWRGZUdOSE9WZGhhMHBvVmtSS!QyUkdTbkpoUjJoVFlYcFdlbGRYZUc&aU!XUkhWMjVTVGxOSGFGQlZiVEUwVmpGU!ZtRkhPVmhTTUhCNVZHeGFjMWR0U@tkWGJXaGFUVzVvV0ZreFdrZFdWa$B*VkdzMVYySkdhM@hXYTFwaFZURlZlRmR!U@s!WFJYQnhWVzB^YjFZeFVsaE9WazVPVFZad@VGVXlkREJXTVZweVkwWndXR0V^Y0ROV@FrWkxWakpPU!dKR!pGZFNWWEJ@Vm!0U!MxUXlUWGxVYTFwb!VqTkNWRmxZY0ZkWFZscFlZMFU!YVUxcmJEUldNV@h@V!ZaS!IxTnNaRlZXYkZwNlZHeGFZVmRGTlZaUFZtaFRUVWhDU@xac!pEUmpNV!IwVTJ0b@FGSnNTbGhVVlZwM!ZrWmFjVk&yWkZOaVJrcDZWa@N^YzFVeVNuSlRiVVpYVFc!b!dGbHFTa!psUm!SWldrVTFWMVpzY0ZWWFZsSkhaREZaZUdKSVNsaGhNMUpVVlcxNGQyVkdWbGRoUnpsb!RWWndlbFl&Y0VkV0!ERjFZVWhLV@xaWFVrZGFWM@hIWTIxS!IyRkdhRlJTVlhCS!ZtMTBVMU!^VlhoWFdHaFlZbXhhVjFsc!pHOVdSbXhaWTBaa@JHSkhVbGxhVldNMVlWVXhXRlZyYUZkTmFsWlVWa@Q0YTFOR!ZuTlhiRlpYWWtoQ!NWWkdVa@RWTVZwMFVtdG9VRll&YUhCVmJHaERUbXhrVlZGdFJtcE&WMUl$VlRKMGExZEhTbGhoUjBaVlZucFdkbFl$V@&KbFJtUnlXa!prVjJFelFqWldhMlI@VFZaWmQwMVdXbWxsYTFwWVdXeG9RMVJHVW&KWGJFcHNVbTFTZWxsVldsTmhWa$AxVVd^d!YySllVbGhhUkVaYVpVZEtTVk&zYUdoTk!VcFdWbGN^TkdReVZrZFdXR$hyVWpCYWNGVnRlSGRsYkZsNVpVaGtXRkl$VmpSWk!GSlBWMjFGZVZWclpHRldNMmhJV!RJeFMxSXhjRWhpUm!oVFZsaENTMVp0TVRCVk!VMTRWbGhvV0ZkSGFGbFpiWGhoVm!^c@NscEhPV$BTYkhCNFZrY$dOVll^V@&OalJXaFlWa!UxZGxsV!ZYaFhSbFp&WVVaa!RtRnNXbFZXYTJRMFdWWktjMVJ!VG!oU@JGcFlXV$hhUm!ReFduRlJiVVphVm0xU!NWWlhkRz
loTVVwMFlVWlNWVlpXY0dGVVZscGhZekZ$UlZWdGNFNVdNVWwzVmxSS0!HRXhaRWhUYkdob!VqQmFWbFp0ZUhkTk!WcHlWMjFHYWxacmNEQmFSV!F$VmpKS@NsTnJhRmRTTTJob!ZrUktSMVl^VG&WVmJFSlhVbFJXV!ZaR!l*RmlNV!JIWWtaV!VsZEhhRlJVVm!SVFpXeHNWbGRzVG!oU!ZFWjZWVEkxYjFZeFdYcFZiR@hZVm!^d!lWcFZXbXRrVmtwelZtMXNWMUl*YURWV0!XUXdXVmRSZVZaclpGZGliRXB&Vld0V!MySXhiRmxqUldSc!ZteEtlbFp0TURWWFIwcEhZMFpvV@sxSGFFeFdNbmhoVjBaV@NscEhSbGROTW!oSlYxUkplRk!^U!hoalJXUmhVbXMxV0ZZd!ZrdE&iRnAwWTBWa!dsWXdWalJXYkdodlYwWmtTR0ZHV@xwaVdHaG9WbTE0YzJOc!pISmtSM0JUWWtad0&GWlhNVEJOUmxsNFYyNU9hbEpYYUZoV@FrNVRWRVpzVlZGWWFGTldhM0I@VmtkNFlWVXlTa!pYV0hCWFZsWndSMVF^V@tOVmJFSlZUVVF$UFE9PQ==
5. 다시 문제 화면으로 돌아와 F12 클릭 --> 개발자 도구 Open
6. Application 탭 클릭 후 Cookies 로 이동 --> https://webhacking.kr 클릭
7. user ์ password์ ์ฟ ํค๊ฐ์ ์ผ์ ์ ์ป์ ๊ฐ์ผ๋ก ๋ณ๊ฒฝ
8. 값 변경 후 페이지 새로고침 --> 문제 해결 성공