
โœ’๏ธ Web Hacking/Dreamhack41

[Dreamhack] Simple SQLI ChatGPT: Dreamhack wargame walkthrough 🐈‍⬛ Simple SQLI ChatGPT Dreamhack wargame walkthrough 1. Read the challenge description, then download the challenge file. 2. Open the downloaded app.py and analyze the code: #!/usr/bin/python3 from flask import Flask, request, render_template, g import sqlite3 import os import binascii app = Flask(__name__) app.secret_key = os.urandom(32) try: FLAG = open('./flag.txt', 'r').read() except: FLAG = '[**FLAG**]' DATABASE = "database.db" if os.path.exists(DATABASE) == False: .. 2023. 8. 11.
[Dreamhack] XSS Filtering Bypass: Dreamhack wargame walkthrough ⚔️ XSS Filtering Bypass Dreamhack wargame walkthrough 1. Read the challenge description, then download the challenge file. 2. Open the downloaded app.py and analyze the code: #!/usr/bin/python3 from flask import Flask, request, render_template from selenium import webdriver import urllib import os A) Required library imports (library and what it provides): Flask, web framework; Request, HTTP request handling; Render_template, HTML template rendering; Selenium, web browser automation tool; Urllib, URL encoding; OS, interaction with the operating system. app = Flask(__name__.. 2023. 8. 10.
[Dreamhack] sql injection bypass WAF: Dreamhack wargame walkthrough # sql injection bypass WAF Dreamhack wargame walkthrough 1. Check the challenge, then download the challenge file. 2. Open the challenge file and review the code. + > : a value is taken from the user through the uid parameter. + > : the user input is passed as an argument to the check_WAF function, which checks whether the input contains specific keywords. : after the keyword check, the input is inserted into the query --> SQL Injection vulnerability. + > : the user table exists in the users database --> the table has the idx, upw and uid columns. + > : accounts such as admin, guest, test and dream exist. 3. Check the access link and connect to the link provided. 4. Enter hello in the user input field and submit.. 2022. 11. 24.
[Dreamhack] error based sql injection: Dreamhack wargame walkthrough # error based sql injection Dreamhack wargame walkthrough 1. Check the challenge, then download the challenge file. 2. Open the challenge file and review the code. + > : the passwords of admin, guest and test are Flag, guest and test respectively. 3. Check the access link and connect to the link provided. 4. Enter cat in the blank field and click the submit button. + Confirm that the user input goes straight into the WHERE clause. 5. Enter admin 1' in the input field and click the submit button. + The web page's response confirms that the site is vulnerable to SQL Injection. 6. Write and run the query for the SQL Injection attack. 7. Write the query that prints the remaining part of the Flag. 8. Joining the Flag fragments gives the answer.. 2022. 11. 22.
[Dreamhack] Blind SQL Injection Advanced: Dreamhack wargame walkthrough 7 - 1 - 1. Blind SQL Injection Advanced Dreamhack wargame walkthrough # Blind SQL Injection Advanced Dreamhack wargame walkthrough 1. Check the challenge, then download the challenge file. 2. Open the challenge file and analyze the code. + > : code that creates the user_db database with the utf-8 character set. + > : creates the users table with the upw and uid columns --> the passwords of the guest, admin and test accounts are guest, Flag and test respectively. + > : the web server is implemented with flask and mysql. + > : the number of rows is limited to 1, and the result is printed when the condition is satisfied. + > : using the GET method, the uid parameter on the / path takes the user.. 2022. 11. 17.
[Dreamhack] funjs: Dreamhack wargame walkthrough 7 - 0 - 2. funjs Dreamhack wargame walkthrough # funjs Dreamhack wargame walkthrough 1. Check the challenge information, then download the challenge file. 2. Open the index.html page and enter hello in the input field. + Confirm that the form above is displayed at changing positions within the blank page. + Entering a wrong value prints 'NOP!'. 3. Open the developer tools with the F12 shortcut and analyze the code. + > : if the value of _0x374fd6(0x17c) (=length) is not 0x24 (36 in decimal) --> the function returns. + > : the for loop iterates from 0 to the total length of the Flag -1. + > : when 'the index value of the input string = the operator value', 'NOP!' (=_0x374fd6(0x185)) .. 2022. 11. 15.