๋ณธ๋ฌธ ๋ฐ”๋กœ๊ฐ€๊ธฐ
๋ฐ˜์‘ํ˜•

[Dreamhack]WebHacking32

[Dreamhack] Level2: Dream Gallery ๐Ÿ›Ž๏ธ Access ๋“œ๋ฆผ์ด๋Š” ๊ฐค๋Ÿฌ๋ฆฌ ์‚ฌ์ดํŠธ๋ฅผ ๊ตฌ์ถ•ํ–ˆ์Šต๋‹ˆ๋‹ค. ๊ทธ๋Ÿฐ๋ฐ ์™ธ๋ถ€๋กœ ์š”์ฒญํ•˜๋Š” ๊ธฐ๋Šฅ์ด ์•ˆ์ „ํ•œ ๊ฑด์ง€ ๋ชจ๋ฅด๊ฒ ๋‹ค๊ณ  ํ•˜๋„ค์š”... ๊ฐค๋Ÿฌ๋ฆฌ ์‚ฌ์ดํŠธ์—์„œ ์ทจ์•ฝ์ ์„ ์ฐพ๊ณ  flag๋ฅผ ํš๋“ํ•˜์„ธ์š”! flag๋Š” /flag.txt์— ์žˆ์Šต๋‹ˆ๋‹ค. ๐Ÿ‘พ Exploit Algorithm & Payload > app.py ๋”๋ณด๊ธฐ from flask import Flask, request, render_template, url_for, redirect from urllib.request import urlopen import base64, os app = Flask(__name__) app.secret_key = os.urandom(32) mini_database = [] @app.route('/') def index(): return r.. 2024. 2. 3.
[Dreamhack] Level2: filestorage ๐Ÿ›Ž๏ธ Access ํŒŒ์ผ์„ ๊ด€๋ฆฌํ•  ์ˆ˜ ์žˆ๋Š” ๊ตฌํ˜„์ด ๋œ ๋œ ํ™ˆํŽ˜์ด์ง€์ž…๋‹ˆ๋‹ค. ๐Ÿ‘พ Exploit Algorithm & Payload > app.js ๋”๋ณด๊ธฐ const express=require('express'); const bodyParser=require('body-parser'); const ejs=require('ejs'); const hash=require('crypto-js/sha256'); const fs = require('fs'); const app=express(); var file={}; var read={}; function isObject(obj) { return obj !== null && typeof obj === 'object'; } function setValue(obj, key.. 2024. 2. 2.
[Dreamhack] Level1: Type c-j ๐Ÿ›Ž๏ธ Access php๋กœ ์ž‘์„ฑ๋œ ํŽ˜์ด์ง€์ž…๋‹ˆ๋‹ค. ์•Œ๋งž์€ Id๊ณผ Password๋ฅผ ์ž…๋ ฅํ•˜์—ฌ ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ์˜ ํ˜•์‹์€ DH{…} ์ž…๋‹ˆ๋‹ค. ๐Ÿ‘พ Exploit Algorithm & Payload > index.php ๋”๋ณด๊ธฐ Type c-j index page Enter the correct ID & Password. > check.php ๋”๋ณด๊ธฐ Type c-j Index page #1 : '/' ํŽ˜์ด์ง€์—์„œ id์™€ password๋ฅผ ์ž…๋ ฅ ํ›„ ์ œ์ถœํ•˜๋ฉด ๊ฐ’์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์„ ๊ฒƒ์œผ๋กœ ์˜ˆ์ƒ๋œ๋‹ค. : ๊ทธ๋Ÿฌ๋‚˜ ์–ด๋–ค ๊ฐ’์„ ์ž…๋ ฅํ•˜์—ฌ๋„ "Try again."์ด๋ผ๋Š” ๊ฒฐ๊ณผ๊ฐ€ ์ถœ๋ ฅ๋˜์–ด์„œ ์ฝ”๋“œ๋ฅผ ๋ถ„์„ํ–ˆ๋‹ค. #2 ... $id = getRandStr(); $pw = sha1("1"); ... : id๋Š” getRandStr().. 2024. 2. 2.
[Dreamhack] Level1: baby-union ๐Ÿ›Ž๏ธ Access ๋กœ๊ทธ์ธ ์‹œ ๊ณ„์ •์˜ ์ •๋ณด๊ฐ€ ์ถœ๋ ฅ๋˜๋Š” ์›น ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. SQL INJECTION ์ทจ์•ฝ์ ์„ ํ†ตํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ๋ฌธ์ œ์—์„œ ์ฃผ์–ด์ง„ init.sql ํŒŒ์ผ์˜ ํ…Œ์ด๋ธ”๋ช…๊ณผ ์ปฌ๋Ÿผ๋ช…์€ ์‹ค์ œ ์ด๋ฆ„๊ณผ ๋‹ค๋ฆ…๋‹ˆ๋‹ค. _ ํ”Œ๋ž˜๊ทธ ํ˜•์‹์€ DH{...} ์ž…๋‹ˆ๋‹ค ๐Ÿ‘พ Exploit Algorithm & Payload > app.py ๋”๋ณด๊ธฐ import os from flask import Flask, request, render_template from flask_mysqldb import MySQL app = Flask(__name__) app.config['MYSQL_HOST'] = os.environ.get('MYSQL_HOST', 'localhost') app.config['MYSQL_USER'] = os.e.. 2024. 2. 2.
๋ฐ˜์‘ํ˜•