반응형
반응형
반응형

tmitter

you need login with "admin"s id!

===========================

create table tmitter_user(
idx int auto_increment primary key,
id char(32),
ps char(32)
);

 

 

join.php의 소스를 보면, 하단에 힌트가 있다.

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 
<head>
 <style>
  body {background-color:#eef;}
  table td {text-align:center; background-color:#dde;}
  .ex {text-align:left; color:#99a; font-size:9pt;}
 </style>
 <script>
  function chk(f){
   if(f.id.value.length<4){alert("chk id"); return false;}
   if(f.ps.value.length<7){alert("chk ps"); return false;}
   return true;
  }
 </script>
</head>
<body>
<center>
 <img src="./tmitter.png">
 <form onsubmit="return chk(this);" method="post">
  <table>
   <tr><td>ID</td><td><input type="text" name="id" maxlength="32"></td><td class="ex">at least 4char</td></tr>
   <tr><td>PS</td><td><input type="password" name="ps" maxlength="32"></td><td class="ex">at least 7char</td></tr>
   <tr><td colspan=2><input type="submit" value="join"></td></tr>
  </table>
 </form>
</body>
<!-- hint : you need join with admin -->
 
cs

 

admin으로 회원가입을 해야 한다.

 

그러나 id가 admin인 계정을 생성하려고 하면, admin이라는 계정이 존재한다고 나온다.

 

 

 

php 페이지 상에서 trim(id) 한 값이 db에 있는 id중에 있는지 확인 한 후, db에 들어가는 것 같다.

trim() : 문자열의 앞과 뒤의 공백을 제거

 

 

 

"admin"+""*(32-5)+"dummy"를 id에 입력해주면

 

"admin"+""*(32-5)+"dummy" != "admin" 이기 때문에 존재하지 않는 id가 되며,

 

id char(32) --> id에는 32글자밖에 못들어가므로, "admin"+""*(32-5)+"dummy" 중 32글자가 들어가고, 뒤에 dummy가 잘리게 된다. 뒤에 남은 공백은 trim으로 날라가서 id가 admin으로 가입이 완료된다.

 

 

 

가입 페이지의 id입력란 길이가 32글자로 제한되어 있는데, f12개발자 도구 이용해서 간단히 수정해주면 된다.

 

반응형

'WAR GAME > wargame.kr' 카테고리의 다른 글

Wargame.kr [img recovery] 풀이  (0) 2019.12.31
Wargame.kr [type confusion] 풀이  (0) 2019.12.31
Wargame.kr [fly me to the moon] 풀이  (0) 2019.12.24
Wargame.kr [DB is really GOOD] 풀이  (0) 2019.12.24
Wargame.kr [strcmp] 풀이  (0) 2019.12.24
반응형

System32.kr 

[EZB64] 풀이

 

 

 

코드는 이러하다 :

import flag
flag = flag.EZB64
story='''The usage "crib" was adapted from a slang term referring to cheating (e.g., "I cribbed my answer from your test paper"). A "crib" originally was a literal or interlinear translation of a foreign-language text-usually a Latin or Greek text-that students might be assigned to translate from the original language.
The idea behind a crib is that cryptologists were looking at incomprehensible ciphertext, but if they had a clue about some word or phrase that might be expected to be in the ciphertext, they would have a "wedge," a test to break into it. If their otherwise random attacks on the cipher managed to sometimes produce those words or (preferably) phrases, they would know they might be on the right track. When those words or phrases appeared, they would feed the settings they had used to reveal them back into the whole encrypted message to good effect.
In the case of Enigma, the German High Command was very meticulous about the overall security of the Enigma system and understood the possible problem of cribs. The day-to-day operators, on the other hand, were less careful. The Bletchley Park team would guess some of the plaintext based upon when the message was sent, and by recognizing routine operational messages. For instance, a daily weather report was transmitted by the Germans at the same time every day. Due to the regimented style of military reports, it would contain the word Wetter (German for "weather") at the same location in every message. (Knowing the local weather conditions helped Bletchley Park guess other parts of the plaintext as well.) Other operators, too, would send standard salutations or introductions. An officer stationed in the Qattara Depression consistently reported that he had nothing to report. "Heil Hitler," occurring at the end of a message, is another well-known example.
At Bletchley Park in World War II, strenuous efforts were made to use (and even force the Germans to produce) messages with known plaintext. For example, when cribs were lacking, Bletchley Park would sometimes ask the Royal Air Force to "seed" a particular area in the North Sea with mines (a process that came to be known as gardening, by obvious reference). The Enigma messages that were soon sent out would most likely contain the name of the area or the harbour threatened by the mines.
The Germans themselves could be very accommodating in this regard. Whenever any of the turned German Double cross agents sent a message (written by the British) to their respective handlers, they frequently obligingly re-encrypted the message word for word on Enigma for onward transmission to Berlin.
When a captured German revealed under interrogation that Enigma operators had been instructed to encode numbers by spelling them out, Alan Turing reviewed decrypted messages and determined that the number "eins" ("one") was the most common string in the plaintext. He automated the crib process, creating the Eins Catalogue, which assumed that "eins" was encoded at all positions in the plaintext. The catalogue included every possible position of the various rotors, starting positions, and keysettings of the Enigma.
The Polish Cipher Bureau had likewise exploited "cribs" in the "ANX method" before World War II (the Germans' use of "AN", German for "to", followed by "X" as a spacer to form the text "ANX").
The United States and Britain used one-time tape systems, such as the 5-UCO, for their most sensitive traffic. These devices were immune to known-plaintext attack; however, they were point-to-point links and required massive supplies of one time tapes. Networked cipher machines were considered vulnerable to cribs, and various techniques were used to disguise the beginning and ends of a message, including cutting messages in half and sending the second part first and adding nonsense padding at both ends. The latter practice resulted in the world wonders incident. The KL-7, introduced in the mid-1950s, was the first U.S. cipher machine that was considered safe against known-plaintext attack.
Classical ciphers are typically vulnerable to known-plaintext attack. For example, a Caesar cipher can be solved using a single letter of corresponding plaintext and ciphertext to decrypt entirely. A general monoalphabetic substitution cipher needs several character pairs and some guessing if there are fewer than 26 distinct pairs._______
'''
import base64,random,string
table = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'
rtable = ''.join(random.sample(table,len(table)))
tb=string.maketrans(table,rtable)
orig=base64.b64encode(story+flag)
print(orig.translate(tb))
#Output : CpIMrXCk5u7MrSZoQcMsrsBy5LU45uKIQXKMGSBcQca0rpV4QxiI3cQ47pCw3qBwGuGMQYZt3cQ47p+45xIM5LKt3cQ4EpFgGwd/rSZZrpfwTuZsGul43LP45uJk7xCwrpGw3xe4jua1QsBeGLferXBIQpCwrsPgrVV4rcfwTursrpawTu7t3cn/3XP47xnkrpV43pMeGLZI3SB6QsBt3YKMQcit3cCIQsBeQcngQxiI7pM63sB6GsBIrpG6QcCtGxd03pngGyCIGxF47pCd7S11QyCI3piJrpV4OpneTud43yr4KyZMGu/47pCd7S1eTpnerXfe7uKM3YKkrp1tGxIerpZMrpnkQxMY3cCPrXK6rXKw5uJk3pneGqBcQca0rXKbGqB6QcMYTuJI3SB/5uJY7unYGqdESMKbGqBtGpCIrpZMTpMgGSBIrpfwTur4TLU47pII7SBoQYMz7pa/3x7tQyKkrX7MQcF43pa6TxMgGwBI7SBt3cf63LBwGuIM3Yft5ciMrpftQpIMQYKMjXl/rpZ17SBtGsBeTpCJrpIIGSBIrpf/7uF45uZ67Ll4Qxa0GqBy3yZPrpawrXBbQcnkGqBeTpnerp1tGxIerpZMrpCdQpCo7pCPrXK6rpZMrpMgrXKbGqBoTLBbGLZeGLIehSBeTpCJrX767uiPrpII7cF45q2s7xCPGxF/rsBIrXKMQyl47p+45YZM5u/4TuJe3wBt7Sd4qu547pIMTLr43yKbGLZyTLfMrXZI3cK63qBI7XKI5x0krpagrXKbGqBoTLBbGLr43ung5u7MGSBe3wBk3x1M7pM0GLU4QXZ6GXCoGqBeTpakGqBy3yZPQwB6Qs2bQXZMGcCw5uZ/jqP4QpIw5LfMQwz47pIMjqBy3yC/GSBN3cayrXKbGLP43uMYTXl45cF43xd47pIMrXZtGxIerXKw5ufNhsBLTpCgrXKb3yfMrX76QcKkrpawrXBbQcnkGLU45LBzGunwGul/rXKbGLP47xa13pl4GcCMGSBeTpF4QxCe7pMgGyU47pIMjqBb5ul47LfMGSBe3wBwGLGM5uz47pIM3qBs5ufNrpMg7p+47pIMrX7b3xiMrpCg5yZJQXKMGSB0GLfk5u7MrXK6rp763xl4GuGcGufeh4bEqud47pIMrpfIQxF43x54KuJtGx1IhSBeTpF4KxCw3ungrVItGx44lxa03ungGSBy5LU47cCwjqB0GLKt5yC/3yCkrpns3yCerXKbGqB67cCw5ui/rXfM5yCwTLKJrpacrXKbGqBn3cMY3uV4QyMk7pC0rpngGSB13cKMQYfe3xaPrXKbGqBz3yfkTuZ/GqBzQcas3pC0rpacrpfwTuZkhsBFTpF4GpnJhLK6huKIjqB6QpCw5LK6QYU/rpagrXKbGqB67pIMQsBb5uJPhSByGLZMrpiMQyU45xnwGuG13Sd4CpIMrVZ/GLKoTpiMjqBl5LZNrXKM5ue47xa13pl4GyCMQyU4Qxa0GqB6GsBeTpF4QpiITuJeGLIerpZIQxCPrXCz3xd47xIM3sBeTpF43uCkQxnYGqBy5LU4QxCg7Sz45uJPrpZJrXZM5xaY3cMvTuJYrXZ67LKt3cF43yBMQcneTuag5uz43uCkQxnYGLUgrVG6QsBt3Yfe5uJoGqz45qBP5uM/jqByGuneTpCwrXZMQpaw7SBy5LU47XZI3Yf0TLKeGul45YP47pIMrV7MQc1I3YU45Ll47pIMrXfI3uF47pM0GqBM7cCwjqBP5LPgrVK1GqBe3wBeTpF4QcCYTu1M3YKMGSBk7XM/GqB6GsB0Tuit7pnwjqBwGLB6QYKkhSBt7SBy3yC/GSBo3xJe5uMgrXKbGqBy3yZPrn7M7XKMQs2bKxCw3ungrpG6Qs2s7xCI7pIMQsrtrpnerXKbGqBk5u1Mrpi65xneTuagrpMgrpCxGLZJrp1MQyfIGxFgrSIh3cayTuJYrXKbGqB/3xfI3SByGuneTpCwrpf63cKt7pM63YU4TpC/QpCPrVZ/GLKoTpiMjqBl5LZNrp71GLfkrpaeTpCwrXBIQYKkrpacrXKbGqBz3pnt3YKMjXl45LU47xC/3SdtrVaeTpCwrpazGLZI7pawQwz47pa6hSBy3yC/GSBkGuJPrXfe5uJP5LZPrXfI3XCe5LKt3xJkrpawrpMg7XZ6GXCo7pM63YUgrVngrpacGcMoGLr4QyKI7pM63cCPrpMgrXKbGqBK5LKe5LZIrVKMQXZMQyft3xd45xagQxMk7pCg7piJrXZMQpaw7pCPrXKb5Ll4TpF4TpnPrpJ67pIt3cQ47p+4QcCz3yZehs2sqpCt3SBrTLK/GLr/rsB65xf1QYZt3cQ45Ll47pIMrpCgGSB6GsBIrp1MQyfIGxF/rpMkrpng3yKbGLr47xC/3S1N3cay3sBMjpn0QpiMh4bElLl4lciM7pfb3pCJrnBIQc/4Tud4Cxaw3pl4CxnwrVMZhSBk7XZM3YC67LU4GuGc3yZeQwByGLZMrp1IGpF47p+47LfMrSII3cl4GLGM3sBc3yZoGqBeTpF4KxCw3ungQwBe3wBzQcaP7ufMEqB0GLfk5u7MQwByTLKbrp0g3y7grXB/5uMg7pCd7Sd4KcawrpCd5u1z3pF/rX7bGud45yZt5YU47xCwGqB/5ufNTuJYhSBS3pCe5xI/GLP4FpnwTwBy3yC/GSBk3x1M7pM0GLU45LfNrXKbGqBq3yMI3SBBTLr4Kcaw5xF47p+4rYfMGulsrpV4Qpnw7pMo7uiIQsBIQcCIrpMgrXKbGqBm3yZeTSBOGuV47xMeTSB0TuJMQw2b5qBzQcaoGLfkrXKb5Ll45xn0GqBe3wBsGqBN3cay3sBIQwBY5LZPGuJt3cQ/rpZJrpas7cM67LU4QcCcGLZM3cfMEqd4CpIMrVCgTu705qB0GLfk5u7MQwBeTpnerX7MQcF4Qxa63sBkGuJerpa17SBy3yC/GSB03yferpitTxC/jqBo3xJe5uMgrXKbGqBg5u1MrpacrXKbGqBIQcCIrpawrXKbGqBb5LZs3yCwrXKbQcCI7pCgGul45YP47pIMrp1t3cCkh4bECpIMrV7MQc1I3YU47pIM3LfM3XGMQwBo3yC/GSBsGqBxGLZJrpno5xa03uaP5LKt3cQ4Tud47pItQwBwGu7IQclgrn7bGuJM7cCwrpngjqB6GsBeTpF47XCw3cCPrV7MQc1I3sBV3yCs3pF45yZ6QyU45u7M3YKkrXfM3Yl45qB0GLfk5u7MrSIyQcMe7pCgrpZJrXKbGqBSQcMeTLfbEqBe3wBeTpCtQsBwGLfzGufeTLGMrpII3cK/GLZkhSBeTpCJrpGwGLn1GuJe3XP43xZ/Tu7t3c7/jqBwGq1M3cfwjLBeGul47pIMrp1MQyfIGxF47xawGSBc3yr47xawGSB63sBn3cMY3uV4Gcawrpag7xnwGSBeQcngQx1tQyft3xd47p+4lcCw3pMgh4bECxIM3sBIrpfIQXK1QcCPrV7MQc1I3sBwGLGM5uiMGSB13cKMQsBt3YKMQYZ6GxneTuagrXKb5Ll4KuJtGx1IrpazGLZI7pawQwBb5ul45cCM3sBt3YfeQYCo7pCPrXK6rpCg5xaPGqBg7u1sGLZkrpZJrXfzGui/TuJYrXKbGue43yCehSBB3pngrnK1QcMgGwBwGLGtGL7MGSBPGufwjLBeGul43uCkQxnYGLU45uJPrpKM7pCw3uMgGul47pII7SBeTpF43YC05cCwrSZMTuJkrs2brcagGqrtrX7IQwBeTpF43uak7SBo3x103xd4QyKwTuJYrpMgrXKbGqBz3pnt3YKMjXlgrVIMrpn17pa05LKMGSBeTpF45yZt5sBzQcaoGLfkhSBoQcCI7pMgGwBeTpF4KuMgQwBA5LKI3paY7uF/rX7bTufbrpnkQyC0Gul47pII7S2sGuMgQwr47xnkrpCg5xaPGul45Ll45ui/rXB6QxMeTuagQwBt3sBeTpF4QpiITuJeGLIehsBFTpF45xne5ui6GyCMrpMg5xi1GpCPrpCxGLZJrXB6Qyft5ciMrXB6QxMeTuagrpacrXKbGqBx5LZt3yCkrXZ67pawQwz4QyKIQYKt3cQ4QpakTLKt3xJkhSBI3cl4TxCJQxCe7pMgGyU43x547pIMrVCgTu705qdESMKbGqBl3xitQx44lxMzTpCwrVZ1QcCI7qBb5ul43pMNGL7tQxF4GLIz3pat7pCPrSZoQcMsQwr4Tud47pIMrSZBOM443uCeTpaPrsBsGuG6QcF4Cxaw3pl4CxnwrVMZrSIeTpF4KxCw3ungQwQ47LfMrpacrSZBOsr/rV7MQc1I3sBc3yr4rYK6rsz4Gca/3payGul45YP4rM4srpnkrpV4QyBI5xCwrXK6rpG6Qce47pIMrXKMjXl4rPnmuSrth4bECpIMrnCgTLKMGSBO7pneGLU45uJPrVZwTLKITud47LfMGSB63cF07pM0GqBe5LBMrXfJQyKM3LU/rXf15x445LU47pIMrAF0CFfHhSBc3yr47pIMTLr43uak7SBkGuJkTLKt7cF47XZIGcGt5wd4CpIMQxF4GpCxTufMQwByGLZMrpM03LCgGqBe3wBN3cay3s1z3pnt3YKMjXl45LKe5ufNmwBb3y7M7cCwhSBeTpCJrX7MQcF4Qpat3Yl07p+0Qpat3Yl43pMgTyU45uJPrXZMQLCtQcCPrp1IQyft7cF4QyCzQpitGLU43x543xJMrXKt3uF47pnzGLUgrVJM7X76Qc0MGSBoTLBbGLr43unoTpMgGLU47xCwGqBo3xJkTuKMQcCPrXG13pJMQcns3pF47p+45yZt5YU/rpngGSBx5LZt3yCkrXKM5xIgTLn1GLU47xCwGqB1QxCPrXK6rpKtQx71TLfMrXKbGqBsGu7t3cJt3cQ45uJPrpCgGXU43x545qB0GLfk5u7MhSBt3cf/7uKt3cQ45yCe7pMgGwB0GLfk5u7MQwBt3sBb5uicrpngGSBkGuJPTuJYrXKbGqBkGuf63cl4Qpnw7SBcTLZk7SBI3cl45uKPTuJYrpJ63YfM3YfMrXBIGpKt3cQ45Ll45caeTSBM3cKkhsBFTpF43pne7pCwrXBw5ufeTufMrXZMQyC/7pCPrpMgrXKbGqBy3yZ/GSBy3xJPGLZkrpMg5xMPGuJehsBFTpF4qez0fwz4TuJeQcaP7ufMGSBt3sBeTpF43uMPhOVJfOBkhSBy5LU47pIMrpGtQYfernFgFwd45xMzTpCwrp1I5xIt3cF47pII7SBy5LU45xagQxMPGLZMGSBk5uGMrpnY5uMgQyl4TxJ67xd0QpiITuJeGLIerpne7pnoTwdESPf/5LfkTufI3SBoTLBbGLZkrpnwGqBejLBt5xn/3XP47YC/3cCw5uZ/GqBe3wBN3cay3s1z3pnt3YKMjXl45LKe5ufNhsBp3yr4GLII3LB/Gqz45qBA5uCk5Lr45xMzTpCwrpfI3sBsGqBk3xixGul47Lft3cQ45qBkTuJY3pF43pCe7pCwrpacrpf6QYZMQyB63cKt3cQ4QpiITuJeGLIerpngGSBoTLBbGLZeGLIerXK6rpKM5yZJQXl4GuJeTLZM3XPgrVV4GxCgGLZI3SB03xJ65uizTpnsGLKt5wBk7uZk7pMe7LKt3xd45xMzTpCwrpJMGuKkrXfM7cCw5uz45xIIQcno7pCwrXBITLZkrpngGSBk3x1Mrp71GLfkTuJYrpMcrXKbGLZMrpnwGqBcGL7MQsBeTpngrArxrpKtQyKt3cferXBITLZkhMaWL1aWL1+EKciIGy0eTpMkLxMkLyK631aMjMac3yZWCCat3cMeHye=

 

table = A-Za-z0-9+/

 

stroy에 flag를 붙여서 base64 인코딩을 하고, 랜덤으로 만든 테이블로 치환을 해서 출력을 한다.

 

 

 

만약

table=ABCDE

rtable=qwert

이면, A는 q로, B는 w로 치환하는 것이다.

 

 

 

 

 

flag를 얻기 위해서는 rtable를 구해야 한다.

 

샘플을 충분히 제공하기 때문에, rtable를 쉽게 구할 수 있다.

 

story만을 base64로 인코딩하면 VGhlIHVzYWdlICJjcmliIi....이 나오는데

 

이를 Output과 비교를 하게 되면 V->C, G->p, h->I 이렇게 1:1대응이 된다.

 

 

 

 

 

 

1:1 대응 리스트를 쫙 뽑아서 rtable를 만들고 rtable->table로 Output를 바꿔주어서 base64 디코딩을 하면 flag를 구할 수 있다.

 

 

python2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
story='''The usage "crib" was adapted from a slang term referring to cheating (e.g., "I cribbed my answer from your test paper"). A "crib" originally was a literal or interlinear translation of a foreign-language text-usually a Latin or Greek text-that students might be assigned to translate from the original language.
 
The idea behind a crib is that cryptologists were looking at incomprehensible ciphertext, but if they had a clue about some word or phrase that might be expected to be in the ciphertext, they would have a "wedge," a test to break into it. If their otherwise random attacks on the cipher managed to sometimes produce those words or (preferably) phrases, they would know they might be on the right track. When those words or phrases appeared, they would feed the settings they had used to reveal them back into the whole encrypted message to good effect.
 
In the case of Enigma, the German High Command was very meticulous about the overall security of the Enigma system and understood the possible problem of cribs. The day-to-day operators, on the other hand, were less careful. The Bletchley Park team would guess some of the plaintext based upon when the message was sent, and by recognizing routine operational messages. For instance, a daily weather report was transmitted by the Germans at the same time every day. Due to the regimented style of military reports, it would contain the word Wetter (German for "weather") at the same location in every message. (Knowing the local weather conditions helped Bletchley Park guess other parts of the plaintext as well.) Other operators, too, would send standard salutations or introductions. An officer stationed in the Qattara Depression consistently reported that he had nothing to report. "Heil Hitler," occurring at the end of a message, is another well-known example.
 
At Bletchley Park in World War II, strenuous efforts were made to use (and even force the Germans to produce) messages with known plaintext. For example, when cribs were lacking, Bletchley Park would sometimes ask the Royal Air Force to "seed" a particular area in the North Sea with mines (a process that came to be known as gardening, by obvious reference). The Enigma messages that were soon sent out would most likely contain the name of the area or the harbour threatened by the mines.
 
The Germans themselves could be very accommodating in this regard. Whenever any of the turned German Double cross agents sent a message (written by the British) to their respective handlers, they frequently obligingly re-encrypted the message word for word on Enigma for onward transmission to Berlin.
 
When a captured German revealed under interrogation that Enigma operators had been instructed to encode numbers by spelling them out, Alan Turing reviewed decrypted messages and determined that the number "eins" ("one") was the most common string in the plaintext. He automated the crib process, creating the Eins Catalogue, which assumed that "eins" was encoded at all positions in the plaintext. The catalogue included every possible position of the various rotors, starting positions, and keysettings of the Enigma.
 
The Polish Cipher Bureau had likewise exploited "cribs" in the "ANX method" before World War II (the Germans' use of "AN", German for "to", followed by "X" as a spacer to form the text "ANX").
 
The United States and Britain used one-time tape systems, such as the 5-UCO, for their most sensitive traffic. These devices were immune to known-plaintext attack; however, they were point-to-point links and required massive supplies of one time tapes. Networked cipher machines were considered vulnerable to cribs, and various techniques were used to disguise the beginning and ends of a message, including cutting messages in half and sending the second part first and adding nonsense padding at both ends. The latter practice resulted in the world wonders incident. The KL-7, introduced in the mid-1950s, was the first U.S. cipher machine that was considered safe against known-plaintext attack.
 
Classical ciphers are typically vulnerable to known-plaintext attack. For example, a Caesar cipher can be solved using a single letter of corresponding plaintext and ciphertext to decrypt entirely. A general monoalphabetic substitution cipher needs several character pairs and some guessing if there are fewer than 26 distinct pairs._______
'''
 
tran='''CpIMrXCk5u7MrSZoQcMsrsBy5LU45uKIQXKMGSBcQca0rpV4QxiI3cQ47pCw3qBwGuGMQYZt3cQ47p+45xIM5LKt3cQ4EpFgGwd/rSZZrpfwTuZsGul43LP45uJk7xCwrpGw3xe4jua1QsBeGLferXBIQpCwrsPgrVV4rcfwTursrpawTu7t3cn/3XP47xnkrpV43pMeGLZI3SB6QsBt3YKMQcit3cCIQsBeQcngQxiI7pM63sB6GsBIrpG6QcCtGxd03pngGyCIGxF47pCd7S11QyCI3piJrpV4OpneTud43yr4KyZMGu/47pCd7S1eTpnerXfe7uKM3YKkrp1tGxIerpZMrpnkQxMY3cCPrXK6rXKw5uJk3pneGqBcQca0rXKbGqB6QcMYTuJI3SB/5uJY7unYGqdESMKbGqBtGpCIrpZMTpMgGSBIrpfwTur4TLU47pII7SBoQYMz7pa/3x7tQyKkrX7MQcF43pa6TxMgGwBI7SBt3cf63LBwGuIM3Yft5ciMrpftQpIMQYKMjXl/rpZ17SBtGsBeTpCJrpIIGSBIrpf/7uF45uZ67Ll4Qxa0GqBy3yZPrpawrXBbQcnkGqBeTpnerp1tGxIerpZMrpCdQpCo7pCPrXK6rpZMrpMgrXKbGqBoTLBbGLZeGLIehSBeTpCJrX767uiPrpII7cF45q2s7xCPGxF/rsBIrXKMQyl47p+45YZM5u/4TuJe3wBt7Sd4qu547pIMTLr43yKbGLZyTLfMrXZI3cK63qBI7XKI5x0krpagrXKbGqBoTLBbGLr43ung5u7MGSBe3wBk3x1M7pM0GLU4QXZ6GXCoGqBeTpakGqBy3yZPQwB6Qs2bQXZMGcCw5uZ/jqP4QpIw5LfMQwz47pIMjqBy3yC/GSBN3cayrXKbGLP43uMYTXl45cF43xd47pIMrXZtGxIerXKw5ufNhsBLTpCgrXKb3yfMrX76QcKkrpawrXBbQcnkGLU45LBzGunwGul/rXKbGLP47xa13pl4GcCMGSBeTpF4QxCe7pMgGyU47pIMjqBb5ul47LfMGSBe3wBwGLGM5uz47pIM3qBs5ufNrpMg7p+47pIMrX7b3xiMrpCg5yZJQXKMGSB0GLfk5u7MrXK6rp763xl4GuGcGufeh4bEqud47pIMrpfIQxF43x54KuJtGx1IhSBeTpF4KxCw3ungrVItGx44lxa03ungGSBy5LU47cCwjqB0GLKt5yC/3yCkrpns3yCerXKbGqB67cCw5ui/rXfM5yCwTLKJrpacrXKbGqBn3cMY3uV4QyMk7pC0rpngGSB13cKMQYfe3xaPrXKbGqBz3yfkTuZ/GqBzQcas3pC0rpacrpfwTuZkhsBFTpF4GpnJhLK6huKIjqB6QpCw5LK6QYU/rpagrXKbGqB67pIMQsBb5uJPhSByGLZMrpiMQyU45xnwGuG13Sd4CpIMrVZ/GLKoTpiMjqBl5LZNrXKM5ue47xa13pl4GyCMQyU4Qxa0GqB6GsBeTpF4QpiITuJeGLIerpZIQxCPrXCz3xd47xIM3sBeTpF43uCkQxnYGqBy5LU4QxCg7Sz45uJPrpZJrXZM5xaY3cMvTuJYrXZ67LKt3cF43yBMQcneTuag5uz43uCkQxnYGLUgrVG6QsBt3Yfe5uJoGqz45qBP5uM/jqByGuneTpCwrXZMQpaw7SBy5LU47XZI3Yf0TLKeGul45YP47pIMrV7MQc1I3YU45Ll47pIMrXfI3uF47pM0GqBM7cCwjqBP5LPgrVK1GqBe3wBeTpF4QcCYTu1M3YKMGSBk7XM/GqB6GsB0Tuit7pnwjqBwGLB6QYKkhSBt7SBy3yC/GSBo3xJe5uMgrXKbGqBy3yZPrn7M7XKMQs2bKxCw3ungrpG6Qs2s7xCI7pIMQsrtrpnerXKbGqBk5u1Mrpi65xneTuagrpMgrpCxGLZJrp1MQyfIGxFgrSIh3cayTuJYrXKbGqB/3xfI3SByGuneTpCwrpf63cKt7pM63YU4TpC/QpCPrVZ/GLKoTpiMjqBl5LZNrp71GLfkrpaeTpCwrXBIQYKkrpacrXKbGqBz3pnt3YKMjXl45LU47xC/3SdtrVaeTpCwrpazGLZI7pawQwz47pa6hSBy3yC/GSBkGuJPrXfe5uJP5LZPrXfI3XCe5LKt3xJkrpawrpMg7XZ6GXCo7pM63YUgrVngrpacGcMoGLr4QyKI7pM63cCPrpMgrXKbGqBK5LKe5LZIrVKMQXZMQyft3xd45xagQxMk7pCg7piJrXZMQpaw7pCPrXKb5Ll4TpF4TpnPrpJ67pIt3cQ47p+4QcCz3yZehs2sqpCt3SBrTLK/GLr/rsB65xf1QYZt3cQ45Ll47pIMrpCgGSB6GsBIrp1MQyfIGxF/rpMkrpng3yKbGLr47xC/3S1N3cay3sBMjpn0QpiMh4bElLl4lciM7pfb3pCJrnBIQc/4Tud4Cxaw3pl4CxnwrVMZhSBk7XZM3YC67LU4GuGc3yZeQwByGLZMrp1IGpF47p+47LfMrSII3cl4GLGM3sBc3yZoGqBeTpF4KxCw3ungQwBe3wBzQcaP7ufMEqB0GLfk5u7MQwByTLKbrp0g3y7grXB/5uMg7pCd7Sd4KcawrpCd5u1z3pF/rX7bGud45yZt5YU47xCwGqB/5ufNTuJYhSBS3pCe5xI/GLP4FpnwTwBy3yC/GSBk3x1M7pM0GLU45LfNrXKbGqBq3yMI3SBBTLr4Kcaw5xF47p+4rYfMGulsrpV4Qpnw7pMo7uiIQsBIQcCIrpMgrXKbGqBm3yZeTSBOGuV47xMeTSB0TuJMQw2b5qBzQcaoGLfkrXKb5Ll45xn0GqBe3wBsGqBN3cay3sBIQwBY5LZPGuJt3cQ/rpZJrpas7cM67LU4QcCcGLZM3cfMEqd4CpIMrVCgTu705qB0GLfk5u7MQwBeTpnerX7MQcF4Qxa63sBkGuJerpa17SBy3yC/GSB03yferpitTxC/jqBo3xJe5uMgrXKbGqBg5u1MrpacrXKbGqBIQcCIrpawrXKbGqBb5LZs3yCwrXKbQcCI7pCgGul45YP47pIMrp1t3cCkh4bECpIMrV7MQc1I3YU47pIM3LfM3XGMQwBo3yC/GSBsGqBxGLZJrpno5xa03uaP5LKt3cQ4Tud47pItQwBwGu7IQclgrn7bGuJM7cCwrpngjqB6GsBeTpF47XCw3cCPrV7MQc1I3sBV3yCs3pF45yZ6QyU45u7M3YKkrXfM3Yl45qB0GLfk5u7MrSIyQcMe7pCgrpZJrXKbGqBSQcMeTLfbEqBe3wBeTpCtQsBwGLfzGufeTLGMrpII3cK/GLZkhSBeTpCJrpGwGLn1GuJe3XP43xZ/Tu7t3c7/jqBwGq1M3cfwjLBeGul47pIMrp1MQyfIGxF47xawGSBc3yr47xawGSB63sBn3cMY3uV4Gcawrpag7xnwGSBeQcngQx1tQyft3xd47p+4lcCw3pMgh4bECxIM3sBIrpfIQXK1QcCPrV7MQc1I3sBwGLGM5uiMGSB13cKMQsBt3YKMQYZ6GxneTuagrXKb5Ll4KuJtGx1IrpazGLZI7pawQwBb5ul45cCM3sBt3YfeQYCo7pCPrXK6rpCg5xaPGqBg7u1sGLZkrpZJrXfzGui/TuJYrXKbGue43yCehSBB3pngrnK1QcMgGwBwGLGtGL7MGSBPGufwjLBeGul43uCkQxnYGLU45uJPrpKM7pCw3uMgGul47pII7SBeTpF43YC05cCwrSZMTuJkrs2brcagGqrtrX7IQwBeTpF43uak7SBo3x103xd4QyKwTuJYrpMgrXKbGqBz3pnt3YKMjXlgrVIMrpn17pa05LKMGSBeTpF45yZt5sBzQcaoGLfkhSBoQcCI7pMgGwBeTpF4KuMgQwBA5LKI3paY7uF/rX7bTufbrpnkQyC0Gul47pII7S2sGuMgQwr47xnkrpCg5xaPGul45Ll45ui/rXB6QxMeTuagQwBt3sBeTpF4QpiITuJeGLIehsBFTpF45xne5ui6GyCMrpMg5xi1GpCPrpCxGLZJrXB6Qyft5ciMrXB6QxMeTuagrpacrXKbGqBx5LZt3yCkrXZ67pawQwz4QyKIQYKt3cQ4QpakTLKt3xJkhSBI3cl4TxCJQxCe7pMgGyU43x547pIMrVCgTu705qdESMKbGqBl3xitQx44lxMzTpCwrVZ1QcCI7qBb5ul43pMNGL7tQxF4GLIz3pat7pCPrSZoQcMsQwr4Tud47pIMrSZBOM443uCeTpaPrsBsGuG6QcF4Cxaw3pl4CxnwrVMZrSIeTpF4KxCw3ungQwQ47LfMrpacrSZBOsr/rV7MQc1I3sBc3yr4rYK6rsz4Gca/3payGul45YP4rM4srpnkrpV4QyBI5xCwrXK6rpG6Qce47pIMrXKMjXl4rPnmuSrth4bECpIMrnCgTLKMGSBO7pneGLU45uJPrVZwTLKITud47LfMGSB63cF07pM0GqBe5LBMrXfJQyKM3LU/rXf15x445LU47pIMrAF0CFfHhSBc3yr47pIMTLr43uak7SBkGuJkTLKt7cF47XZIGcGt5wd4CpIMQxF4GpCxTufMQwByGLZMrpM03LCgGqBe3wBN3cay3s1z3pnt3YKMjXl45LKe5ufNmwBb3y7M7cCwhSBeTpCJrX7MQcF4Qpat3Yl07p+0Qpat3Yl43pMgTyU45uJPrXZMQLCtQcCPrp1IQyft7cF4QyCzQpitGLU43x543xJMrXKt3uF47pnzGLUgrVJM7X76Qc0MGSBoTLBbGLr43unoTpMgGLU47xCwGqBo3xJkTuKMQcCPrXG13pJMQcns3pF47p+45yZt5YU/rpngGSBx5LZt3yCkrXKM5xIgTLn1GLU47xCwGqB1QxCPrXK6rpKtQx71TLfMrXKbGqBsGu7t3cJt3cQ45uJPrpCgGXU43x545qB0GLfk5u7MhSBt3cf/7uKt3cQ45yCe7pMgGwB0GLfk5u7MQwBt3sBb5uicrpngGSBkGuJPTuJYrXKbGqBkGuf63cl4Qpnw7SBcTLZk7SBI3cl45uKPTuJYrpJ63YfM3YfMrXBIGpKt3cQ45Ll45caeTSBM3cKkhsBFTpF43pne7pCwrXBw5ufeTufMrXZMQyC/7pCPrpMgrXKbGqBy3yZ/GSBy3xJPGLZkrpMg5xMPGuJehsBFTpF4qez0fwz4TuJeQcaP7ufMGSBt3sBeTpF43uMPhOVJfOBkhSBy5LU47pIMrpGtQYfernFgFwd45xMzTpCwrp1I5xIt3cF47pII7SBy5LU45xagQxMPGLZMGSBk5uGMrpnY5uMgQyl4TxJ67xd0QpiITuJeGLIerpne7pnoTwdESPf/5LfkTufI3SBoTLBbGLZkrpnwGqBejLBt5xn/3XP47YC/3cCw5uZ/GqBe3wBN3cay3s1z3pnt3YKMjXl45LKe5ufNhsBp3yr4GLII3LB/Gqz45qBA5uCk5Lr45xMzTpCwrpfI3sBsGqBk3xixGul47Lft3cQ45qBkTuJY3pF43pCe7pCwrpacrpf6QYZMQyB63cKt3cQ4QpiITuJeGLIerpngGSBoTLBbGLZeGLIerXK6rpKM5yZJQXl4GuJeTLZM3XPgrVV4GxCgGLZI3SB03xJ65uizTpnsGLKt5wBk7uZk7pMe7LKt3xd45xMzTpCwrpJMGuKkrXfM7cCw5uz45xIIQcno7pCwrXBITLZkrpngGSBk3x1Mrp71GLfkTuJYrpMcrXKbGLZMrpnwGqBcGL7MQsBeTpngrArxrpKtQyKt3cferXBITLZkhMaWL1aWL1+EKciIGy0eTpMkLxMkLyK631aMjMac3yZWCCat3cMeHye=
'''
 
import base64, string
table = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'
table_dict = dict.fromkeys(table, '?')
#rtable = ''.join(random.sample(table,len(table)))
orig=base64.b64encode(story)
 
for i in range(0len(orig)-4):
    table_dict[orig[i]] = tran[i]
    #print(orig[i]+";;"+tran[i])
 
tdv = table_dict.values()
rtable=""
for j in range(len(table)):
    rtable += table_dict[table[j]]
print(rtable)
tb=string.maketrans(rtable,table)
btran = tran.translate(tb)
print(base64.b64decode(btran))
 
cs

 

반응형

'WAR GAME > System32.kr' 카테고리의 다른 글

System32.kr [RSA108] 풀이  (0) 2021.01.19
System32.kr [RSA107] 풀이  (0) 2021.01.18
System32.kr [RSA106] 풀이  (0) 2019.05.19
System32.kr [RSA104] 풀이  (0) 2019.05.19
System32.kr [RSA105] 풀이  (0) 2019.05.19
반응형

md5_compare

JUST COMPARE ONLY.

with the other value :D

 

 

 

빠르게 소스를 확인하자

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
<?php
    if (isset($_GET['view-source'])) {
         show_source(__FILE__);
         exit();
    }
 
    if (isset($_GET['v1']) && isset($_GET['v2'])) {
        sleep(3); // anti brute force
 
        $chk = true;
        $v1 = $_GET['v1'];
        $v2 = $_GET['v2'];
 
        if (!ctype_alpha($v1)) {$chk = false;}
        if (!is_numeric($v2) ) {$chk = false;}
        if (md5($v1!= md5($v2)) {$chk = false;}
 
        if ($chk){
            include("../lib.php");
            echo "Congratulations! FLAG is : ".auth_code("md5_compare");
        } else {
            echo "Wrong...";
        }
    }
?>
<br />
<form method="GET">
    VALUE 1 : <input type="text" name="v1" /><br />
    VALUE 2 : <input type="text" name="v2" /><br />
    <input type="submit" value="chk" />
</form>
<br />
<a href="?view-source">view-source</a>
cs

 

 

간단하다 v1은 전부 알파벳으로 이루어져 있어야 하고, v2는 전부 숫자로 이루어져 있어야 한다.

 

그리고 v1의 md5해쉬 값과 v2의 md5 해쉬값이 일치해야 한다.

 

 

 

 

php의 느슨한 비교(==)를 하기 때문에 magic hash를 사용할 수 있다.

 

v | input | md5

v1 | QNKCDZO | 0e830400451993494058024219903391

v2 | 240610708 | 0e46209743190650901956298873685

 

반응형

'WAR GAME > wargame.kr' 카테고리의 다른 글

Wargame.kr [type confusion] 풀이  (0) 2019.12.31
Wargame.kr [tmitter] 풀이  (0) 2019.12.31
Wargame.kr [DB is really GOOD] 풀이  (0) 2019.12.24
Wargame.kr [strcmp] 풀이  (0) 2019.12.24
Wargame.kr [fly me to the moon] 풀이  (0) 2019.12.23
반응형

DB is really GOOD

What kind of this Database?

you have to find correlation between user name and database.

 

 

 

 

user name과 db의 상관관계를 찾아내면 될 것 같다.

 

 

 

첫 화면에서 admin으로 로그인 되지 않는다. 페이지 소스를 보면 

function fschk(f){
    if(f.user_id.value=="admin"){
        alert("dont access with 'admin'");
        return false;
    }
}

admin으로 로그인을 막는 js 코드가 존재한다.

 

 

그러나 해당 코드를 삭제해도 can not access admin.. 라고 admin으로 로그인이 불가능하다.

 

 

 

 

 

다른 닉네임들로 로그인해서 몇 번 만져보면 user name 가 하나의 다른 게시판역할을 하는 것을 알 수 있다.

 

= 다른 사람이 입력을 안했을 것 같은 user name으로 들어가보면 아무것도 없다.

= guest로 들어가서 메모를 남겨놓으면 나중에 guest로 들어가도 남아있다.

 

 

 

그러면 admin인 게시판을 찾아야 하는데 딱히 단서가 보이지 않았다.

 

그래서 메인 화면에서 여러가지 user name을 시도해 보았다.

 

 

 

 

<>?,./을 입력했을 때 오류메세지를 얻을 수 있었고 입력한 값을 경로로 하는 것을 찾을 수 있었다.

 

입력값을 경로로 하기 때문에 오류나는 문자는 . 나 / 일것이고, 결국 / 가 오류가 나는 원인임을 찾을 수 있었다.

 

 

 

 

 

Fatal error: Uncaught exception 'Exception' with message 'Unable to open database: unable to open database file' in /var/www/html/db_is_really_good/sqlite3.php:7 Stack trace: #0 /var/www/html/db_is_really_good/sqlite3.php(7): SQLite3->open('./db/wkrm_/.db') #1 /var/www/html/db_is_really_good/memo.php(14): MyDB->__construct('./db/wkrm_/.db') #2 {main} thrown in /var/www/html/db_is_really_good/sqlite3.php on line 7

 

 

 

./db/wkrm_[입력값].db 을 가져오는 것을 알 수 있다.

 

[입력값] 에 admin을 넣은 경로로 이동하면 해당 db파일을 다운로드 받을 수 있다.

 

 

 

 

 

 

 

 

다운로드 받은 파일을 Hxd로 열면 주소를 하나 더 얻을 수 있다.

 

해당 주소로 이동하면 flag가 나온다.

반응형

'WAR GAME > wargame.kr' 카테고리의 다른 글

Wargame.kr [tmitter] 풀이  (0) 2019.12.31
Wargame.kr [fly me to the moon] 풀이  (0) 2019.12.24
Wargame.kr [strcmp] 풀이  (0) 2019.12.24
Wargame.kr [fly me to the moon] 풀이  (0) 2019.12.23
Wargame.kr [md5 password] 풀이  (0) 2019.08.22
반응형

strcmp

if you can bypass the strcmp function, you get the flag.

 

 

 

password를 입력받는 칸과 소스를 확인할 수 있는 링크가 있다.

 

일단 소스코드를 확인해 보자.

 

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php
    require("../lib.php"); // for auth_code function
 
    $password = sha1(md5(rand().file_get_contents("/var/lib/dummy_file")).rand());
 
    if (isset($_GET['view-source'])) {
        show_source(__FILE__);
        exit();
    }else if(isset($_POST['password'])){
        sleep(1); // do not brute force!
        if (strcmp($_POST['password'], $password== 0) {
            echo "Congratulations! Flag is <b>" . auth_code("strcmp") ."</b>";
            exit();
        } else {
            echo "Wrong password..";
        }
    }
 
?>
<br />
<br />
<form method="POST">
    password : <input type="text" name="password" /> <input type="submit" value="chk">
</form>
<br />
<a href="?view-source">view-source</a>
cs

 

 

$password sha1(md5(rand().file_get_contents("/var/lib/dummy_file")).rand());

 

$password는 랜덤 값의 sha1 해쉬값이다. 따라서 때려맞출 수는 없다.

 

 

 

 

대신 strcmp함수의 취약점을 이용하면 된다.

 

strcmp(String, Array()) 는 NULL을 반환한다.

 

php에서 NULL == 0 은 True가 된다.

 

 

 

 

 

 

따라서 password를 배열로 보내면 flag를 얻을 수 있게 된다.

 

크롬 개발자 도구를 이용해서 password를 password[]로 바꾼 뒤에 아무 값이나 입력해서 보내면, flag를 얻을 수 있다.

반응형

'WAR GAME > wargame.kr' 카테고리의 다른 글

Wargame.kr [fly me to the moon] 풀이  (0) 2019.12.24
Wargame.kr [DB is really GOOD] 풀이  (0) 2019.12.24
Wargame.kr [fly me to the moon] 풀이  (0) 2019.12.23
Wargame.kr [md5 password] 풀이  (0) 2019.08.22
Wargame.kr [WTF_CODE] 풀이  (0) 2019.08.22
반응형

fly me to the moon

 

javascript game.

can you clear with bypass prevent cheating system?

 

 

 

 

게임을 시작하면, 양 옆 초록색 벽에 부딪히지 않도록 움직여야 한다.

 

 

 

 

 

 

벽에 닿아 죽게 되면 31337점을 얻어야 된다고 나온다.

 

 

 

그럼 이제 js 코드를 확인해 보자

 

난독화가 되어 있어서 읽을 수 없다.

 

 

 

 

 

 

위 난독화 정도는 아래 사이트를 이용해서 unPack이 가능하다.

https://www.strictly-software.com/unpack-javascript

 

Javascript Unpacker Tool - Strictly Software

This Javascript unpacker tool has now been upgraded to allow it to unpack multiple eval statements. So if your packed code has itself been packed a few times it will loop through until it finds the original source code. If you want to test this multiple ev

www.strictly-software.com

 

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
var _0x32bb = ["\x6B\x69\x6C\x6C\x50\x6C\x61\x79\x65\x72""\x63\x68\x65\x63\x6B\x4C\x69\x66\x65""\x67\x65\x74\x53\x63\x6F\x72\x65""\x42\x69\x6E\x63\x53\x63\x6F\x72\x65""\x73\x68\x72\x69\x6E\x6B\x54\x75\x6E\x6E\x65\x6C""\x77\x69\x64\x74\x68\x54\x75\x6E\x6E\x65\x6C""\x6F\x62\x6A\x65\x63\x74""\x44\x6F\x20\x63\x68\x65\x61\x74\x69\x6E\x67\x2C\x20\x69\x66\x20\x79\x6F\x75\x20\x63\x61\x6E""\x77\x61\x72\x6E""\x6F\x66\x66\x73\x65\x74\x4C\x65\x66\x74""\x74\x75\x6E\x6E\x65\x6C""\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64""\x74\x6F\x70""""\x70\x78""\x63\x73\x73""\x64\x69\x73\x70\x6C\x61\x79""\x62\x6C\x6F\x63\x6B""\x65\x61\x63\x68""\x69\x6D\x67\x2E\x6C\x65\x66\x74\x5F\x77\x61\x6C\x6C""\x69\x6D\x67\x2E\x72\x69\x67\x68\x74\x5F\x77\x61\x6C\x6C""\x23\x68\x69\x67\x68\x5F\x73\x63\x6F\x72\x65\x73""\x72\x65\x6D\x6F\x76\x65""\x74\x61\x62\x6C\x65""\x6E\x6F\x6E\x65""\x64\x69\x76\x23\x73\x63\x6F\x72\x65\x5F\x74\x61\x62\x6C\x65""\x63\x6C\x69\x63\x6B""\x74\x65\x78\x74""\x73\x70\x61\x6E\x23\x73\x63\x6F\x72\x65""\x6C\x65\x66\x74""\x69\x6D\x67\x23\x73\x68\x69\x70""\x73\x6C\x6F\x77""\x66\x61\x64\x65\x49\x6E""\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x70\x6F\x73\x69\x74\x69\x6F\x6E""\x35\x30\x25\x20""\x64\x69\x76\x23\x74\x75\x6E\x6E\x65\x6C""\x72\x61\x6E\x64\x6F\x6D""\x66\x6C\x6F\x6F\x72""\x75\x70\x64\x61\x74\x65\x54\x75\x6E\x6E\x65\x6C\x28\x29""\x66\x61\x64\x65\x4F\x75\x74""\x50\x4F\x53\x54""\x68\x69\x67\x68\x2D\x73\x63\x6F\x72\x65\x73\x2E\x70\x68\x70""\x74\x6F\x6B\x65\x6E\x3D""\x26\x73\x63\x6F\x72\x65\x3D""\x61\x6A\x61\x78""\x68\x74\x6D\x6C""\x70\x23\x77\x65\x6C\x63\x6F\x6D\x65""\x75\x70\x64\x61\x74\x65\x54\x6F\x6B\x65\x6E\x28\x29""\x74\x68\x78\x2C\x20\x43\x68\x72\x69\x73\x74\x69\x61\x6E\x20\x4D\x6F\x6E\x74\x6F\x79\x61""\x6D\x6F\x75\x73\x65\x6F\x76\x65\x72""\x23\x63\x68\x72\x69\x73\x74\x69\x61\x6E""\x6D\x6F\x75\x73\x65\x6F\x75\x74""\x72\x65\x61\x64\x79""\x43\x68\x72\x69\x73\x74\x69\x61\x6E\x20\x4D\x6F\x6E\x74\x6F\x79\x61""\x70\x61\x67\x65\x58""\x6D\x6F\x75\x73\x65\x6D\x6F\x76\x65""\x74\x6F\x6B\x65\x6E\x2E\x70\x68\x70""\x67\x65\x74"];
function secureGame() {
    var _0x8618x2 = this;
    var _0x8618x3 = true;
    function _0x8618x4() {
        _0x8618x3 = false;
        return true
    };
    function _0x8618x5() {
        return _0x8618x3
    };
    this[_0x32bb[0]] = function () {
        _0x8618x4();
        return true
    };
    this[_0x32bb[1]] = function () {
        return _0x8618x5()
    };
    var _0x8618x6 = 0;
    function _0x8618x7() {
        return _0x8618x6
    };
    function _0x8618x8() {
        if (_0x8618x3) {
            _0x8618x6++
        };
        return true
    };
    this[_0x32bb[2]] = function () {
        return _0x8618x7()
    };
    this[_0x32bb[3]] = function () {
        _0x8618x8();
        return true
    };
    var _0x8618x9 = 320;
    function _0x8618xa() {
        _0x8618x9 -= 20;
        return true
    };
    function _0x8618xb() {
        return _0x8618x9
    };
    this[_0x32bb[4]] = function () {
        _0x8618xa();
        return true
    };
    this[_0x32bb[5]] = function () {
        return _0x8618xb()
    }
};
var bg_val = 0;
var rail_left = 0;
var rail_right = 500;
var ship_x = 234;
var pos_x = 234;
var c_s = 0;
var c_r = 0;
var c_w = 0;
var t_state = 0;
left_wall = new Array(20);
right_wall = new Array(20);
function initTunnel() {
    BTunnelGame = new secureGame();
    if (_0x32bb[6== typeof console) {
        console[_0x32bb[8]](_0x32bb[7])
    };
    rail_left = document[_0x32bb[11]](_0x32bb[10])[_0x32bb[9]];
    rail_right += rail_left;
    y = 0;
    for (y = 0; y < 20; y++) {
        left_wall[y] = 80;
        right_wall[y] = 400
    };
    $(_0x32bb[19])[_0x32bb[18]](function (_0x8618x16) {
        y = _0x8618x16 * 25;
        $(this)[_0x32bb[15]](_0x32bb[12], _0x32bb[13+ y + _0x32bb[14]);
        $(this)[_0x32bb[15]](_0x32bb[16], _0x32bb[17])
    });
    $(_0x32bb[20])[_0x32bb[18]](function (_0x8618x16) {
        y = _0x8618x16 * 25;
        $(this)[_0x32bb[15]](_0x32bb[12], _0x32bb[13+ y + _0x32bb[14]);
        $(this)[_0x32bb[15]](_0x32bb[16], _0x32bb[17])
    });
    $(_0x32bb[25])[_0x32bb[26]](function () {
        $(_0x32bb[23])[_0x32bb[22]](_0x32bb[21]);
        $(_0x32bb[25])[_0x32bb[15]](_0x32bb[16], _0x32bb[24]);
        restartTunnel();
        updateTunnel()
    })
};
function restartTunnel() {
    BTunnelGame = new secureGame();
    if (_0x32bb[6== typeof console) {
        console[_0x32bb[8]](_0x32bb[7])
    };
    ship_x = 234;
    c_s = 0;
    c_r = 0;
    c_w = 0;
    $(_0x32bb[28])[_0x32bb[27]](_0x32bb[13+ 0);
    $(_0x32bb[30])[_0x32bb[15]](_0x32bb[29], ship_x + _0x32bb[14]);
    y = 0;
    for (y = 0; y < 20; y++) {
        left_wall[y] = 80;
        right_wall[y] = 400
    };
    $(_0x32bb[30])[_0x32bb[32]](_0x32bb[31]);
    $(_0x32bb[19])[_0x32bb[18]](function (_0x8618x16) {
        y = _0x8618x16 * 25;
        $(this)[_0x32bb[15]](_0x32bb[12], _0x32bb[13+ y + _0x32bb[14]);
        $(this)[_0x32bb[15]](_0x32bb[16], _0x32bb[17])
    });
    $(_0x32bb[20])[_0x32bb[18]](function (_0x8618x16) {
        y = _0x8618x16 * 25;
        $(this)[_0x32bb[15]](_0x32bb[12], _0x32bb[13+ y + _0x32bb[14]);
        $(this)[_0x32bb[15]](_0x32bb[16], _0x32bb[17])
    })
};
function updateTunnel() {
    bg_val = bg_val + 2;
    if (bg_val > 20) {
        bg_val = 0
    };
    $(_0x32bb[35])[_0x32bb[15]](_0x32bb[33], _0x32bb[34+ bg_val + _0x32bb[14]);
    if (ship_x + 32 < 500) {
        if (ship_x + 46 < pos_x) {
            ship_x += 4
        } else {
            if (ship_x + 16 < pos_x) {
                ship_x += 2
            }
        }
    };
    if (ship_x > 0) {
        if (ship_x - 14 > pos_x) {
            ship_x -= 4
        } else {
            if (ship_x + 16 > pos_x) {
                ship_x -= 2
            }
        }
    };
    $(_0x32bb[30])[_0x32bb[15]](_0x32bb[29], ship_x + _0x32bb[14]);
    c_r++;
    if (c_r > 60) {
        c_r = 0;
        t_state = Math[_0x32bb[37]](Math[_0x32bb[36]]() * 2)
    };
    if (left_wall[0< 10) {
        t_state = 1
    } else {
        if (right_wall[0> 470) {
            t_state = 0
        }
    };
    y = 0;
    for (y = 20; y > 0; y--) {
        left_wall[y] = left_wall[y - 1];
        right_wall[y] = right_wall[y - 1]
    };
    if (t_state == 0) {
        left_wall[0-= 3
    };
    if (t_state == 1) {
        left_wall[0+= 3
    };
    right_wall[0= left_wall[0+ BTunnelGame[_0x32bb[5]]();
    $(_0x32bb[19])[_0x32bb[18]](function (_0x8618x16) {
        $(this)[_0x32bb[15]](_0x32bb[29], _0x32bb[13+ left_wall[_0x8618x16] + _0x32bb[14])
    });
    $(_0x32bb[20])[_0x32bb[18]](function (_0x8618x16) {
        $(this)[_0x32bb[15]](_0x32bb[29], _0x32bb[13+ right_wall[_0x8618x16] + _0x32bb[14])
    });
    if (BTunnelGame[_0x32bb[5]]() >= 120) {
        c_w++;
        if (c_w > 100) {
            c_w = 0;
            BTunnelGame[_0x32bb[4]]();
            left_wall[0+= 10
        }
    };
    c_s++;
    if (c_s > 20) {
        c_s = 0;
        BTunnelGame.BincScore();
        $(_0x32bb[28])[_0x32bb[27]](_0x32bb[13+ BTunnelGame[_0x32bb[2]]())
    };
    if (ship_x <= left_wall[18+ 20 || ship_x + 32 >= right_wall[18]) {
        BTunnelGame[_0x32bb[0]]()
    };
    if (BTunnelGame[_0x32bb[1]]()) {
        setTimeout(_0x32bb[38], 10)
    } else {
        $(_0x32bb[30])[_0x32bb[39]](_0x32bb[31]);
        $(_0x32bb[19])[_0x32bb[15]](_0x32bb[16], _0x32bb[24]);
        $(_0x32bb[20])[_0x32bb[15]](_0x32bb[16], _0x32bb[24]);
        $[_0x32bb[44]]({
            type: _0x32bb[40],
            url: _0x32bb[41],
            data: _0x32bb[42+ token + _0x32bb[43+ BTunnelGame[_0x32bb[2]](),
            success: function (_0x8618x19) {
                showHighScores(_0x8618x19)
            }
        })
    }
};
function scoreUpdate() {
    return
};
function showHighScores(_0x8618x19) {
    $(_0x32bb[25])[_0x32bb[45]](_0x8618x19);
    $(_0x32bb[25])[_0x32bb[15]](_0x32bb[16], _0x32bb[17])
};
$(document)[_0x32bb[52]](function () {
    $(_0x32bb[46])[_0x32bb[15]](_0x32bb[16], _0x32bb[17]);
    updateToken();
    setInterval(_0x32bb[47], 10000);
    $(_0x32bb[46])[_0x32bb[26]](function () {
        $(_0x32bb[46])[_0x32bb[15]](_0x32bb[16], _0x32bb[24]);
        initTunnel();
        updateTunnel()
    });
    $(_0x32bb[50])[_0x32bb[49]](function () {
        $(this)[_0x32bb[45]](_0x32bb[48])
    });
    $(_0x32bb[50])[_0x32bb[51]](function () {
        $(this)[_0x32bb[45]](temp)
    })
});
var temp = _0x32bb[53];
$(document)[_0x32bb[55]](function (_0x8618x1d) {
    pos_x = _0x8618x1d[_0x32bb[54]] - rail_left
});
var token = _0x32bb[13];
function updateToken() {
    $[_0x32bb[57]](_0x32bb[56], function (_0x8618x20) {
        token = _0x8618x20
    })
};
cs

 

 

 

 

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
    if (BTunnelGame[_0x32bb[1]]()) {
        setTimeout(_0x32bb[38], 10)
    } else {
        $(_0x32bb[30])[_0x32bb[39]](_0x32bb[31]);
        $(_0x32bb[19])[_0x32bb[15]](_0x32bb[16], _0x32bb[24]);
        $(_0x32bb[20])[_0x32bb[15]](_0x32bb[16], _0x32bb[24]);
        $[_0x32bb[44]]({
            type: _0x32bb[40],
            url: _0x32bb[41],
            data: _0x32bb[42+ token + _0x32bb[43+ BTunnelGame[_0x32bb[2]](),
            success: function (_0x8618x19) {
                showHighScores(_0x8618x19)
            }
        })
    }
cs

 

점수와 관련된 코드를 찾았다.

 

언팩한 코드를 개발자 도구>콘솔 을 이용해서 재정의 한 뒤, 게임을 한 판 하고 변수의 내용을 확인해 보았다.

 

 

 

 

 

BtunnelGame[_0x32bb[2]]() 함수가 점수를 반환하는 함수임을 알 수 있다.

 

 

 

따라서 해당 함수 대신에 "31337"을 넣어서 js코드 재정의 후

 

게임을 하면, 점수를 전송하는 페이지에 점수가 31337로 들어가게 되고, key를 얻을 수 있게 된다.

 

 

반응형

'WAR GAME > wargame.kr' 카테고리의 다른 글

Wargame.kr [DB is really GOOD] 풀이  (0) 2019.12.24
Wargame.kr [strcmp] 풀이  (0) 2019.12.24
Wargame.kr [md5 password] 풀이  (0) 2019.08.22
Wargame.kr [WTF_CODE] 풀이  (0) 2019.08.22
Wargame.kr [login filtering] 풀이  (0) 2019.08.22
반응형

alien

 

 

쿼리가 2개다.

 

query : select id from prob_alien where no=


 


query2 : select id from prob_alien where no=''

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
 
<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/admin|and|or|if|coalesce|case|_|\.|prob|time/i'$_GET['no'])) exit("No Hack ~_~");
  $query = "select id from prob_alien where no={$_GET[no]}";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $query2 = "select id from prob_alien where no='{$_GET[no]}'";
  echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
  if($_GET['no']){
    $r = mysqli_fetch_array(mysqli_query($db,$query));
    if($r['id'!== "admin"exit("sandbox1");
    $r = mysqli_fetch_array(mysqli_query($db,$query));
    if($r['id'=== "admin"exit("sandbox2");
    $r = mysqli_fetch_array(mysqli_query($db,$query2));
    if($r['id'=== "admin"exit("sandbox");
    $r = mysqli_fetch_array(mysqli_query($db,$query2));
    if($r['id'=== "admin") solve("alien");
  }
  highlight_file(__FILE__);
?>
cs

 

음?

 

query와 query2의 차이는 no= 다음에 ''가 있냐 없냐의 차이

 

query를 실행해서 나온 id가 admin이 아니면 죽고, admin이어도 죽는다.

query2를 실행해서 나온 id가 admin이면 죽고, admin이면 문제가 풀린다.

 

 

.................................? 뭘까?

 

50%확률로 admin을 return하면 되는 것일까..

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

query와 query2를 모두 동일한 명령으로 만드는 법:

 

 

?no=1 union select 1#' union select '1

 

 

query : select id from prob_alien where no=1 union select 1#' union select '1

query2 : select id from prob_alien where no='1 union select 1#' union select '1'

 

query에서는 #앞에가 실행되고, 뒤는 주석처리

query2에서는 #이 ''안의 문자열로 취급, 뒤 실행

 

 

 

 

?no=1%20union%20select%20concat(lower(hex(10%2b(!sleep(1)%26%26now()%2=1))),%200x646d696e)%23%27%20union%20select%20concat(lower(hex(9%2b(!sleep(1)%26%26now()%2=1))),%200x646d696e)%23%20

현재 시간에 따라 0이 될 수도 있고 1이 될 수도 있고 이를 이용

시간으로 admin을 내보낼지 bdmin을 내보낼지를 정함.

sleep(1)을 사용하여 처음에 admin이 되면 다음은 무조건 bdmin이 되도록.

 

 

 

ALIEN Clear!

 

 

문제들이 너무 어렵다. 풀이 참고하면서 이런 기법들도 있구나 하고 알아가는 정도로 넘어가야 겠다..ㅠㅠ

처음 내가 생각했던 방향과 얼마나 일치하는지도 보고,,,

반응형
반응형

zombie

 

 

음 이전 문제랑 뭐가 달라졌을까..

1
2
3
4
5
6
7
8
9
10
11
12
<?php
  include "./config.php";
  login_chk();
  $db = dbconnect("zombie");
  if(preg_match('/rollup|join|ace|@/i'$_GET['pw'])) exit("No Hack ~_~");
  $query = "select pw from prob_zombie where pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['pw']) echo "<h2>Pw : {$result[pw]}</h2>";
  if(($result['pw']) && ($result['pw'=== $_GET['pw'])) solve("zombie");
  highlight_file(__FILE__);
?>
cs

 

 

필터링 부분을 보면 ace를 필터링한다. 이는 replace을 필터링 하겠다는 것이다.

그래서 이전 문제에서 사용했던 페이로드를 사용할 수 없다..

 

+ 여전히 테이블은 텅텅 비어있다.

 

 

 

information_schema DB에 processlist 라는 테이블이 존재하는데, 해당 테이블의 INFO 칼럼에 이전에 실행했던 쿼리문이 저장되어있다고 한다.

 

 

 

' union select substr(info, 38, 72) from information_schema.processlist%23

 

 

ZOMBIE Clear!

 

 

 

반응형
반응형

ouroboros

 

우로보로스

 

 

 

와 소스코드가 짧아졌다!

1
2
3
4
5
6
7
8
9
10
11
12
<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|rollup|join|@/i'$_GET['pw'])) exit("No Hack ~_~");
  $query = "select pw from prob_ouroboros where pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['pw']) echo "<h2>Pw : {$result[pw]}</h2>";
  if(($result['pw']) && ($result['pw'=== $_GET['pw'])) solve("ouroboros");
  highlight_file(__FILE__);
?>
cs

 

 

query : select pw from prob_ouroboros where pw='1' or pw like '%'

query : select pw from prob_ouroboros where pw='1' or 1=1#'

 

흠.. 테이블에 아무것도 없는 것 같다.

 

테이블에 직접 데이터를 넣어줘야 할 것 같다. (개꿀문제가 아니었어 ㅠㅠ)

 

 

 

 

 

 

예전에도 테이블이 텅텅빈 문제가 있었던 것 같은데.. 찾아봐야 겠다.

 

https://mandu-mandu.tistory.com/333

 

LORD OF SQL INJECTION [green_dragon] 풀이

green_dragon 녹색 용용이 소스를 보자. 쿼리를 두 번 실행한다. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

mandu-mandu.tistory.com

 

uinon을 사용하자!

 

 

 

query : select pw from prob_ouroboros where pw='1' union select 1#'


 

Pw : 1

 

 

 if(($result['pw']) && ($result['pw'] === $_GET['pw'])) solve("ouroboros");

근데 1' union slect 1%23 과 1을 어떻게 같게 하지..

 

 

 

 

 

Quine 이라는 것이 있다!

 

Quine Sql Injection

https://blog.rwx.kr/quine-sql-injection/

 

Quine SQL Injection - White Security

Quine SQL 이란 Quine 은 소스코드를 그대로 출력으로 반환하는 프로그램을 의미하는데위의 파이썬 소스코드를 참고하면 어떤 의미인지 쉽게 이해할 수 있을 것이다.이는 대부분의 언어로 작성되어 위키백과에 등재되어 있다. Quine SQL Query 마찬가지로 SQL 언어를 사용해 작성한 Quine 쿼리도 존재하는데, 위가 그 예이다. 여기서 필요없는 부분을 잘라내면 위와 같다. 이런 특성을 이용하여 SQL 인젝션에 응용할 수 있는데사용자 입력과 쿼리

blog.rwx.kr

 

 

?pw=1%27%20union%20SELECT%20REPLACE(REPLACE(%271"%20union%20SELECT%20REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$")%20AS%20Quine%23%27,CHAR(34),CHAR(39)),CHAR(36),%271"%20union%20SELECT%20REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$")%20AS%20Quine%23%27)%20AS%20Quine%23

 

 

 

OUROBOROS Clear!

 

 

 

https://www.shysecurity.com/post/20140705-SQLi-Quine

코게 문제에도 나왔었다고 한다.

 

반응형
반응형

https://wargame.infodsm.tech/

 

INFO WARGAME

Welcome to INFO WARGAME! Follow us on social media:  

wargame.infodsm.tech

 

Reversing

 

Very_Simple_Rev

150

 

아이다로 까서 문자열 보면 나온다.

반응형

+ Recent posts