
๋ฐ˜์‘ํ˜•

๐Ÿด‍โ˜ ๏ธ CTF ๐Ÿด‍โ˜ ๏ธ/โœˆ๏ธ ์›น โœˆ๏ธ

(6)
[Dream Hack - Web] sql injection bypass WAF. Problem analysis: two major differences from the error based sql injection problem stood out. If the input contains a string in keywords, the SQL statement is not executed. keywords = ['union', 'select', 'from', 'and', 'or', 'admin', ' ', '*', '/'] def check_WAF(data): for keyword in keywords: if keyword in data: return True return False Error messages are no longer printed. uid = request.args.get('uid') if uid: if check_WAF(uid): return 'your r..
[Dream Hack - Web] error based sql injection. Error Based SQL Injection is an attack technique in which the attacker uses error messages produced by the web application to obtain the structure of the database or its internal information. The attacker exploits a weakness in the SQL query to provoke an error, then analyses that error to extract information. EXTRACTVALUE( {XML-format value}, {XPath expression} ) is used to extract a value from an XML document based on a specific XPath expression. - BOOK_XML: 어린 왕자 (The Little Prince), 앙투안 드 생텍쥐페리, 9,800 - Example query: SELECT EXTRACTVALUE(BOOK_XML, '/STORE/BOOK/TITLE') FROM BOOK_LIST; - Result: 어린왕자. Solution: finding the flag length ' or extractvalue(1, c..
[Dream Hack - Web] csrf-2. Problem analysis: the / page. @app.route("/")def index(): session_id = request.cookies.get('sessionid', None) try: username = session_storage[session_id] except KeyError: return render_template('index.html', text='please login') return render_template('index.html', text=f'Hello {username}, {"flag is " + FLAG if username == "admin" else "you are not an admin"}') It reads the session id from the cookie and, depending on that value, ..
[Dream Hack - Web] csrf-1. What is CSRF? CSRF stands for Cross Site Request Forgery. CSRF is an attack in which requests for actions the attacker intends (modifying, deleting, or registering data, etc.) are sent to a particular website regardless of the user's own will. For example, the victim can be made to change their e-mail address, change their password, or transfer funds. Depending on the circumstances, the attacker may also gain complete control over the user's account. On login, the server stores the authenticated user's information in a session and creates a matching session ID. So that the client (browser) can use the stored session information, the server delivers the session ID in a Set-Cookie header..
[Dream Hack - Web] xss-2. Problem analysis: the /vuln page. Unlike in xss-1, the script code does not run. Looking at the /vuln router, it renders the vuln.html page. @app.route("/vuln")def vuln(): return render_template("vuln.html"){% block content %} {% endblock %} Looking at the code: location.search ⇒ returns the query-string part of the URL. For example, for http://example.com?page=1&param=test, location.search is ?page=1&param=test. new URLSearchParams(location.search) turns this query string into a URLSearchParams object..
[Dream Hack - Web] xss-1. Problem analysis: the /vuln page. The /vuln router renders the parameter value into the HTML as-is, so it has an XSS vulnerability. @app.route("/vuln")def vuln(): param = request.args.get("param", "") return param So when http://127.0.0.1:8000?param= is passed, the code can be seen executing as shown below. The /memo page: the memo value passed as a parameter keeps being appended. @app.route("/memo")def memo(): global memo_text text = request.args.get("memo", "") memo_text += text + "..

๋ฐ˜์‘ํ˜•