
[WebHacking.kr] Challenge 01

by STUDY SOOHYUN 2022. 9. 5.
Checking the challenge

When you open the challenge, all you see is a black screen. Let's click view-source.

 

<?php
  include "../../config.php";
  if($_GET['view-source'] == 1){ view_source(); }
  if(!$_COOKIE['user_lv']){
    SetCookie("user_lv","1",time()+86400*30,"/challenge/web-01/");
    echo("<meta http-equiv=refresh content=0>");
  }
?>
<html>
<head>
<title>Challenge 1</title>
</head>
<body bgcolor=black>
<center>
<br><br><br><br><br>
<font color=white>
---------------------<br>
<?php
  if(!is_numeric($_COOKIE['user_lv'])) $_COOKIE['user_lv']=1;
  if($_COOKIE['user_lv']>=4) $_COOKIE['user_lv']=1;
  if($_COOKIE['user_lv']>3) solve(1);
  echo "<br>level : {$_COOKIE['user_lv']}";
?>
<br>
<a href=./?view-source=1>view-source</a>
</body>
</html>

 

๋‹ค์Œ๊ณผ ๊ฐ™์€ ์ฝ”๋“œ๋ฅผ ๋ณผ ์ˆ˜ ์žˆ์—ˆ์–ด์š”. ์ด ์ฝ”๋“œ๋ฅผ ํ•ด์„ํ•˜๋ฉด ๋ฌธ์ œ๋ฅผ ํ•ด๊ฒฐํ•  ์ˆ˜ ์žˆ์„ ๊ฒƒ ๊ฐ™์•„์š”.

 

๋ฌธ์ œ ํ•ด๊ฒฐํ•˜๊ธฐ

 

์ €๋Š” HTML๋ฅผ ์ž˜ ๋ชจ๋ฅด์ง€๋งŒ, ๋‘ ๋ฒˆ์งธ PHP์ฝ”๋“œ๊ฐ€ ์ค‘์š”ํ•˜๋‹ค๋Š” ๊ฒƒ์„ ์ง๊ฐ์ ์œผ๋กœ ์•Œ์•˜์–ด์š”.

 

<?php
  if(!is_numeric($_COOKIE['user_lv'])) $_COOKIE['user_lv']=1;
  if($_COOKIE['user_lv']>=4) $_COOKIE['user_lv']=1;
  if($_COOKIE['user_lv']>3) solve(1);
  echo "<br>level : {$_COOKIE['user_lv']}";
?>

 

Looking at this code, the COOKIE that keeps appearing caught my eye. This is probably a challenge you solve by tampering with the cookie value. From there I thought about it for a while, then searched and solved it.

[ I solved it by referring to a write-up of the older version of this challenge. It is slightly different from the current webhacking.kr challenge. ]

Let's interpret the if statements in the code above.

 

if(!is_numeric($_COOKIE['user_lv'])) $_COOKIE['user_lv']=1;
// If the user_lv cookie is not numeric, reset user_lv to 1.

if($_COOKIE['user_lv']>=4) $_COOKIE['user_lv']=1;
// If user_lv is 4 or greater, reset user_lv to 1.

if($_COOKIE['user_lv']>3) solve(1);
// If user_lv is greater than 3, solve(1) is called and the challenge is cleared.

 

Combining the conditions above, user_lv has to satisfy 3 < user_lv < 4. Now let's modify the cookie value.
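As an added example (not from the original post and not webhacking.kr's own code), the following Python models the challenge's three if statements so you can see which cookie values survive the two resets, and then shows the minimal server-side fix: a level that is only trusted when it carries a valid HMAC, so an edited cookie is detected and falls back to level 1. `php_is_numeric` is an approximation of PHP's `is_numeric()`, and `DEMO_KEY` is a constructed demo secret; both names are assumptions for this example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple

# Approximation of PHP's is_numeric(): optional whitespace, optional sign,
# integer or decimal digits, optional exponent. Hex strings are rejected,
# matching PHP 7+.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric(value: str) -> bool:
    return _NUMERIC.match(value) is not None


def challenge_check(user_lv: Optional[str]) -> Tuple[float, bool]:
    """Model of the challenge's three if statements.

    Returns (level the page would print, whether solve(1) would run).
    The cookie is fully client-controlled, so whatever the client sends
    that survives the two reset checks reaches the solve() branch.
    """
    if user_lv is None or not php_is_numeric(user_lv):
        level = 1.0                # non-numeric -> reset to 1
    else:
        level = float(user_lv)     # PHP compares numeric strings as numbers
    if level >= 4:
        level = 1.0                # 4 or above -> reset to 1
    return level, level > 3        # strictly above 3 -> solve(1)


# --- Hardened variant: the server vouches for the level with an HMAC --------
# DEMO_KEY is a constructed, per-process demo secret; a real deployment loads
# it from configuration and rotates it.
DEMO_KEY = secrets.token_bytes(32)


def issue_cookie(level: int, key: bytes) -> str:
    """Build 'level.hexmac' so the client can store the level but not forge it."""
    payload = str(level)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def read_cookie(cookie: Optional[str], key: bytes) -> int:
    """Return the signed level, or 1 if the cookie is missing or tampered."""
    if not cookie or "." not in cookie:
        return 1
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return 1
    try:
        return int(payload)
    except ValueError:
        return 1


if __name__ == "__main__":
    for sample in [None, "abc", "3", "3.5", "4", "1e1"]:
        level, solved = challenge_check(sample)
        print(f"user_lv={sample!r:8} -> level={level}, solved={solved}")
    good = issue_cookie(1, DEMO_KEY)
    edited = "3.5." + good.rpartition(".")[2]   # client changed only the level
    print("signed cookie level:", read_cookie(good, DEMO_KEY))
    print("edited cookie level:", read_cookie(edited, DEMO_KEY))
```

The modelled check makes the trust problem visible: the only thing deciding whether `solve(1)` runs is a value the browser chooses, and `is_numeric()` plus `>= 4` constrain the value without constraining who sets it. The signed cookie is the smallest change that fixes that; the cleaner fix is to keep the level in server-side session state and send the client nothing but an opaque session id.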

 

Modifying the cookie value with Dev Tools

Press Ctrl + Shift + I or F12 to open Dev Tools (the browser's developer tools).

 

 

 

Then go to Application → Cookies, edit the Value of user_lv, and refresh (F5); the challenge is solved.

I solved this challenge twice: the first time I solved it with Dev Tools, but the second time it kept failing.

So I looked up a second method as well.

 

Modifying the cookie value with EditThisCookie

EditThisCookie
EditThisCookie is a cookie manager. You can use it to add, delete, edit, search, protect or block cookies!
chrome.google.com

It did not work for me with Dev Tools, but when I modified the cookie value with the Chrome extension, the challenge was solved.

After installing EditThisCookie, you will see the following.

 

 

 

Modify it like this. Click the check mark and refresh, and the challenge is solved.

 
