  • Webhacking.kr :: old-25
    SECURITY/Webhacking 2021. 2. 2. 11:03

    When you open the challenge, it looks like the following.

    Judging by the URL, the page seems to print the hello.php file at the bottom.

    What we want is the flag file, so... enter flag.

    (Also, entering hello.php produces no output while entering hello works, so the code must append .php to the file value taken from the URL.)

    As expected... it does not show up right away.

    But since this is a PHP challenge, a PHP wrapper should do the job.

     

    * PHP Specific Vulnerability

    PHP provides wrappers for URL-style protocols in filesystem functions such as include(), fopen(), and copy(). Abusing them is a vulnerability that comes from this characteristic of the PHP language.

    file://  - Accessing local filesystem

    php://  - Various filters can be used.

     

    This code probably uses include, and the flag seems to be in flag.php but is not visible.

    So I will try a filter, via the PHP wrapper, that base64-encodes the file contents.

    php://filter/convert.base64-encode/resource=FILE_NAME

    It can be used like this, and it base64-encodes the contents of the file FILE_NAME.

     

     

    As expected, the value came out fine, and decoding this value

     

     

    gives the flag value, which you then enter in Auth~
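
    From the defender's side, the include pattern guessed at above next to a hardened form. This is an added example, not the challenge's source and not code from the original post; the function names, the PAGES map and the temporary page directory are assumptions made for illustration.

    ```php
    <?php
    // Added example: a hypothetical reconstruction, not the challenge's source.

    // Pattern the write-up infers: the request value reaches include() with
    // ".php" appended, so a stream-wrapper URL is accepted like any filename.
    function render_page_vulnerable(string $file): void
    {
        include $file . '.php';
    }

    // Hardened form: the request value is only a key into a fixed map and
    // never becomes part of a path or URL handed to include().
    const PAGES = [                 // constructed sample entries
        'hello' => 'hello.php',
        'about' => 'about.php',
    ];

    function resolve_page(string $file, string $baseDir): ?string
    {
        if (!array_key_exists($file, PAGES)) {
            return null;            // unknown key: wrappers and traversal stop here
        }
        $base = realpath($baseDir);
        $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$file]);
        if ($base === false || $path === false) {
            return null;            // mapped file is missing on disk
        }
        // Defence in depth: the resolved file must sit inside the page directory.
        $prefix = $base . DIRECTORY_SEPARATOR;
        return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
    }

    // Demo on constructed inputs, using a temporary page directory.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
    if (!is_dir($dir)) {
        mkdir($dir);
    }
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.php', "<?php echo \"hello world\\n\";\n");

    $inputs = ['hello', 'flag', '../flag',
               'php://filter/convert.base64-encode/resource=flag'];
    foreach ($inputs as $input) {
        $path = resolve_page($input, $dir);
        echo $input, ' => ', $path === null ? 'rejected' : 'allowed', "\n";
        if ($path !== null) {
            include $path;
        }
    }
    ```

    Only hello is allowed; the other three inputs are rejected before any filesystem or stream function sees them.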
