Webhacking.kr :: old-58
SECURITY/Webhacking 2021. 2. 2. 15:44

At first I thought something was still loading, but the content was just further down the page.

I pressed send without entering anything, and this came up. It looks like command injection.

Let's look at the script.

Communication with the server is implemented with socket.io:

socket.emit('Event', data); :: send

socket.on('Event', function(data)); :: receive

In other words, socket.emit sends username:[input] as the cmd to be executed. (The id of the input box is m.)

The data received back over that connection is appended to message and displayed on the page.

First, entering ls gives the result below.

There are index.js and temp.html.

Entering flag gives admin only.

In the script above, username is set to guest when the data is sent over the socket, which seems to be why the flag cannot be seen.

So all that is needed is to send it with username set to admin.

Copy the original script code, change username to admin, and enter it in the console.

Now when the user presses send, the originally defined function still runs, but the function I defined runs as well.

Since mine sends admin, entering flag and pressing send makes the original function print admin only, while the newly defined function returns the FLAG~

The result is as follows. Enter the flag shown here into Auth and you're done!
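The root cause is that the server takes the username from the client's own `username:input` payload. The following is an added example, not the challenge's index.js (which the post never shows): a constructed model of the `cmd` handler that reproduces the observed behaviour, next to a hardened version that takes the identity from the server-side session and only accepts allow-listed commands. FILES, FLAG and the session object are stand-ins.

```javascript
// Constructed stand-ins for what the real server would hold.
const FILES = 'index.js\ntemp.html';          // what `ls` shows in the post
const FLAG = 'FLAG{constructed-placeholder}';  // placeholder, not the real flag

// Allow-listed commands only; nothing is passed to a shell.
function runCommand(cmd, user) {
  if (cmd === 'ls') return FILES;
  if (cmd === 'flag') return user === 'admin' ? FLAG : 'admin only';
  return 'unknown command';
}

// Weak handler: parses the identity out of the "username:" prefix that the
// browser script put in the payload. Whoever edits the client script owns `user`.
function weakHandler(payload) {
  const idx = payload.indexOf(':');
  if (idx < 0) return 'bad payload';
  const user = payload.slice(0, idx);
  const cmd = payload.slice(idx + 1);
  return runCommand(cmd, user);
}

// Hardened handler: the identity is read from the socket's server-side session
// (set when the socket authenticated) and the payload is only ever a command.
// A "username:" prefix is not parsed, so it simply becomes an unknown command.
function hardenedHandler(session, payload) {
  const user = session.username || 'guest';
  return runCommand(payload, user);
}

// The post's observations, then the tampered payload against both handlers.
console.log(weakHandler('guest:ls'));                             // index.js / temp.html
console.log(weakHandler('guest:flag'));                           // admin only
console.log(weakHandler('admin:flag'));                           // weak server hands out the flag
console.log(hardenedHandler({ username: 'guest' }, 'admin:flag')); // unknown command
console.log(hardenedHandler({ username: 'guest' }, 'flag'));       // admin only
```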
