{"id":36,"date":"2018-11-28T15:12:07","date_gmt":"2018-11-28T15:12:07","guid":{"rendered":"https:\/\/blog.rubiya.kr\/?p=36"},"modified":"2018-11-28T16:12:16","modified_gmt":"2018-11-28T16:12:16","slug":"webhacking-kr-stored-xss-vuln","status":"publish","type":"post","link":"https:\/\/blog.rubiya.kr\/index.php\/2018\/11\/28\/webhacking-kr-stored-xss-vuln\/","title":{"rendered":"webhacking.kr stored xss vuln"},"content":{"rendered":"<p><a href=\"http:\/\/webhacking.kr\/\" target=\"_blank\" rel=\"noopener\">webhacking.kr<\/a> challenge 48 (<a href=\"http:\/\/webhacking.kr\/challenge\/bonus\/bonus-12\/\" target=\"_blank\" rel=\"noopener\">http:\/\/webhacking.kr\/challenge\/bonus\/bonus-12\/<\/a>) is about an OS command injection caused by insufficient validation of user input during the file deletion step.<br \/>\nInside this challenge, a Stored XSS attack is possible through a vulnerability the operator never intended.<\/p>\n<ul>\n<li>Getting the source code of index.php<\/li>\n<\/ul>\n<p>When you upload a file and leave a comment in the challenge, an icon is added automatically.<br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-46\" src=\"https:\/\/blog.rubiya.kr\/wp-content\/uploads\/2018\/11\/1.png\" alt=\"\" width=\"328\" height=\"576\" \/><br \/>\nThe icon is named 3.jpg, 4.jpg, 5.jpg and so on, depending on the length of the nickname.<br \/>\nBut if you request <strong>1.jpg<\/strong>, the file turns out to be broken.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-47 size-full\" src=\"https:\/\/blog.rubiya.kr\/wp-content\/uploads\/2018\/11\/2.png\" alt=\"\" width=\"729\" height=\"335\" \/> Something smells here...!<br \/>\nLooking at it with view-source:...<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-48 size-full\" src=\"https:\/\/blog.rubiya.kr\/wp-content\/uploads\/2018\/11\/3.png\" alt=\"\" width=\"729\" height=\"407\" \/><br \/>\nIt contains every file in that directory...<br \/>\nincluding the source code of index.php.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-49 size-full\" src=\"https:\/\/blog.rubiya.kr\/wp-content\/uploads\/2018\/11\/4.png\" alt=\"\" width=\"730\" height=\"523\" \/><br \/>\nThe recovered source code of index.php is as follows.<\/p>\n<p><script src=\"https:\/\/gist.github.com\/red-velvet\/5eec2bcb736d0dc7827211b5ad8122a3.js\"><\/script><\/p>\n<p>At this point you may say \"are you kidding, how is anyone supposed to know that!\", but...<br \/>\nthis is not a CTF challenge; it is a bug that appeared in the real world \ud83d\ude42<\/p>\n<p>So let's think about why such a file came to exist.<br \/>\nWhy 1.jpg, of all names?<br \/>\nWhen you refer to files with * in bash, they are sorted numerically and then alphabetically.<br \/>\nWhat if the operator had to back up the files and, while bundling them with tar, made a mistake like tar -cvf * ?<br \/>\nThen every file except 1.jpg, the first one in the directory, gets bundled and written into 1.jpg.<br \/>\nUnless you run ls -al and look closely at the changed file size, it is hard to notice that a <strong>bomb<\/strong> named 1.jpg has appeared.<br \/>\nThis is a vulnerability that can easily arise in the real world through an administrator's mistake... but it is not easy to audit for.<br \/>\nAnyway, this is how we obtained the source code of index.php!<\/p>\n<ul>\n<li>SQL Injection<\/li>\n<\/ul>\n<p>The OS command injection that was the original mission of this challenge cannot be abused, because the string <strong>;ls<\/strong> is hard-coded (line 21).<br \/>\nThe only vulnerability in this file that looks exploitable is SQL Injection.<br \/>\nEscaping is applied only when the memo is written (line 34), not when it is printed, so if an Insert SQL Injection succeeds on line 49<br \/>\nit looks like it can be escalated to Stored XSS.<\/p>\n<p>Now let's dissect line 49.<br \/>\nFour variables, <strong>$_SESSION[id]<\/strong>, <strong>$tm<\/strong>, <strong>$f<\/strong> and <strong>$_POST[memo]<\/strong>, are inserted dynamically into the query,<br \/>\nand all of them except the $tm variable (line 36) are values we control.<br \/>\nIdeal for triggering it.<\/p>\n<p>First, the $f variable.<br \/>\nThe original name of the uploaded file is stored in the variable (line 32) and then checked for being longer than 3 characters (line 40).<br \/>\nAfter that... oh my, there is no filtering at all.<br \/>\nwebhacking.kr runs with <a href=\"http:\/\/php.net\/manual\/en\/info.configuration.php#ini.magic-quotes-gpc\" target=\"_blank\" rel=\"noopener\">magic_quotes_gpc=on<\/a>, but the $_FILES variable is not affected by magic_quotes_gpc.<br \/>\nWe could simply set the file name to \\ to break the syntax of the query, then attack with something like <strong>,1),(1,2,3,4)#<\/strong> in the $_POST[memo] variable, and we would be done.<br \/>\nSo we happily fire the payload... and find that the attack fails.<br \/>\nConsidering both the source code and the configuration, this payload should have succeeded, yet it failed...<br \/>\nThe only explanation is that the operator changed the source code of index.php further after 1.jpg was created.<br \/>\nAn attack through the $f variable is impossible.<br \/>\nUnlike what the source code shows, it is being filtered.<br \/>\nFrustrating, but let's look for another variable.<\/p>\n<p>Breaking the query through the $_POST[memo] variable... is impossible because of the magic_quotes_gpc=on setting.<br \/>\nThat leaves the $_SESSION[id] variable.<br \/>\nIn fact, I have already posted a zero-day on my <a href=\"http:\/\/blog.rubiya.kr\/220500660102\" target=\"_blank\" rel=\"noopener\">blog<\/a> that attacks through this variable.<br \/>\nThe gist of that post is... if you register and log in with the ID <strong>asdf'<\/strong>, the string <strong>asdf'<\/strong> is placed unchanged into the $_SESSION[id] variable,<br \/>\nso an Indirect SQL Injection is possible in any challenge that uses the session ID.<br \/>\nSo we register and log in with the ID <strong>rubiya'#<\/strong>, then use %0a in $_POST[memo] to comment out the middle of the query<br \/>\nand manipulate the rest of the query after it.<br \/>\nThe value actually put into $_POST[memo] is...<br \/>\n<strong>%0a,999999999999,0x41,0x3c7363726970743e616c6572742831293c2f7363726970743e)#<\/strong> (the hex value of &lt;script&gt;alert(1)&lt;\/script&gt;).<br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-50 size-full\" src=\"https:\/\/blog.rubiya.kr\/wp-content\/uploads\/2018\/11\/5.png\" alt=\"\" width=\"454\" height=\"139\" \/><br \/>\nAnd with that, the stored XSS on webhacking.kr challenge 48 succeeds!<\/p>\n<ul>\n<li>One more thing...<\/li>\n<\/ul>\n<p>As I often say in private, webhacking.kr still has at least 5 unpatched vulnerabilities.<br \/>\nAlso, more than 10 of the wargames registered on <a href=\"https:\/\/www.wechall.net\/\" target=\"_blank\" rel=\"noopener\">wechall.net<\/a> have vulnerabilities.<br \/>\nWhile hunting for vulnerabilities, I found it very interesting to follow the thought process of how a developer who is also a hacker defended their own site against hackers.<br \/>\nWhy not try finding vulnerabilities in the wargame sites themselves?<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/36"}],"collection":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/comments?post=36"}],"version-history":[{"count":14,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/36\/revisions"}],"predecessor-version":[{"id":86,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/36\/revisions\/86"}],"wp:attachment":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/media?parent=36"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/categories?post=36"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/tags?post=36"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}