관리 메뉴

Hax0r

[풀이] Webhacking.kr 34번 문제 본문

0x00 개발/Security

[풀이] Webhacking.kr 34번 문제

영준이 2017.06.01 11:44

34번 문제의 스코어는 400입니다.

스코어의 비해 문제의 난이도는 쉬운편에 속 합니다.


문제 페이지에 들어가면 "Wrong" 이라는 alert 이 발생한다.

코드를 살펴보면 아래와 같다.


첫 번째 스크립트


l1l = document.all;


var naa = true;


ll1 = document.layers;


lll = window.sidebar;


naa = !(l1l && ll1) && !(!l1l && !ll1 && !lll);


l11 = navigator.userAgent.toLowerCase();


function lI1(a) {

    return l11.indexOf(a) > 0 ? true : false;

}


lII = lI1("kht") | lI1("per");


naa |= lII;


O0O0 = new Array();


O0O0[0] = "<script>l1l=document.all;var naa=true;~1~ ~\r~~~layers~%~=win~\fw.sideb~;~~(!(~\bl&&~&)~J~F!~H~N~&~R~))~%1~'~vigator.us~0Ag~+.~`Low~0Ca~e(~Wfunction lI1~G1I){retur~|~\b1.~7~>xOf}}>0?~!~#:f~~e}~%II=~~}za'kht')|}$('p~0}*~B~|}#}!;O00O=new Arr~.~s}8}:O[0]='<script>}Wf(do}Sumen}[.URL}r}_}p}e}nxO~ \\''}8O}9}M~u|| };}MuYYvGUsPrTgKgtmIoOvIPKXjBJLVpjRT|\r|+}M~w~y~{ __'+'|9(|:|<}9}|\r};0}M%76%61|H2%20l%3|O3D\\167i|KEd|Y57w|PEo}0|Y6|O|L|TF|T|M3A|T0|TB|K6u|a|J63~y|a7|^|P|R|T3|P8|KC|T4|P9|H|v6{ 35|TD|P|n7A|Y4|M2Fg|u{\b|T|J|W|Y2|}|N|K9n{2Efro|K{4{68~|Y0{5F|`14{2{3|t2{\r3B|a{ 3{JD|S{K|e|i2{5|i0{I{1ce{{I|T{@C{N|J{E|u|i|{1r{{N{za{$156{S|i{za|Q%{|N}Dy{{\f|P{`|T{B{5";


O00O = "fu";


OO0O = "OWkhHnBHDQcdCEOiTtMpvSOQsnnl";


O00O += "nction __" + "__(_" + "O0){";


O0OO = "v%61r%20l%32%3Dwindow%2Eop%65%72a%3F%31%3A%30%3B%66uncti%6Fn%20l%33%28l%34%29%7Bl%35%3D%2Fza%2Fg%3Bl%36%3DS%74ring%2EfromChar%43%6Fd%65%28%30%29%3B%6C%34%3Dl%34%2E%72ep%6C%61ce%28l%35%2C%6C%36%29%3Bva%72%20l%37%3Dne%77%20Array%28%29%2C%6C%38%3D%5F%31%3Dl%34%2Elength%2Cl%39%2C%6CI%2C%69l%3D%31%36%32%35%36%2C%5F%31%3D%30%2C%49%3D%30%2Cli%3D%27%27%3Bdo%7Bl%39%3Dl%34%2E%63%68ar%43o%64e%41t%28%5F%31%29%3BlI%3Dl%34%2E%63ha%72Cod%65At%28%2B%2B%5F%31%29%3B%6C%37%5BI%2B%2B%5D%3DlI%2Bil%2D%28l%39%3C%3C%37%29%7Dwhile%28%5F%31%2B%2B%3Cl%38%29%3Bvar%20l%31%3D%6Eew";


O0O0[0] += "|n3|p{M{\n{P{m{ 65n{7|i4h{{{!3{\r2C{]4z{ 69{N{z{\"|T|V{3{b{ zza|o{|s{{Iz){Cz{|az|P{r{kB~\f{{N{F|Xzz{-|K3|a|t|l7{R1{:o{4{pzF|M7{ {A%z'z{c{G{Iz,{l5{JzOEz?z|LrCo{={?{91z{y2|vzizQz{{FB{jzQBz,zkzk5z{MztBi{]2{zP{|T{F{{{r{\r7Dwh|]yz {yzR{zj|v3{|3{zT{H|Z{f{h|Q{Nz}>|H7|D};}J]|3}N0lDzy)}lB}_2|}N)!=-1y8{y*~\fa}q}X}g}p}sh}U}m}`y;y6PyG}QyWw|1}9y'e~y[}<'FZcXBu~dy~xRnnGtwnQpYWDoMCqHSyxjkPYy[0y'l(~ves' xx |<ca}0|?|B)}|y^~xx(| |B}G}:}MVbOolLdFvrFXhHrDOXxBeCIQFh}CqvW}x mqtkNOVEjx}M|Dy\\|G|Q|rzD{(zCzyz{]z.|Wz {>5|dxS}C{X|HxX{zz{tzz-|p|V{Bz6|{z|t5zs{!zwz)5{zN|N~7|K{r{.{0{2{t3h{X{h{4|K{<{[{AI|S{cy\by!|K8il{Szhzz;~Yz}zo|Y~Yzzxl{}{dz<zxtz*xw|Ww{mz{Nxs{yzrw'{zw/x[z;zY|T{zaw&z.w(|vzzazz({G~yzBz&zw7{Jx{\be|zz\ftzz~wAy|[wz1wKyFx[zz<z'wBsy!itcw{zqw&w?zQzx:{Nzm|T|rz.w^wd|L|i{5{@|twqwx{w$w.xi{]w({yw<w5w\\zw>{'";


O00O += "eva";


OOOO = "bZbJgXimpgJiRythFtjyLqqcUrROoOnOcGro";


O00O += "l(unes" + "cape(_O0))}";


eval(O00O);


OO00 = "kwQajkuWQqsOeyJwaOOOOPWOqVUfOOUpWyvcVmbXgrOOR";


O00O = "";


O0OO += "%20Arra%79%28%29%2Cl%30%3D%6E%65w%20%41%72ra%79%28%29%2CI%6C%3D%31%32%38%3B%64o%7B%6C%30%5B%49l%5D%3D%53%74rin%67%2Efro%6DCh%61rCode%28Il%29%7Dwh%69le%28%2D%2DIl%29%3BIl%3D%31%32%38%3Bl%31%5B%30%5D%3Dli%3Dl%30%5Bl%37%5B%30%5D%5D%3B%6Cl%3Dl%37%5B%30%5D%3B%5Fl%3D%31%3B%76a%72%20%6C%5F%3Dl%37%2Elength%2D%31%3B%77hi%6Ce%28%5Fl%3Cl%5F%29%7B%73%77%69t%63%68%28l%37%5B%5Fl%5D%3CIl%3F%31%3A%30%29%7Bc%61%73e%20%30%20%3Al%30%5BIl%5D%3Dl%30%5Bll%5D%2B%53tr%69ng%28%6C%30%5Bl%6C%5D%29%2Esu%62str%28%30%2C%31%29%3Bl%31%5B%5Fl%5D%3Dl%30%5BIl%5D%3Bif%28%6C%32%29%7Bl%69%2B%3Dl%30%5BIl%5D%7D%3Bb%72ea";


OOO0 = "l";


O0O0[0] += "zD~7{,8x[w.{]yxw{c{-wuubwu~!{ywq{zn|uyw1wivzaw-zrz,vw4z1f{\\w$|Ow^{Ww+|PywHw'zs|Sxww{G|KzE|jea|1x#'ly#}I}Ky'y)}w}w}e}e}s}ZyYyY|;}yPy+}R}nyCyHy+}n}V}\\}cvNW}U~6g~)~N}O/~~~}]xPx}Mk{ 6z\b{66a|Hvzw[vxwoz|Mwh|nv%{v\"xtwgw>Fv4w3vw9v({Ax[v+yw/|]zk|Wxrw1vw:u\fwuv6w/v2v$z&zxu zpuv/zQ|}rwV6Ev v\ruw0uu*vzEwu|i{T{>2svzPvz(yv|Z|k5v}6|vu\"wzfz<zuyu#vz3uzlu { wiuQ|Hw4{){{byuOw8|U{z7uL2{[zNu<|N|zwfuDu:{m2zHv.u0zhz4xgyD{[{~e{{Q}v~|Nn{{\b|]wuMyv}xU{sy4wGz3tzU{>|{{v+w|]ux\\{9wVy{tzwx|tt|el~z\fzzAuuyufzpw{rv0z{zPt$x\\};zru/{\ru8u]|uz|t{~Ct.|KzJ{m7cu<|au={?~|ew{QwVzNw 8lOufw4y#0 t[t\\}MlJ~7Eyg|||||||||!|#|%|'|)|+|-|/wycyeygyiykymyoyqysyuW||9|9t\\ x|E~W|vt'gMbLfyNyvpLHa| sjDE| hImUePWluiSxIMSw_CcHpJNQHcJkZUIOUKZeRRDmSkxPtOwx4SPJOZsRmsoCGWnoBLGfwSiFxlVOsdTMTuKsOObYtMElXOqswkwUdVGdE~pMOQUq|</~~~>";


O0OO += "k%3Bde%66ault%3A%6C%31%5B%5Fl%5D%3Dl%30%5Bl%37%5B%5F%6C%5D%5D%3Bif%28l%32%29%7Bl%69%2B%3D%6C%30%5Bl%37%5B%5Fl%5D%5D%7D%3Bl%30%5BIl%5D%3Dl%30%5Bl%6C%5D%2BS%74ring%28l%30%5B%6C%37%5B%5Fl%5D%5D%29%2Es%75%62str%28%30%2C%31%29%3Bbre%61k%7D%3BIl%2B%2B%3Bll%3Dl%37%5B%5Fl%5D%3B%5F%6C%2B%2B%7D%3Bif%28%21l%32%29%7Bre%74%75rn%28l%31%2Ej%6Fin%28%27%27%29%29%7D%65%6Cse%7Bret%75rn%20li%7D%7D%3Bva%72%20lO%3D%27%27%3B%66or%28i%69%3D%30%3Bii%3CO%30O%30%2Elen%67th%3B%69i%2B%2B%29%7B%6CO%2B%3D%6C%33%28O%30O%30%5Bi%69%5D%29%7D%3Bi%66%28naa%29%7Bd%6Fcu%6De%6Et%2Ewrite%28lO%29%7D%3B";


OO00 = "RoxNlIkMOmOOWkhHnBHDQcdCEOiTtMpvSOQsnnlrbZbJgXimpgJiRythFtjyLqq";


____(O0OO);


OOO0 += "iDyZqTZVcfvUWakfMOsPeOSvGHFKsltOjiCGJyOldSwBXwDSOtKufLdbImGpuYuIBVSlKfOYexPgYdEwOaLbhqeOYZXOvEMnDCTXORmFveQTjPUdaNOxxOgtZpYsNjOOThVnOho";



두 번째 스크립트



l1l = document.all;


var naa = true;


ll1 = document.layers;


lll = window.sidebar;


naa = !(l1l && ll1) && !(!l1l && !ll1 && !lll);


l11 = navigator.userAgent.toLowerCase();


function lI1(a) {

    return l11.indexOf(a) > 0 ? true : false;

}


lII = lI1("kht") | lI1("per");


naa |= lII;


O00O = new Array();


O00O[0] = "<script>if(document.URL.indexO~ '";


OOO0 = "fu";


OO0O = "uYYvGUsPrTgKgtmIoOvIPKXjBJLVpjRT";


OOO0 += "nction __" + "__(_" + "O0){";


O0O0 = "%76%61%72%20l%32%3Dwi%6Edow%2Eoper%61%3F%31%3A%30%3B%66un%63tio%6E%20l%33%28%6C%34%29%7B%6C%35%3D%2F%7Aa%2Fg%3B%6C%36%3DSt%72%69ng%2Efro%6D%43%68arC%6Fde%28%30%29%3Bl%34%3Dl%34%2Ereplace%28l%35%2Cl%36%29%3Bv%61r%20l%37%3Dnew%20%41%72ray%28%29%2Cl%38%3D%5F%31%3Dl%34%2El%65ngth%2C%6C%39%2Cl%49%2C%69l%3D%31%36%32%35%36%2C%5F%31%3D%30%2CI%3D%30%2C%6Ci%3D%27%27%3Bdo%7Bl%39%3Dl%34%2E%63h%61%72CodeA%74%28%5F%31%29%3BlI%3Dl%34%2E%63h%61rCodeAt%28%2B%2B%5F%31%29%3Bl%37%5BI%2B%2B%5D%3DlI%2Bil%2D%28%6C%39%3C%3C%37%29%7Dwhi%6C%65%28%5F%31%2B%2B%3Cl%38%29%3Bv%61r%20l%31%3Dne%77";


O00O[0] += "0lDz0mBi2')!=-1){l~\fation.href='Passw";


OOO0 += "eva";


OOOO = "FZcXBuusyipxRnnGtwnQpYWDoMCqHSyxjkPY";


OOO0 += "l(unes" + "cape(_O0))}";


eval(OOO0);


O000 = "VbOolLdFvrFXhHrDOXxBeCIQFhrrqvWOfOOOmqtkNOVEj";


OOO0 = "";


O0O0 += "%20A%72%72%61%79%28%29%2Cl%30%3Dnew%20Arra%79%28%29%2C%49l%3D%31%32%38%3Bdo%7B%6C%30%5BI%6C%5D%3D%53%74%72in%67%2Efro%6D%43har%43%6Fde%28Il%29%7D%77%68ile%28%2D%2DIl%29%3BI%6C%3D%31%32%38%3Bl%31%5B%30%5D%3Dli%3Dl%30%5B%6C%37%5B%30%5D%5D%3B%6Cl%3Dl%37%5B%30%5D%3B%5Fl%3D%31%3Bvar%20%6C%5F%3Dl%37%2E%6Cength%2D%31%3Bw%68i%6Ce%28%5Fl%3Cl%5F%29%7Bs%77itc%68%28l%37%5B%5Fl%5D%3CIl%3F%31%3A%30%29%7Bc%61s%65%20%30%20%3Al%30%5B%49l%5D%3D%6C%30%5B%6Cl%5D%2B%53t%72ing%28l%30%5Bl%6C%5D%29%2Esubstr%28%30%2C%31%29%3Bl%31%5B%5Fl%5D%3Dl%30%5BI%6C%5D%3Bif%28l%32%29%7Bli%2B%3Dl%30%5BIl%5D%7D%3B%62rea";


OO00 = "l";


O00O[0] += "0RRdd.pww';}else{alert('Wr~6g~)~N</~~~>";


O0O0 += "k%3B%64%65%66a%75%6Ct%3A%6C%31%5B%5F%6C%5D%3Dl%30%5Bl%37%5B%5Fl%5D%5D%3B%69f%28l%32%29%7B%6Ci%2B%3D%6C%30%5B%6C%37%5B%5Fl%5D%5D%7D%3B%6C%30%5BI%6C%5D%3Dl%30%5Bll%5D%2B%53tri%6Eg%28l%30%5B%6C%37%5B%5Fl%5D%5D%29%2Esubstr%28%30%2C%31%29%3Bbr%65a%6B%7D%3BIl%2B%2B%3B%6C%6C%3Dl%37%5B%5Fl%5D%3B%5Fl%2B%2B%7D%3B%69f%28%21l%32%29%7B%72e%74u%72n%28l%31%2Ejoi%6E%28%27%27%29%29%7De%6Cse%7Bret%75%72n%20%6Ci%7D%7D%3Bva%72%20%6C%4F%3D%27%27%3Bf%6F%72%28ii%3D%30%3B%69i%3C%4F%30%30%4F%2Elength%3B%69i%2B%2B%29%7BlO%2B%3D%6C%33%28%4F%30%30O%5Bi%69%5D%29%7D%3Bif%28naa%29%7B%64ocument%2Ewri%74e%28lO%29%7D%3B";


O000 = "lJinEyguYYvGUsPrTgKgtmIoOvIPKXjBJLVpjRTwFZcXBuusyipxRnnGtwnQpYW";


____(O0O0);


OO00 += "gMbLfyNyvpLHaOOaOjDEOOhImUePWluiSNOMSBsCcHpJNQHcJkZUIOUKZeRRDmSkxPtOwDOSPJOZsRmsoCGWnoBLGfwSiFxlVOaOdTMTuKJOObYtMElXOqXOkwUdVGdECaMOQUq";


세 번째 스크립트


if (document.URL.indexOf("0lDz0mBi2") != -1) location.href = "Passw0RRdd.pww"; else alert("Wrong");



중점으로 세 번째 스크립트만 보면된다.



"document.URL.indexOf("0lDz0mBi2") != -1" 이 조건이 참이라면 "Passw0RRdd.pww" 로 리다이렉트하게되고, 거짓일시 "Wrong" alert을 띄어준다. 궁긍적으로 Passw0RRdd.pww 경로로 이동하면, 문제의 패스워드가 나오고 해당 패스워드를 auth 항목 기입하여 문제를 클리어할 수 있다.



저작자 표시 비영리 변경 금지
신고