Plit00's Story
[Websec.fr] Easy - Level19
I recently solved a captcha-related problem in a CTF, and this one happened to look similar, so I gave it a try.
```php
<?php
session_start ();

include 'random.php';
include 'email.php';
include 'anti_csrf.php';
include 'captcha.php';

init_token ();

if (isset ($_POST['captcha']) and isset ($_SESSION['captcha'])) {
    if ($_SESSION['captcha'] === $_POST['captcha']) {
        check_and_refresh_token();
        $email_addr = 'level19' . '@' . $_SERVER['HTTP_HOST'];  // less hassle if we move to another domain
        send_flag_by_email ($email_addr);
        $message = "<p class='alert alert-success'>Password recovery email sent.</p>";
    } else {
        $message = "<p class='alert alert-danger'>Invalid captcha</p>";
    }
} else {
    $_SESSION['captcha'] = generate_random_text (255 / 10.0);
}
?>
```

```php
<?php
$height = 64;
$width = 255;

function show_image () {
    global $height;
    global $width;

    if (! isset ($_SESSION['captcha'])) {
        die ('This is not how you are supposed to use it.');
    }

    $image = @imagecreatetruecolor ($width, 64) or die ("Cannot Initialize new GD image stream");
    $bg = imagecolorallocate ($image, 255, 255, 255);
    imagefill ($image, 0, 0, $bg);
    imagecolordeallocate ($image, $bg);

    for($i = 0; $i <= $width / 10.0; $i++) {
        $color = imagecolorallocate ($image, rand (0, 128), rand (0, 128), rand (0, 128));
        imagechar ($image, rand (1, 5), $i * rand (20, 40), rand (10, $height - 10), $_SESSION['captcha'][$i], $color);
        imagecolordeallocate ($image, $color);
    }

    /* Yay, dots! */
    for($i=0; $i < 1024; $i++) {
        $color = imagecolorallocate ($image, rand (0, 255), rand (0, 255), rand (0, 255));
        imagesetthickness ($image, rand (1, 5));
        imagefilledellipse ($image, rand (0, $width), rand (0, $height), 3, 3, $color);
        imagecolordeallocate ($image, $color);
    }

    /* Yay, lines! */
    imagesetthickness ($image, 1);
    for ($i=0; $i < 8; $i++) {
        $color = imagecolorallocate ($image, rand (0, 255), rand (0, 255), rand (0, 255));
        imageline($image, rand (0, $width), 0, rand (0, $width), $height, $color);
        imagecolordeallocate ($image, $color);
    }

    /* Php doesn't offer a method to output images to a variable. */
    ob_start ();
    imagepng ($image);
    $str_image = ob_get_contents ();
    ob_end_clean ();

    imagedestroy ($image);

    return base64_encode ($str_image);
}
?>
```

```php
<?php
function init_token() {
    if ((! isset ($_SESSION['token'])) or empty ($_SESSION['token'])) {
        $_SESSION['token'] = generate_random_text (32);
    }
}

function check_and_refresh_token() {
    if (! isset ($_POST['token'])) {
        die ('Please sumbit the anti-csrf token.');
    } elseif ( hash_equals ($_SESSION['token'], $_POST['token'])) {
        $_SESSION['token'] = generate_random_text (32);
    } else {
        $_SESSION['token'] = generate_random_text (32);
        die ('Invalid session token.');
    }
}
?>
```

```php
<?php
// https://secure.php.net/manual/en/function.srand.php#90215
srand (microtime (true));

function generate_random_text ($length) {
    $chars = "abcdefghijklmnopqrstuvwxyz";
    $chars .= "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $chars .= "1234567890";

    $text = '';
    for($i = 0; $i < $length; $i++) {
        $text .= $chars[rand () % strlen ($chars)];
    }
    return $text;
}
```
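In this challenge, srand() takes an int, so the float produced by microtime(true) is converted to an int. The seed is therefore just the current Unix time in whole seconds.
This means the seed can be found by brute force.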
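The seeding weakness described above can be reproduced locally. The following is an added example, not code from the challenge or from the original post: it re-implements the page's generator with an explicit seed next to a hardened `random_int()` version. The names `weak_text`, `strong_text` and `matching_seeds` and the timestamp are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code. The timestamp below is a constructed sample.
const CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";

// Same algorithm as the page's generate_random_text(), with the seed made explicit.
function weak_text(int $seed, int $length): string {
    $chars = CHARS;
    srand($seed);
    $text = '';
    for ($i = 0; $i < $length; $i++) {
        $text .= $chars[rand() % strlen($chars)];
    }
    return $text;
}

// Hardened form: random_int() uses the OS CSPRNG and has no seed to guess.
// The anti-CSRF token on the page comes from the same generator and needs the same fix.
function strong_text(int $length): string {
    $chars = CHARS;
    $text = '';
    for ($i = 0; $i < $length; $i++) {
        $text .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $text;
}

// Audit helper (hypothetical name): which whole-second seeds near $center reproduce $observed?
function matching_seeds(string $observed, int $center, int $window): array {
    $hits = [];
    for ($s = $center - $window; $s <= $center + $window; $s++) {
        if (weak_text($s, strlen($observed)) === $observed) {
            $hits[] = $s;
        }
    }
    return $hits;
}

$now = 1554681600.734;                 // constructed microtime(true) value
$captcha = weak_text((int) $now, 26);  // 255 / 10.0 = 25.5, so the page's loop emits 26 chars

// Every request in the same second gets the same seed, hence the same text.
var_dump($captcha === weak_text((int) 1554681600.002, 26));

// With the clock known to within 5 seconds, only 11 seeds need checking.
print_r(matching_seeds($captcha, 1554681603, 5));

// The CSPRNG-backed version has no seed; two calls are independent.
echo strong_text(26), "\n", strong_text(26), "\n";
```

The text `rand()` produces for a given seed differs between PHP versions (since PHP 7.1 `rand()` and `srand()` are aliases of `mt_rand()` and `mt_srand()`), so a comparison like this only holds on the same PHP version as the code under review.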
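```php
<?php
function submit_captcha($captcha, $csrf_token, $session) {
    //$url = "-----";
    $url = "http://websec.fr/level19/index.php";

    // Form body: the anti-CSRF token and the captcha guess.
    $data = array('token' => $csrf_token, 'captcha' => $captcha);
    $data = http_build_query($data);

    // Stream-context options for the POST request. Apart from the session
    // cookie, the header values are missing from the post and are left empty.
    $options = array(
        'http' => array(
            'method' => "POST",
            'header' => "Host: \r\n" .
                        "Accept-language: \r\n" .
                        "Content-type: \r\n" .
                        "Content-Length: \r\n" .
                        "Cookie: PHPSESSID=" . $session . "\r\n" .
                        "User-Agent: \r\n"
        )
    );
    echo "built query";
}
?>
```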