
๐ŸดCTF/OWASP Juice Shop5

OWASP Juice Shop - Database Schema
Exfiltrate the entire DB schema definition via SQL Injection. Read literally, the task is to pull the DB schema definitions out through SQL injection. There were broadly two places to try SQLi, the login form and the product search, but the login endpoint does not give back the query result we are after, so I set it aside for now. (For this type of challenge the working vector has usually been the search page anyway.) Unrelated to the task itself, the account page did look open to error-based blind SQLi: jim@juice-sh.op' AND CASE WHEN (select 1 from Users where email='jim@juice-sh.op') THEN 1.. 2023. 9. 29.
OWASP Juice Shop - Login Admin (Injection)
Suppose the login query looks like this: SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL. If "admin@juice-sh.op' or '1'='1'--" is entered as the email, the statement becomes SELECT * FROM Users WHERE email = 'admin@juice-sh.op' or '1'='1'--' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL. The "--" turns the rest of the line, including the password check, into a comment, the OR makes the WHERE clause true for every row, and the login succeeds. 2023. 9. 27.
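An added example, not Juice Shop's own code, showing the interpolated query from the post next to a parameterized form. It models what the database sees after the "--" comment is applied (a small scanner that respects single-quoted strings) and a stand-in for security.hash(), which the page does not show; the function names, the FNV-style fakeHash and the "?" placeholder shape are assumptions.

```javascript
// Stand-in for security.hash(): the real function is not on the page, so a
// tiny FNV-1a digest is assumed here purely so the example is self-contained.
function fakeHash(password) {
  let h = 0x811c9dc5;
  for (const ch of password) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Vulnerable: request fields are spliced straight into the SQL text, exactly
// like the template literal quoted in the post.
function buildLoginQueryVulnerable(email, password) {
  return `SELECT * FROM Users WHERE email = '${email || ''}' AND password = '${fakeHash(password || '')}' AND deletedAt IS NULL`;
}

// What the engine actually executes: "--" outside a string literal starts a
// comment that runs to end of line, so everything after it is dropped.
// Quotes inside literals are tracked so a legitimate "--" in data is kept.
function effectiveStatement(sql) {
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (c === "'") {
      if (inString && sql[i + 1] === "'") { i++; continue; } // '' escapes a quote
      inString = !inString;
    } else if (!inString && c === '-' && sql[i + 1] === '-') {
      return sql.slice(0, i).trimEnd();
    }
  }
  return sql;
}

// Hardened: the SQL text is constant and user input travels only as bindings,
// the shape a parameterized query API (e.g. sequelize.query with
// replacements/bind) consumes. The payload can no longer change the grammar.
function buildLoginQueryParameterized(email, password) {
  return {
    sql: 'SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL',
    bindings: [email || '', fakeHash(password || '')],
  };
}

// Constructed input: the payload from the post, with an arbitrary password.
const PAYLOAD = "admin@juice-sh.op' or '1'='1'--";

function demo() {
  const executed = effectiveStatement(buildLoginQueryVulnerable(PAYLOAD, 'whatever'));
  const safe = buildLoginQueryParameterized(PAYLOAD, 'whatever');
  return { executed, passwordCheckSurvives: executed.includes('password'), safe };
}
```

Running demo() shows the executed statement is cut down to the email predicate plus the always-true OR, with no password comparison left; in the parameterized variant the same payload sits in bindings[0] and the SQL text is unchanged.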
OWASP Juice Shop - Upload a file larger than 100kB (Improper Input Validation)
I prepared files of different sizes: the largest is 120KB (122,880 bytes), the smallest is 1 byte, and the middle one is 97.6KB (100,000 bytes). Uploads are allowed up to 100 KB, so uploading the largest file produces an upload error. The Console tab of the developer tools shows an error related to fileSize. The message appears only when the large file is uploaded, not otherwise. Looking at vendor.js, the file the error comes from, there is a filter function that appears to compare the file against a maximum size. So the maximum-size validation seems to be done on the client side. Then, if that part is modified, shouldn't it be possible to upload a file larger than 100 KB as well.. 2023. 9. 27.
OWASP Juice Shop - ์ƒํ’ˆ ๋ฆฌ๋ทฐ ์กฐ์ž‘ (Broken Access Control) ๋‹ค์Œ์€ ํŠน์ • ์ œํ’ˆ์— ์ƒํ’ˆํ‰์„ ์ž‘์„ฑํ•˜๋Š” ํ™”๋ฉด์ด๋‹ค. ์ž„์˜๋กœ ์ƒํ’ˆํ‰ ๋‚ด์šฉ์„ ์ ๊ณ  ํ™•์ธ์„ ๋ˆ„๋ฅด๋ฉด ๋“ฑ๋ก์ด ๋˜๋Š” ๊ตฌ์กฐ์ด๋‹ค. ํŽ˜์ด๋กœ๋“œ๋ฅผ ํ™•์ธํ•˜๋ฉด author, message๋ฅผ ์ž…๋ ฅ๋ฐ›๋Š” ๊ฒƒ์„ ๋ณผ ์ˆ˜ ์žˆ๋‹ค. ๋ฒ„ํ”„์Šค์œ„ํŠธ๋ฅผ ์‹คํ–‰ํ•ด Interrupt๋ฅผ ๊ฑธ์–ด ์•„๋ž˜์˜ ํŽ˜์ด๋กœ๋“œ ์ค‘ author๋ฅผ "admin@juice-sh.op"๋กœ ์กฐ์ž‘ํ•œ๋‹ค. ๋ฆฌ๋ทฐ๋ฅผ ํ™•์ธํ•˜๋ฉด ์‹ค์ œ ๊ด€๋ฆฌ์ž(admin@juice-sh.op)๊ฐ€ ๋ฆฌ๋ทฐ๋ฅผ ๋‹จ ๊ฒƒ์ฒ˜๋Ÿผ ๋ชจ๋ฐฉํ•  ์ˆ˜ ์žˆ๋‹ค. OWASP TOP 10์— ๋“ฑ์žฌ๋œ ์ทจ์•ฝํ•œ ์ ‘๊ทผ ์ œ์–ด(Broken Access Control)์˜ ํ•œ ์˜ˆ์‹œ ๋ฌธ์ œ๋‹ค. 2023. 9. 27.
OWASP Juice Shop - ๋ฌธ์˜ํ•˜๊ธฐ Captcha Bypass (Broken Anti Automation) ๋ฌธ์˜ํ•˜๊ธฐ ํŽ˜์ด์ง€(/contact) ๊ตฌ์„ฑ๋„ ์‚ฌ์šฉ์ž๋กœ๋ถ€ํ„ฐ ํ‰์ ๊ณผ ๋Œ“๊ธ€์„ ์ž…๋ ฅ๋ฐ›๋Š”๋ฐ ํ•˜๋‹จ์— CAPTCHA ์ธ์ฆ์ด ํ•„์š”ํ•˜๋‹ค. ์บก์ฑ  ์š”์ฒญ REST API ๊ตฌ์กฐ (/rest/captcha/) ์„œ๋ฒ„์—์„œ ๋ฏธ๋ฆฌ ์บก์ฑ ๋ฅผ ์ƒ์„ฑํ•˜๋Š” SSR ๋ฐฉ์‹์ด ์•„๋‹Œ ํด๋ผ์ด์–ธํŠธ๊ฐ€ ํŽ˜์ด์ง€์— ๋“ค์–ด์˜ค๋ฉด ์บก์ฑ ๋ฅผ ์š”์ฒญํ•˜๋Š” CSR ๋ฐฉ์‹์ž„์„ ์•Œ ์ˆ˜ ์žˆ๋‹ค. ๋”ฐ๋ผ์„œ ํด๋ผ์ด์–ธํŠธ๊ฐ€ "http://localhost:3000/rest/captcha/"๋กœ GET์„ ์š”์ฒญํ•˜๋ฉด ๋‹ค์Œ๊ณผ ๊ฐ™์€ ์‘๋‹ต์ด ์˜จ๋‹ค. {"captchaId":38,"captcha":"8*8-5","answer":"59"} ๋ณด๋‹ค์‹œํ”ผ ์บก์ฑ  ์•„์ด๋””, ๋ฌธ์ œ, ์ •๋‹ต์ด ๊ทธ๋Œ€๋กœ ์ „๋‹ฌ์ด ๋œ๋‹ค. ์บก์ฑ  ๊ฒ€์ฆ REST API ๊ตฌ์กฐ (/api/Feedbacks/) ์‚ฌ์šฉ์ž๊ฐ€ ์บก์ฑ ๋ฅผ ํ’€๊ณ  ์„œ๋ฒ„๋กœ๋ถ€ํ„ฐ ์š”์ฒญ์„ ํ•  ๋•Œ๋Š” "http:.. 2023. 9. 27.