[Hackthissite] Realistic Missions 2

문제:

From: DestroyFascism Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful. 관리자로그인후 메시지를 등록!

their website 로 이동을 하게 되면 아래와 같은 소스를 볼수 있다.

<html>
<head>
<title>LONG LIVE THE AMERICAN NAZI PARTY</title>
</head>
<body bgcolor="#000000" text="#FFFFFF" link="#000000">
<table width=280 align="center" border=0 cellspacing=0 cellpadding=0>
  <tr>
  <td bgcolor="maroon"><center>
       <font face="verdana" color="white" size=4><b>WHITE</b></font>
     </center></td>
  <td bgcolor="maroon"><center>
       <br>
       <img src="logo.gif"><br>
       <br>
     </center></td>
  <td bgcolor="maroon"><center>
       <font face="verdana" size=4 color="white"><b>POWER</b></font>
     </center></td>
  </tr>
</table>
<center>
  <font face="verdana" size=4><b>JOIN THE AMERICAN NAZI PARTY<br>
  FIGHT FOR WHITE POWER</b></font>
</center>
<br>
<bR>
<table width=500 align="center" cellspacing=0 cellpadding=0 border=0>
  <tr>
  <td><b>Meeting July 18th</b> posted by WhiteKing<br>
     <hr color="white">
     The Chicago American Nazi Party will be meeting Thursday, July 18. Homophobes, racists and bigots unite!<br>
     <br>
     <b>RALLY AT INS BUILDING</b> posted by Jones<br>
     <hr color="white">
     PEOPLE ARE GETTING TOGETHER TO DISCUSS ORGANIZING AN ANTI-IMMIGRANT RALLY AT THE INS BUILDING. STAY TUNED FOR DETAILS...<br>
     <br></td>
  </tr>
</table>
<br>
<center>
  <a href="http://www.americannaziparty.com/support/gifs/wigger.gif"><img src="http://www.americannaziparty.com/support/gifs/wigger.gif" width=150></a>&nbsp;<a href="http://www.americannaziparty.com/support/gifs/beware.gif"><img src="http://www.americannaziparty.com/support/gifs/beware.gif" width=150></a>
</center>
<center>
  <a href="update.php"><font color="#000000">update</font></a>
</center>
<br>
</body>
</html>

관리자 로그인 페이지로 가기위해서 update.php페이지로 이동한다.

<html>
<head>
<title>update</title>
</head>
<body>
enter your username and password, white brother!<br>
<br>
<form action="update2.php" method="post">
  username<br>
  <input type="text" name="username">
  <br>
  <br>
  password<br>
  <input type="password" name="password">
  <br>
  <br>
  <input type="submit" name="log in">
</form>
</body>
</html>

이곳에서 관리자로 로그인하기 위해서 sql 인젝션을 사용한다.
sql인젝션에 대해서는 자료가 많이 공개되어 있기 때문에 찾아서 공부해서 이해했으면 좋겠다.

아이디 : ' or '1=1--' 입력후.. 로그인을 하면 성공 메시지가 나온다.



아직 많은 것을 모르고 기억해 두기위해 작성한 문서이기 때문에 많이 부족합니다.