wargame 🏴‍☠️ write-up / Lord of SQLInjection

gremlin

Kortsec1 2022. 4. 2. 15:43

 

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); // do not try to attack another table, database!
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  $query = "select id from prob_gremlin where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) solve("gremlin");
  highlight_file(__FILE__);
?>

 

Looking at the preg_match calls, some strings are filtered from both parameters: prob, _, . and ().

If we close the single quote in the id part of the query and comment out the and pw part that follows,

[Figure 1: Solved]

the challenge is solved.

SQL comments can be written in several ways:

# ;%00 -- - /* */

Choose whichever fits the situation.
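
As an added example (not part of the original write-up or the challenge's own code), the sketch below rebuilds the challenge's query construction in Python and contrasts it with a bound-parameter query, showing that the blacklist does not stop the quote-and-comment input while parameter binding does. Assumptions: an in-memory SQLite table stands in for MySQL (SQLite only understands the `--` and `/* */` comment forms), and the `admin` row, its password and the function names are constructed for illustration.

```python
import re
import sqlite3

# Same blacklist as the challenge source: rejects "prob", "_", "." and "()",
# but lets the single quote and comment markers through.
BLACKLIST = re.compile(r"prob|_|\.|\(\)", re.IGNORECASE)


def make_db():
    """Constructed in-memory table standing in for prob_gremlin (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table prob_gremlin (id text, pw text)")
    db.execute("insert into prob_gremlin values ('admin', 'constructed-secret')")
    return db


def passes_filter(value):
    return BLACKLIST.search(value) is None


def login_concat(db, user_id, pw):
    """Builds the query like the challenge: input is spliced into the SQL text."""
    if not (passes_filter(user_id) and passes_filter(pw)):
        return "blocked"
    query = f"select id from prob_gremlin where id='{user_id}' and pw='{pw}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_bound(db, user_id, pw):
    """Same lookup with bound parameters: input stays data, never SQL syntax."""
    query = "select id from prob_gremlin where id=? and pw=?"
    row = db.execute(query, (user_id, pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    crafted = "admin'-- "  # constructed input: closes the id quote, comments out pw
    print("filter passes crafted id:", passes_filter(crafted))
    print("concatenated, wrong pw  :", login_concat(db, "admin", "wrong"))
    print("concatenated, crafted id:", login_concat(db, crafted, "wrong"))
    print("bound params, crafted id:", login_bound(db, crafted, "wrong"))
    print("bound params, correct pw:", login_bound(db, "admin", "constructed-secret"))
```

In PHP the equivalent fix is a mysqli or PDO prepared statement with bound parameters in place of the interpolated `$_GET` values.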
