[Level 25]Lord of SQL injection – umaru

Lord of SQL injection – umaru
Level 25
Source Code

<?php
include "../config.php";
login_chk();
dbconnect();

function reset_flag(){
  $new_flag = substr(md5(rand(10000000,99999999)."qwer".rand(10000000,99999999)."asdf".rand(10000000,99999999)),8,16);
  $chk = @mysql_fetch_array(mysql_query("select id from prob_umaru where id='{$_SESSION[los_id]}'"));
  if(!$chk[id]) mysql_query("insert into prob_umaru values('{$_SESSION[los_id]}','{$new_flag}')");
  else mysql_query("update prob_umaru set flag='{$new_flag}' where id='{$_SESSION[los_id]}'");
  echo "reset ok";
  highlight_file(__FILE__);
  exit();
}

if(!$_GET[flag]){ highlight_file(__FILE__); exit; }
if(preg_match('/prob|_|\./i', $_GET[flag])) exit("No Hack ~_~");
…

[Level 22]Lord of SQL injection – dark_eyes

Lord of SQL injection – dark_eyes
Level 22
Source Code

<?php
include "../config.php";
login_chk();
dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
$result = @mysql_fetch_array(mysql_query($query));
if(mysql_error()) exit();
echo "<hr>query : <strong>{$query}</strong><hr><br>";

$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
…

[Level 21]Lord of SQL injection – iron_golem

Lord of SQL injection – iron_golem
Level 21
Source Code

<?php
include "../config.php";
login_chk();
dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/sleep|benchmark/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
$result = @mysql_fetch_array(mysql_query($query));
if(mysql_error()) exit(mysql_error());
echo "<hr>query : <strong>{$query}</strong><hr><br>";

$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
…

[Level 20]Lord of SQL injection – dragon

Lord of SQL injection – dragon
Level 20
Source Code

<?php
include "../config.php";
login_chk();
dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id from prob_dragon where id='guest'# and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysql_fetch_array(mysql_query($query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
if($result['id'] == 'admin') solve("dragon");
highlight_file(__FILE__);
?>

Analyse

When you enter http://los.sandbox.cash/dragon-~~.php?pw=123, select id from prob_dragon where …

[Level 19]Lord of SQL injection – xavis

Lord of SQL injection – xavis
Level 19
Source Code

<?php
include "../config.php";
login_chk();
dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/regex|like/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_xavis where id='admin' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysql_fetch_array(mysql_query($query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";

$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_xavis where id='admin' …