[Level 11]Lord of SQL injection – golem

Source Code

<?php 
  include "../config.php"; 
  login_chk(); 
  dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysql_fetch_array(mysql_query($query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysql_fetch_array(mysql_query($query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem"); 
  highlight_file(__FILE__); 
?>

Analysis

If you request http://los.sandbox.cash/golem-~~.php?pw=123,
the MySQL query becomes: select id from prob_golem where id='guest' and pw='123' and 1=0.
On line 5, 'or', 'and', 'substr(' and '=' are filtered.
Looking at line 15, the golem problem is solved only when $result['pw'] holds admin's pw.
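The two lookups above rely on string interpolation guarded only by a blacklist. As an added example (not part of the challenge source), here is the same logic with PDO prepared statements, so pw is bound as data and the query structure cannot change; the DSN and credentials are assumptions standing in for ../config.php, and solve() is the challenge's own function.

```php
<?php
// Added hardened rewrite of the golem check, not the original LOS code.
// With parameter binding the prob|_|.|() and or|and|substr(|= filters are no
// longer needed: whatever pw contains, it is compared as a value, never parsed as SQL.
declare(strict_types=1);

function golem_hardened(PDO $db, string $pw): ?string
{
    // First lookup: same guest query, pw bound through a placeholder.
    $stmt = $db->prepare("SELECT id FROM prob_golem WHERE id = 'guest' AND pw = ?");
    $stmt->execute([$pw]);
    $guest = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($guest !== false) {
        // Output encoding for the echoed id (the original echoes it raw).
        echo '<h2>Hello ', htmlspecialchars($guest['id'], ENT_QUOTES, 'UTF-8'), '</h2>';
    }

    // Second lookup: admin row, again bound; no addslashes() needed because the
    // driver owns escaping. The PHP-side compare is kept because MySQL's default
    // collation matches case-insensitively, and hash_equals avoids a timing leak.
    $stmt = $db->prepare("SELECT pw FROM prob_golem WHERE id = 'admin' AND pw = ?");
    $stmt->execute([$pw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && is_string($row['pw']) && hash_equals($row['pw'], $pw)) {
        return 'golem';
    }
    return null;
}

// Connection details are assumptions; the real values live in ../config.php.
$db = new PDO('mysql:host=127.0.0.1;dbname=los;charset=utf8mb4', 'los_user', 'los_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: data never re-enters SQL text
]);

$pw = (isset($_GET['pw']) && is_string($_GET['pw'])) ? $_GET['pw'] : '';
if (golem_hardened($db, $pw) === 'golem') {
    solve('golem');
}
```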

The first hint is on the next page.

Category: LOS

If there is a problem with this post, please leave a comment.