IT Security Officer's Study Cloud

[los]giant

ㅡㅡㅡㅡㄷ 2021. 6. 30. 19:51

query : select 1234 fromprob_giant where 1

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(strlen($_GET[shit])>1) exit("No Hack ~_~"); 
  if(preg_match('/ |\n|\r|\t/i', $_GET[shit])) exit("HeHe"); 
  $query = "select 1234 from{$_GET[shit]}prob_giant where 1"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result[1234]) solve("giant"); 
  highlight_file(__FILE__); 
?>


1. strlen: shit longer than 1 character is rejected
2. preg_match: space, \n, \r and \t are rejected

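Looking at the code, shit is inserted into the FROM clause.
Entering 2 or more characters in shit triggers "No Hack".

Because from is stuck directly to the table name, the SQL statement fails. A whitespace character has to be supplied.
Of %0a %0b %0c %0d %09, %0b and %0c succeed.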

 

shit=%0b
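
The gap between the filter and what MySQL accepts as whitespace, reproduced offline as an added example (not part of the original post or the challenge source). It assumes MySQL treats bytes 0x09 to 0x0d and 0x20 as whitespace, which matches the %0b/%0c result above; `filter_original`, `filter_hardened` and `whitespace_gap` are hypothetical names.

```php
<?php
// Added example, not the challenge's code. Assumption: MySQL's lexer treats
// bytes 0x09-0x0d and 0x20 as token-separating whitespace.
const MYSQL_WHITESPACE = "\x09\x0a\x0b\x0c\x0d\x20";

// The two checks from the page's source, as a predicate (true = accepted).
function filter_original(string $v): bool {
    if (strlen($v) > 1) return false;                    // "No Hack ~_~"
    if (preg_match('/ |\n|\r|\t/i', $v)) return false;   // "HeHe"
    return true;
}

// Hypothetical stricter check: reject every byte in the assumed whitespace set.
function filter_hardened(string $v): bool {
    if (strlen($v) > 1) return false;
    return strpbrk($v, MYSQL_WHITESPACE) === false;
}

// Single bytes a filter accepts even though MySQL would read them as whitespace.
function whitespace_gap(callable $filter): array {
    $gap = [];
    foreach (str_split(MYSQL_WHITESPACE) as $byte) {
        if ($filter($byte)) {
            $gap[] = sprintf('%%%02x', ord($byte));   // URL-encoded form, e.g. %0b
        }
    }
    return $gap;
}

echo "original filter lets through: ",
     implode(' ', whitespace_gap('filter_original')) ?: '(none)', "\n";
echo "hardened filter lets through: ",
     implode(' ', whitespace_gap('filter_hardened')) ?: '(none)', "\n";
```

The stricter check only closes this particular gap; in application code the request value should not be concatenated into the SQL text at all.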
