[los]vampire

query : select id from prob_vampire where id=''

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/\'/i', $_GET[id])) exit("No Hack ~_~");
  $_GET[id] = strtolower($_GET[id]);
  $_GET[id] = str_replace("admin","",$_GET[id]); 
  $query = "select id from prob_vampire where id='{$_GET[id]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id'] == 'admin') solve("vampire"); 
  highlight_file(__FILE__); 
?>

PHP

1.preg_match : '
2.strtolower
3.str_replace $_GET[id]값이 admin이면 빈값으로 변경

' 이것만 차단됨. admin은 preg_match로 차단되어 있지 않음.
admin으로 연결되어 있는 문자열을 1회 치환함. -> ADadminMIN 이런식으로 우회가 가능함.