IT Security Officer's Study Cloud


[los]vampire

ㅡㅡㅡㅡㄷ 2021. 6. 1. 21:22

query : select id from prob_vampire where id=''

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/\'/i', $_GET[id])) exit("No Hack ~_~");
  $_GET[id] = strtolower($_GET[id]);
  $_GET[id] = str_replace("admin","",$_GET[id]); 
  $query = "select id from prob_vampire where id='{$_GET[id]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id'] == 'admin') solve("vampire"); 
  highlight_file(__FILE__); 
?>



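1. preg_match: '
2. strtolower
3. str_replace: the string admin in the $_GET[id] value is replaced with an empty string

Only ' is blocked. admin is not blocked by preg_match.
str_replace removes the contiguous string admin in a single pass only. -> It can be bypassed with an input like ADadminMIN.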
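
The filter chain described above, reproduced as an added example (not part of the original post or the challenge's code; the function names are hypothetical), next to a variant that rejects the forbidden value instead of deleting it:

```php
<?php
// Added example, not the challenge's source. Function names are hypothetical.

// The page's three filter steps as a pure function (null = request rejected).
function strip_filter(string $id): ?string {
    if (preg_match('/\'/', $id)) return null;   // 1. a single quote is rejected
    $id = strtolower($id);                       // 2. case is normalised
    return str_replace('admin', '', $id);        // 3. "admin" is deleted; the result is not re-scanned
}

// A stripping sanitizer is only sound if running it again changes nothing.
function is_stable(string $id): bool {
    $once = strip_filter($id);
    return $once === null || strip_filter($once) === $once;
}

// Hardened variant: same normalisation, but the forbidden value causes a
// rejection instead of a deletion, so it cannot re-form from the remainder.
function reject_filter(string $id): ?string {
    if (preg_match('/\'/', $id)) return null;
    $id = strtolower($id);
    return strpos($id, 'admin') !== false ? null : $id;
}

// Constructed sample inputs; ADadminMIN is the value given in the post.
foreach (['guest', 'admin', 'ADadminMIN'] as $in) {
    printf("%-12s strip=%-8s stable=%-6s reject=%s\n",
        $in,
        var_export(strip_filter($in), true),
        var_export(is_stable($in), true),
        var_export(reject_filter($in), true));
}
```

An input for which is_stable returns false is one where the deletion step produced new text that the filter itself would have altered, which is the condition the post relies on.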
