Skip to content

Latest commit

 

History

History
53 lines (45 loc) · 2.18 KB

los.rubiya.kr.md

File metadata and controls

53 lines (45 loc) · 2.18 KB

los.rubiya.kr

1.gremlin


  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); // do not try to attack another table, database!
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  $query = "select id from prob_gremlin where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
  echo "query :{$query}";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) solve("gremlin");
  highlight_file(__FILE__);
 
解:查看代碼並沒有特殊過濾or和and所以用普通的'or 1=1 #或者admin ' #都可以或者'or ture -- 或 admin ' -- 輸入後會跳出GREMLIN Clear!就代表可以到下一關。

2.cobolt


include "./config.php"; login_chk(); $db = dbconnect(); if(preg_match('/prob|_|.|()/i', $GET[id])) exit("No Hack _"); if(preg_match('/prob||.|()/i', $_GET[pw])) exit("No Hack _"); $query = "select id from prob_cobolt where id='{$_GET[id]}' and pw=md5('{$_GET[pw]}')"; echo "query:{$query}"; $result = @mysqli_fetch_array(mysqli_query($db,$query)); if($result['id'] == 'admin') solve("cobolt"); elseif($result['id']) echo "Hello {$result['id']}You are not admin :("; highlight_file(FILE);

解:因為pw有md5過濾所以注入在id後'or 1=1 %23他會說you are not admin,那我們嘗試後面再加一個limit 1,1 %23,admin' # cobolt Clear!。

3.goblin


include "./config.php"; login_chk(); $db = dbconnect(); if(preg_match('/prob|_|.|()/i', $_GET[no])) exit("No Hack _"); if(preg_match('/'|"|`/i', $_GET[no])) exit("No Quotes _"); $query = "select id from prob_goblin where id='guest' and no={$_GET[no]}"; echo "query : {$query}"; $result = @mysqli_fetch_array(mysqli_query($db,$query)); if($result['id']) echo "Hello {$result[id]}"; if($result['id'] == 'admin') solve("goblin"); highlight_file(FILE);

解:看到注入點no那先測試看看no=1,顯示Hello guest並且過濾了'和"那就先讓no=0,再加上or no=1看看是不是Hello guest,確定是那試試看把no=2,goblin Clear!。