old-07 (300)

첫 화면이다.

view-source를 클릭해 본 코드는 아래와 같다.

<?php
  include "../../config.php";
  if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 7</title>
</head>
<body>
<?php
$go=$_GET['val'];
if(!$go) { echo("<meta http-equiv=refresh content=0;url=index.php?val=1>"); }
echo("<html><head><title>admin page</title></head><body bgcolor='black'><font size=2 color=gray><b><h3>Admin page</h3></b><p>");
if(preg_match("/2|-|\+|from|_|=|\\s|\*|\//i",$go)) exit("Access Denied!");
$db = dbconnect();
$rand=rand(1,5);
if($rand==1){
  $result=mysqli_query($db,"select lv from chall7 where lv=($go)") or die("nice try!");
}
if($rand==2){
  $result=mysqli_query($db,"select lv from chall7 where lv=(($go))") or die("nice try!");
}
if($rand==3){
  $result=mysqli_query($db,"select lv from chall7 where lv=((($go)))") or die("nice try!");
}
if($rand==4){
  $result=mysqli_query($db,"select lv from chall7 where lv=(((($go))))") or die("nice try!");
}
if($rand==5){
  $result=mysqli_query($db,"select lv from chall7 where lv=((((($go)))))") or die("nice try!");
}
$data=mysqli_fetch_array($result);
if(!$data[0]) { echo("query error"); exit(); }
if($data[0]==1){
  echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=\"alert('Access_Denied!')\"><p>");
}
elseif($data[0]==2){
  echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=\"alert('Hello admin')\"><p>");
  solve(7);
}
?>
<a href=./?view_source=1>view-source</a>
</body>
</html>

$data[0] 의 값이 2가 되면 문제는 풀린다.

그러기 위해선 $result 에 저장되는 값이 2가 되어야 하고, $go 와 대응되는 $_GET['val'] 을 조작해야 한다.

preg_match() 에 의해 필터링 되는 것을 피해 $_GET['val'] 을 0)union(select(ceil(1.5)))%23 으로 설정한다. (여기서 %23은 #과 대응되며, 주석이다.)

위의 방식대로 푼다면 rand(1,5) 의 값이 1이 될 때만 답이 되기 때문이다.

Previousold-06 (100)Nextold-08 (350)

Last updated 5 years ago

Was this helpful?

<?php include "../../config.php"; if($_GET['view_source']) view_source(); ?><html> <head> <title>Challenge 7</title> </head> <body> <?php $go=$_GET['val']; if(!$go) { echo("<meta http-equiv=refresh content=0;url=index.php?val=1>"); } echo("<html><head><title>admin page</title></head><body bgcolor='black'><font size=2 color=gray><b><h3>Admin page</h3></b><p>"); if(preg_match("/2|-|\+|from|_|=|\\s|\*|\//i",$go)) exit("Access Denied!"); $db = dbconnect(); $rand=rand(1,5); if($rand==1){ $result=mysqli_query($db,"select lv from chall7 where lv=($go)") or die("nice try!"); } if($rand==2){ $result=mysqli_query($db,"select lv from chall7 where lv=(($go))") or die("nice try!"); } if($rand==3){ $result=mysqli_query($db,"select lv from chall7 where lv=((($go)))") or die("nice try!"); } if($rand==4){ $result=mysqli_query($db,"select lv from chall7 where lv=(((($go))))") or die("nice try!"); } if($rand==5){ $result=mysqli_query($db,"select lv from chall7 where lv=((((($go)))))") or die("nice try!"); } $data=mysqli_fetch_array($result); if(!$data[0]) { echo("query error"); exit(); } if($data[0]==1){ echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=\"alert('Access_Denied!')\"><p>"); } elseif($data[0]==2){ echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=\"alert('Hello admin')\"><p>"); solve(7); } ?> <a href=./?view_source=1>view-source</a> </body> </html>