[LOS] Golem Writeup (11)

Looking at the 11th problem, "golem", you can see that it runs two validation checks. if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); Looking at the strings being filtered, the commonly used operators "or", "and" and "=" are blocked, and so is "substr", the function that extracts part of a string. In the previous level it was enough to substitute the or and and operators, but since the substr function also has to be bypassed here, this one can be considered a bit trickier. $query = "select pw from prob_golem where id..

CHALLENGE
[LOS] ORC Writeup (4)

In Lord of SQL Injection, the "orc" level has to be approached differently from the methods used in the previous stages. First, as you can see from pw='{$_GET[pw]}'"; there is only one variable into which a query can be injected, and id='admin' is already fixed in the query. if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orc"); To solve this problem, as the source shows, the pw value passed in via $_GET must match admin's actual pw value. $_GET[pw] = addslashes($_GET[pw]); Also, single quotes appear to have been dealt with by the "addslashes" function..

CHALLENGE