Skip to main content

vampire

1

We are provided with the SQL query:

SELECT id FROM prob_vampire WHERE id='{$_GET[pw]}'

This level uses the str_replace() function to replace admin with .

However this function is not recursive which means when we provide the following URI parameter:

?id=adadminmin

The application replaces admin, and our URI parameter becomes:

?id=admin

The resultant query then becomes:

SELECT id FROM prob_vampire WHERE id='admin'

2