Troll

Simple bypass with string filter

Code

<?php  
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/\'/i', $_GET[id])) exit("No Hack ~_~");
  if(preg_match("/admin/", $_GET[id])) exit("HeHe");
  $query = "select id from prob_troll where id='{$_GET[id]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id'] == 'admin') solve("troll");
  highlight_file(__FILE__);
?>

Line 5: preg_match filters out single quotes.

Line 6: preg_match filters out the string 'admin'.

Line 7: The query string is built by interpolating the user-supplied "id" parameter directly into the SQL, with no escaping beyond the two filters above.

Line 10: If the id returned by the query is equal to "admin", the challenge is solved.

Query

SELECT id FROM prob_troll WHERE id=''

Testing

Vulnerable parameter is "id".

Looking at line 5 in the code shows the pattern /\'/i, where the "i" means "case insensitive". The pattern /admin/ in line 6 does not include "i" and is "case sensitive", meaning it only matches the exact lowercase string "admin".

The database does not share that strictness: under MySQL's default collation, string comparison is case-insensitive, so an id that differs from admin only in letter case passes the filter yet still matches the admin row. The query then returns id='admin' and the check on line 10 passes. By changing any of the letters in the string to its capital equivalent, the challenge can be solved, e.g. Admin, ADMIN, aDmIn.

id=ADMIN

Effective Query

SELECT id FROM prob_troll WHERE id='ADMIN'
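The mismatch between the filter's case-sensitive match and the database's case-insensitive comparison, reproduced as an added example (not part of the original writeup). It uses an in-memory SQLite table with COLLATE NOCASE to stand in for MySQL's default collation, a parameterized query in place of the challenge's string interpolation, and a hardened filter whose case handling matches the database's.

```python
import re
import sqlite3

# Constructed stand-in for prob_troll. COLLATE NOCASE emulates the
# case-insensitive comparison MySQL performs under its default collation
# (assumption: the challenge database uses such a collation).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE prob_troll (id TEXT COLLATE NOCASE)")
_conn.executemany("INSERT INTO prob_troll VALUES (?)", [("guest",), ("admin",)])


def blocklist_passes(user_id: str) -> bool:
    """Mirror of the challenge's two preg_match checks (lines 5 and 6)."""
    if re.search(r"'", user_id, re.IGNORECASE):  # /\'/i
        return False
    if re.search(r"admin", user_id):              # /admin/ (case-sensitive)
        return False
    return True


def lookup(user_id: str):
    """Run the challenge's SELECT with a bound parameter; return the stored id or None."""
    row = _conn.execute("SELECT id FROM prob_troll WHERE id=?", (user_id,)).fetchone()
    return row[0] if row else None


def challenge_solved(user_id: str) -> bool:
    """Filter, then query, then the line-10 comparison, as the challenge does.
    The filter and the database disagree on case, so ADMIN is accepted."""
    return blocklist_passes(user_id) and lookup(user_id) == "admin"


def hardened_solved(user_id: str) -> bool:
    """Defender's fix for this specific gap: give the admin filter the same
    case-insensitivity the database applies (/admin/i), so the two checks
    can no longer be made to disagree by changing letter case."""
    if re.search(r"'", user_id) or re.search(r"admin", user_id, re.IGNORECASE):
        return False
    return lookup(user_id) == "admin"
```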
