Order By Query (Exploit, MySQL, PHP)
Description
Your mission is to find out the Admins password. Please submit the uppercase md5 hash as solution.
You are given the source of the view scripts, also as highlighted version
Click here to see the script in action.
Good Luck.
You are given the source of the view scripts, also as highlighted version
Click here to see the script in action.
Good Luck.
GeSHi`ed php code for orderbyquery.include
1 2 3 4 56 7 8 9 1011 12 13 14 1516 17 18 19 2021 22 23 24 2526 27 28 29 3031 32 33 34 3536 37 38 39 4041 42 43 44 4546 47 48 49 5051 52 53 54 5556 57 58 59 6061 62 63 64 6566 67 68 69 7071 72 73 74 7576 77 78 79 8081 82 83 84 8586 87 88 | <?php /** Create user table query, use that in mysql -------------------------------------------------------------------------- CREATE TABLE IF NOT EXISTS users(username VARCHAR(32) CHARACTER SET ascii COLLATE ascii_general_ci, password CHAR(32) CHARACTER SET ascii COLLATE ascii_bin, apples INT(10) UNSIGNED DEFAULT 0, bananas INT(10) UNSIGNED DEFAULT 0, cherries INT(10) UNSIGNED DEFAULT 0,PRIMARY KEY(username) ); -------------------------------------------------------------------------- */ ?> <?php /** * @return Database */function addslash2_get_db() { static $as2db = true; if ($as2db === true) { if (false === ($as2db = gdo_db_instance('localhost', ADDSLASH2_USERNAME, ADDSLASH2_PASSWORD, ADDSLASH2_DATABASE, GWF_DB_TYPE))) { echo htmlDisplayError('Can`t connect to database.'); } else { $as2db->setLogging(false); $as2db->setEMailOnError(false); } } return $as2db; }?> <?php /** * Output the nice score table*/ function addslash2_sort($orderby, $dir) { if (false === ($db = addslash2_get_db())) { return false; } static $whitelist = array(1, 3, 4, 5); static $names = array(1 => 'Username', 3 => 'Apples', 4 => 'Bananas', 5 => 'Cherries'); $dir = GDO::getWhitelistedDirS($dir, 'DESC'); if (!in_array($orderby, $whitelist)) { return htmlDisplayError('Error 1010101: Not in whitelist.'); } $orderby = $db->escape($orderby); $query = "SELECT * FROM users ORDER BY $orderby $dir LIMIT 10"; if (false === ($rows = $db->queryAll($query))) { return false; } $headers = array( array('#'), array('Username', '1', 'ASC'), array('Apples', '3', 'DESC'), array('Bananas', '4', 'DESC'), array('Cherries', '5', 'DESC'), ); echo '<div class="box box_c">'.PHP_EOL; echo '<table>'.PHP_EOL; echo GWF_Table::displayHeaders1($headers, GWF_WEB_ROOT.'challenge/order_by_query/index.php?by=%BY%&dir=%DIR%'); $i = 1; foreach ($rows as $row) { echo GWF_Table::rowStart(); echo sprintf('<td align="right">%d</td>', $i++); echo sprintf('<td>%s</td>', $row['username']); echo sprintf('<td align="right">%s</td>', $row['apples']); echo sprintf('<td align="right">%s</td>', $row['bananas']); echo sprintf('<td align="right">%s</td>', $row['cherries']); echo GWF_Table::rowEnd(); } echo '</table>'.PHP_EOL; echo '</div>'.PHP_EOL;} ?> |
© 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by Gizmore