Webhacking.kr old-35 풀이

<?php
  include "../../config.php";
  if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 35</title>
<head>
<body>
<form method=get action=index.php>
phone : <input name=phone size=11 style=width:200px>
<input name=id type=hidden value=guest>
<input type=submit value='add'>
</form>
<?php
$db = dbconnect();
if($_GET['phone'] && $_GET['id']){
  if(preg_match("/\*|\/|=|select|-|#|;/i",$_GET['phone'])) exit("no hack");
  if(strlen($_GET['id']) > 5) exit("no hack");
  if(preg_match("/admin/i",$_GET['id'])) exit("you are not admin");
  mysqli_query($db,"insert into chall35(id,ip,phone) values('{$_GET['id']}','{$_SERVER['REMOTE_ADDR']}',{$_GET['phone']})") or die("query error");
  echo "Done<br>";
}

$isAdmin = mysqli_fetch_array(mysqli_query($db,"select ip from chall35 where id='admin' and ip='{$_SERVER['REMOTE_ADDR']}'"));
if($isAdmin['ip'] == $_SERVER['REMOTE_ADDR']){
  solve(35);
  mysqli_query($db,"delete from chall35");
}

$phone_list = mysqli_query($db,"select * from chall35 where ip='{$_SERVER['REMOTE_ADDR']}'");
echo "<!--\n";
while($r = mysqli_fetch_array($phone_list)){
  echo htmlentities($r['id'])." - ".$r['phone']."\n"; // html entiti 로 바꿈 guest-010
}
echo "-->\n";
?>
<br><a href=?view_source=1>view-source</a>
</body>
</html>

sql injection 문제이다. 

id에 admin만 들어오면 되는데 admin을 preg_match 하고있고 심지어 strlen(id)>5이면 exit한다.

id에서 뭘 하긴 어려울 것 같고 phone에서 무언갈 해야 할 것 같다.

insert문은 여러 정보를 동시에 삽입 가능하다. insert into ((val1),(val2)), ((val3),(val4)).....

그래서 phone에다가 0),('admin','내ip주소',010 

이렇게 입력해주면 solved 된다.