$flag = "/flag.txt"; $id = $_POST['user_id']; $ps = $_POST['password']; mysql_connect("localhost","codegate","codegate"); mysql_select_db("codegate"); $id = mysql_real_escape_string($id); $ps = mysql_real_escape_string($ps); $ps = hash("whirlpool",$ps, true); $result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'"); $row = mysql_fetch_assoc($result); if (isset($row['user_id'])) { if ($row['user_id'] == "admin") { echo "hello, admin "; die(file_get_contents($flag)); } else { die("hello, ".$row['user_id']); } } else { msg("login failed.."); }The issue with code is that hash() function which outputs raw binary data leading to SQL injection.
string hash ( string $algo , string $data [, bool $raw_output = false ] ) raw_input: When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits.To bypass the login, we need to find a value that when hashed with whirlpool results in string containing '='
Brute Force