Tags: sqli
Rating: 1.7
First Step
Use bruter.py to get the "Lord Commander" password, because he is the only user that has role = 'admin'.
Second Step
Bypass the vulnerable check "if($password == $users['password']){", which uses loose (==) rather than strict equality.
After some research we found that:
md5('240610708') == '0e462097431906509019562988736854'
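A string of the form 0e followed only by digits looks like a number in scientific notation, so PHP compares the two hashes as numbers instead of as strings, and our input bypasses the verification.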
Third Step
Log in and get the flag \o/
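The loose comparison from the second step next to two stricter checks, as an added example that is not the challenge's code or the author's script. It assumes the application hashes the submitted password with md5() before comparing; the stored digest and the sample password are constructed, and check_loose, check_strict and will_compare_numerically are hypothetical names.

```php
<?php
// Added example, not the challenge's source.
// Assumption: the application runs md5() on the submitted password and
// compares the result with the stored digest.

// Constructed placeholder shaped like an MD5 hex digest that starts with
// "0e" and contains only digits afterwards (not the hash of any real password).
$stored = '0e123456789012345678901234567890';

// The input quoted in the write-up; its MD5 digest has the same shape.
$submitted = md5('240610708');

// Pattern from the write-up: loose equality between two strings.
function check_loose(string $candidate, string $stored): bool
{
    // When both operands are numeric strings, PHP converts them to numbers
    // first. "0e<digits>" is 0 * 10^n, so both sides become 0.
    return $candidate == $stored;
}

// Minimal fix: compare the digests as strings, in constant time.
function check_strict(string $candidate, string $stored): bool
{
    return hash_equals($stored, $candidate);
}

// Audit helper: a stored digest that is_numeric() accepts will be compared
// as a number by any remaining == check in the code base.
function will_compare_numerically(string $digest): bool
{
    return is_numeric($digest);
}

var_dump($submitted);
var_dump(check_loose($submitted, $stored));   // loose check on two different digests
var_dump(check_strict($submitted, $stored));  // string comparison of the same pair
var_dump(will_compare_numerically($stored));

// Preferred design: no bare MD5. password_hash() output is never a numeric
// string, and password_verify() compares it without type juggling.
$record = password_hash('correct horse', PASSWORD_DEFAULT); // constructed password
var_dump(password_verify('240610708', $record));
var_dump(password_verify('correct horse', $record));
```

Running the same audit helper over every stored digest in a user table shows which accounts a leftover == comparison would expose.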
The script is a gem, but your write-up doesn't explain a lot. Thanks for sharing