low
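<?php
// Level "low": no input handling at all. This is the intentionally weak
// baseline of the exercise; the comments below mark what is exploitable and
// what the later levels change.
if (isset($_GET['login'])) {
    // Credentials travel in the query string (GET), so they land in browser
    // history, proxy logs and the web server's access log. Kept as GET only
    // because the accompanying form submits that way.
    $user = isset($_GET['username']) ? $_GET['username'] : '';
    $pass = isset($_GET['password']) ? $_GET['password'] : '';
    // Unsalted MD5 is not a password hash; it is used here only because the
    // seed row was inserted as md5('123'). Real code: password_hash()/verify.
    $pass = md5($pass);
    // Debug echo. $user is attacker-controlled, so it is escaped for the HTML
    // context to avoid a reflected XSS on top of the lab's intended weakness.
    echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "<br>", $pass . "<br>";

    // Connect to the database (root/root: lab setup only).
    $con = mysqli_connect("localhost", "root", "root", "code");
    if ($con) {
        // INTENTIONALLY VULNERABLE (lab level "low"): $user is interpolated
        // into the SQL string without escaping, so the query is SQL-injectable
        // through the username parameter. $pass is a 32-char hex MD5 and can
        // never contain a quote, so the username is the only injection point.
        // The "medium" level adds mysqli_real_escape_string(); a prepared
        // statement would be the proper fix.
        $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
        // mysqli_error($con), not mysql_error(): the legacy mysql_* extension
        // was removed in PHP 7, so the original die(mysql_error()) would itself
        // fatal with "undefined function" on the error path.
        $result = mysqli_query($con, $query);
        if ($result === false) {
            die(mysqli_error($con));
        }
        if (mysqli_num_rows($result) >= 1) {
            echo "success";
        } else {
            echo "false";
        }
        mysqli_free_result($result);
        // DVWA's original wrapped this in is_object($GLOBALS["___mysqli_ston"]):
        // mysqli_error() needs a live connection object, and when the connect
        // failed that variable holds false, so connect_error is reported
        // instead. Here $con is already known to be valid.
        //
        // A failed close is reported via the connection's error, not
        // mysqli_connect_error(), which only describes the connect attempt.
        // Closing is done inside the if: mysqli_close(false) is a TypeError.
        if (!mysqli_close($con)) {
            echo mysqli_error($con);
        }
    } else {
        echo "数据库链接失败";
    }
}
?>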
medium
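<?php
// Level "medium": same flow as "low", but the username (and the MD5 of the
// password) pass through mysqli_real_escape_string() before being placed in
// the SQL string, which closes the quote-based injection of the "low" level.
// Nothing here limits the number of attempts, so a password-guessing loop
// still works -- that is the weakness this level leaves open.
if (isset($_GET['login'])) {
    $con = mysqli_connect("localhost", "root", "root", "code");
    // Check the connection BEFORE escaping: mysqli_real_escape_string() needs
    // a live connection (it honours the connection's character set). The
    // original escaped first and only then tested $con, so a failed connect
    // produced a warning/TypeError instead of the "数据库链接失败" message.
    if ($con) {
        $rawUser = isset($_GET['username']) ? $_GET['username'] : '';
        $rawPass = isset($_GET['password']) ? $_GET['password'] : '';
        // Escaping only protects values that sit inside single-quoted SQL
        // string literals, which is how $query uses them; it does nothing for
        // numeric or identifier positions. Prepared statements (mysqli_prepare
        // + bind_param) avoid string building altogether and are the
        // recommended approach.
        $user = mysqli_real_escape_string($con, $rawUser);
        // md5() yields 32 hex chars, so escaping it is a no-op kept for
        // symmetry. Unsalted MD5 is not a password hash; see password_hash().
        $pass = mysqli_real_escape_string($con, md5($rawPass));
        // Debug echo. SQL escaping is not HTML escaping -- each output context
        // needs its own -- so the attacker-controlled username is escaped for
        // HTML here rather than echoed in its SQL-escaped form.
        echo htmlspecialchars($rawUser, ENT_QUOTES, 'UTF-8') . "<br>", $pass . "<br>";

        $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
        // mysqli_error($con), not mysql_error(): the legacy mysql_* extension
        // was removed in PHP 7, so the original would fatal on its own error path.
        $result = mysqli_query($con, $query);
        if ($result === false) {
            die(mysqli_error($con));
        }
        if (mysqli_num_rows($result) >= 1) {
            echo "success";
        } else {
            echo "false";
        }
        mysqli_free_result($result);
        // Report a failed close via the connection's error, not
        // mysqli_connect_error(), which only describes the connect attempt.
        if (!mysqli_close($con)) {
            echo mysqli_error($con);
        }
    } else {
        echo "数据库链接失败";
    }
}
?>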
high
<?php
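// Level "high": the "medium" escaping plus a one-time form token. Every page
// render stores a fresh random token in the session and brute.php echoes it
// into a hidden field; a submission must return that exact token, and each
// token is consumed on use. A scripted guessing loop therefore has to fetch
// a new form before every attempt, and a cross-site submission cannot know
// the token. Rate limiting / account lockout is still absent.
if (session_status() !== PHP_SESSION_ACTIVE) {
    // Replaces the original `@session_start()`: the `@` hid every warning,
    // including "headers already sent"; only the already-started case is benign.
    session_start();
}
if (isset($_GET['login'])) {
    // Both sides must exist and be strings, compared in constant time.
    // The original `$_GET['token'] == $_SESSION['token']` was a loose compare
    // that also passed when neither value existed (null == null).
    $tokenOk = isset($_GET['token'], $_SESSION['token'])
        && is_string($_GET['token'])
        && hash_equals($_SESSION['token'], $_GET['token']);
    // Consume the token whether or not it matched; a new one is issued below.
    unset($_SESSION['token']);

    if (!$tokenOk) {
        // BUG FIX: the original echoed this message and then ran the login
        // query anyway, so the token check protected nothing. The lookup is
        // now only reachable with a valid token.
        echo '非法提交';
    } else {
        echo '合法提交';
        $con = mysqli_connect("localhost", "root", "root", "code");
        // Connection check before escaping -- mysqli_real_escape_string()
        // needs a live connection.
        if ($con) {
            $rawUser = isset($_GET['username']) ? $_GET['username'] : '';
            $rawPass = isset($_GET['password']) ? $_GET['password'] : '';
            $user = mysqli_real_escape_string($con, $rawUser);
            // Unsalted MD5 is not a password hash (see password_hash()); kept
            // because the seed row was inserted as md5('123'). The original's
            // leftover `echo $pass`, which printed the hash of the submitted
            // password into the response, is dropped.
            $pass = mysqli_real_escape_string($con, md5($rawPass));
            // Escaping protects the single-quoted literals in $query; a
            // prepared statement would be the more robust choice.
            $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
            // mysqli_error($con), not mysql_error(): the legacy mysql_*
            // extension was removed in PHP 7, so the original would fatal on
            // its own error path.
            $result = mysqli_query($con, $query);
            if ($result === false) {
                die(mysqli_error($con));
            }
            if (mysqli_num_rows($result) >= 1) {
                echo "success";
            } else {
                echo "false";
            }
            mysqli_free_result($result);
            // A failed close is the connection's error, not a connect error.
            if (!mysqli_close($con)) {
                echo mysqli_error($con);
            }
        } else {
            echo "数据库链接失败";
        }
    }
}
// Issue the token for the next render of the form (brute.php prints $token
// into the hidden "token" field). Done after the handler so that a rejected
// or failed attempt also receives a fresh token. getrandcode() supplies the
// randomness; md5() only normalises the length/format.
$token = md5(getrandcode());
$_SESSION['token'] = $token;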
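/**
 * Return 32 hex characters of unpredictable randomness for the form token.
 *
 * The original derived the value from time() and rand(100000, 999999):
 * time() is known to the attacker (to the second) and rand() offers only
 * 900,000 candidates, so a token could be reproduced offline and the
 * anti-automation check defeated. random_bytes() is PHP's CSPRNG
 * (PHP >= 7.0) and throws if no secure source is available rather than
 * degrading silently.
 *
 * @return string 32 lowercase hex characters (128 bits of entropy).
 */
function getrandcode()
{
    return bin2hex(random_bytes(16));
}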
?>
brute
<?php
// Pull in the level under test (low / medium / high) -- edit the file name to
// pick one. The form below targets brute-high.php, so $token is only defined
// when the high-level script is the one included here.
include 'xxx.php';
?>
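<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>form</title>
</head>
<body>
<!-- Credentials are sent with GET because the low/medium/high scripts read
     $_GET; this puts the password in the URL, browser history and access
     logs. A real login form must use POST (and the handler $_POST). -->
<form action='brute-high.php' method='GET'>
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="login" value="login">
<!-- One-time token issued by the high-level script. Guarded so that
     including low/medium (which define no $token) does not print a PHP
     notice into the attribute, and escaped for the HTML attribute context. -->
<input type="hidden" name="token" value="<?php echo isset($token) ? htmlspecialchars($token, ENT_QUOTES, 'UTF-8') : ''; ?>"/>
</form>
</body>
</html>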
PHP知识点
mysqli_connect()
mysql_error()：属于 PHP 7 已移除的旧 mysql 扩展。上面代码里的 `or die(mysql_error())` 在 PHP 7+ 上一旦走到出错分支就会报“未定义函数”，应改用 mysqli_error($con)
mysqli_num_rows()
mysqli_fetch_assoc()
mysqli_real_escape_string() 转义字符串中的特殊字符；只对放在 SQL 单引号字符串字面量中的值有效，且需要一个已建立的 mysqli 连接（依赖连接字符集），所以必须先判断连接成功再调用。更稳妥的做法是预处理语句（mysqli_prepare + bind_param）
mysqli_query()执行SQL语句
stripslashes() 函数删除反斜杠
数据库字段插入数据
insert into users values(2,'123','202cb962ac59075b964b07152d234b70'); -- 第三列即 md5('123')；无盐 MD5 只适合演示，真实系统应使用 password_hash()/password_verify()
参考链接
PHP基于Token的身份验证的方法