BUU Ezsql
First connect over SSH and enter the account password.
Go to the /var/www/html directory; the source code is there.
The file to look at is mainly index.php.
<?php
error_reporting(0);
include 'dbConnect.php';
$username = $_GET['username'];
$password = $_GET['password'];
if (isset($_GET['username']) && isset($_GET['password'])) {
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = $mysqli->query($sql);
if (!$result)
die(mysqli_error($mysqli));
$data = $result->fetch_all(); // fetch all rows from the result set
if (!empty($data)) {
echo '登录成功!';
} else {
echo "用户名或密码错误";
}
}
?>
"SELECT * FROM users WHERE username = '$username' AND password = '$password'"
This is obviously SQL injection: the two GET parameters are concatenated straight into the query. There are several ways to repair it.
Method 1: Use the addslashes() function to filter
The addslashes() function returns a string with backslashes added before predefined characters.
The predefined characters are:
- single quote (')
- double quote (")
- backslash (\)
- NUL (the null byte)
This function can be used to prepare strings that are stored in a database or used in database query statements.
Modified part of the code:
$username = $_GET['username'];
$password = $_GET['password'];
$username = addslashes($username); // escape ' " \ and NUL before the values reach the query string
$password = addslashes($password);
if (isset($_GET['username']) && isset($_GET['password'])) {
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
// ... the rest of index.php is unchanged
Method 2: Add a WAF (blacklist filter)
WAF source code:
$blacklist = ['-', '+', '#', '"', '\'', 'select', 'sleep', ' ']; // note: inside a single-quoted PHP string '\"' is the two characters \ and ", so the double quote is written as '"'
Modified part of the code:
$username = $_GET['username'];
$password = $_GET['password'];
$blacklist = ['-', '+', '#', '"', '\'', 'select', 'sleep', ' ']; // see the note on '"' above
$username = str_replace($blacklist, '', $username); // single-pass removal of every blacklisted token
$password = str_replace($blacklist, '', $password);
if (isset($_GET['username']) && isset($_GET['password'])) {
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
// ... the rest of index.php is unchanged
There also seems to be function detection here: a preg_match against a regular expression cannot be used directly without running it inside an if, so blacklist plus character replacement is used instead.
Method 3: Prepared statements
Prepared statements are regarded as the common defense against SQL injection.
mysqli prepared statements (from master amiaaaz's blog)
PDO prepared statements (from master amiaaaz's blog)
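As an added example (not the page's own code and not taken from amiaaaz's blog), here is index.php rewritten with a mysqli prepared statement; it assumes dbConnect.php provides the $mysqli connection exactly as the original does and keeps the original response strings.

```php
<?php
// Added example: index.php repaired with a mysqli prepared statement.
// Assumption: dbConnect.php defines $mysqli (a mysqli connection), as in the original.
error_reporting(0);
include 'dbConnect.php';

if (isset($_GET['username']) && isset($_GET['password'])) {
    $username = $_GET['username'];
    $password = $_GET['password'];

    // The SQL text contains only placeholders; user input never becomes part of it,
    // so quotes, comment markers or keywords in the input are treated as plain data.
    $sql = "SELECT * FROM users WHERE username = ? AND password = ?";
    $stmt = $mysqli->prepare($sql);
    if (!$stmt) {
        die(mysqli_error($mysqli));
    }

    // Bind both values as strings ("ss"); they are sent to the server separately from the query.
    $stmt->bind_param('ss', $username, $password);
    if (!$stmt->execute()) {
        die($stmt->error);
    }

    // Buffer the result set so num_rows is available without mysqlnd's get_result().
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();

    if ($found) {
        echo '登录成功!';
    } else {
        echo "用户名或密码错误";
    }
}
?>
```

Unlike Methods 1 and 2, this fix does not depend on which characters or keywords are escaped or stripped, which is why it is the standard repair.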
After the repair is complete, visit the check route /check.
Wait a while, then visit the /flag route. If the flag is returned, the repair was successful.