ichunqiu: Vld

On entering, the page asks whether we know anything about Vulcan Logic Dumper, and below that it reports false. We view the page source, which at the end hints at an index.php.txt; without further ado, we try accessing it directly.

What appears is a pile of code that we cannot read yet.

The compiled code is (for a tutorial on compiling, see my other post: https://www.cnblogs.com/wosun/p/11386434.html)

Passing values of FLAG1, 2, 3 in the URL that meet the three conditions gives us the next instruction.

Accessing 9430505317f54f8782ae992a1caa4c8ffa855302a5464c8a.changame.ichunqiu.com/1chunqiu.zip downloads the zip file.

Opened up, it is a pile of web page source files.

Opening them in turn, we find that login.php has an injection.

There, username is processed with addslashes() (single quotes and the like get a backslash put in front of them to escape them, which defends against SQL injection), but it is followed by the single line $username = trim(str_replace($number, '', $username)); so injection is possible.

Setting number to 0 and username to %00' causes an error: after addslashes(), %00' becomes \0\' (addslashes() adds a \ before NULL, and NULL is written as 0).

Removing the 0 turns this into \\', so the single quote is no longer escaped.

The statement executed on the back end becomes select * from `users` where username = '\\' ' and so it raises an error.
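The escape-then-delete order described above, reproduced as an added example (not code from login.php or from the original post). The function names and the corrected variant are hypothetical, chosen only to show why the removal has to happen before the escaping.

```php
<?php
// Added illustration; function names are hypothetical, not taken from login.php.

// Order described on the page: escape first, then delete $number from the result.
function vulnerable_username(string $username, string $number): string {
    $username = addslashes($username);                 // NUL -> \0, ' -> \'
    return trim(str_replace($number, '', $username));  // deleting "0": \0\' -> \\'
}

// Corrected order: do the removal on the raw input and escape last.
// A prepared statement is the stronger fix; this only isolates the ordering bug.
function fixed_username(string $username, string $number): string {
    return addslashes(trim(str_replace($number, '', $username)));
}

// True if every single quote in $s follows an odd number of backslashes,
// i.e. it is still escaped inside a '...' SQL string literal.
function quotes_are_escaped(string $s): bool {
    $backslashes = 0;
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '\\') {
            $backslashes++;
            continue;
        }
        if ($s[$i] === "'" && $backslashes % 2 === 0) {
            return false;
        }
        $backslashes = 0;
    }
    return true;
}

// Constructed input: what %00' decodes to (a NUL byte followed by a single quote).
$raw    = "\0'";
$number = "0";

$results = [
    'escape, then delete' => vulnerable_username($raw, $number),
    'delete, then escape' => fixed_username($raw, $number),
];

foreach ($results as $label => $value) {
    printf("%-20s value: %-4s quote escaped: %s\n",
           $label, $value, quotes_are_escaped($value) ? 'yes' : 'no');
}
```

With the page's order the value ends as \\' and the quote is no longer escaped; with the removal done first it ends as \' and stays escaped.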

Then, following the database information in config.inc.php from 1chunqiu.zip, we go step by step with error-based queries to get the flag.

payload:

%00'and updatexml(1,substr((select flag from flag),1,41),1)#

%00'and updatexml(1,substr((select flag from flag),11,41),1)#  

Joining the two resulting fragments together gives the flag:

flag{dbb3004d-441c-46e2-9b07-588c6f75a882}

 


Origin www.cnblogs.com/wosun/p/11447545.html