iloveflag-blog

wanna to see your hat? writeup

ctf
字数统计: 152阅读时长: 1 min
2018/09/20 Share

svn泄露,工具获得源码

在login发现sql注入,waf把’变成\

令人疑惑的是为什么要加一个\才能有结果,主要思考逻辑结构:

payload1:or 1=1#

单引号内都是当做字符串去查询

payload2:or 1=1#’

本地复现:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<?php 
$dbServername="localhost";
$dbUser="root";
$dbPassword="";
$dbName="ctf";
$conn=mysqli_connect($dbServername,$dbUser,$dbPassword,$dbName);
$id=$_GET['id'];
$mysql="SELECT COUNT(*) FROM ctf where title='$id' or id='$id'";
echo $mysql."
";
$result=mysqli_query($conn,$mysql);
$row = mysqli_fetch_array($result);
print_r($row);
echo "
";
if($row[0]){
	echo "good job";
}else{
	echo "no";
}

原文作者:iloveflag

原文链接:https://iloveflag.github.io/2018/09/20/wanna-to-see-your-hat-writeup/

发表日期:September 20th 2018, 6:03:15 am

更新日期:February 14th 2025, 10:45:19 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
Total : 61
2023
2022
2021
2020
2019
2018
ctf 运维 rubbish pwn python