zoukankan      html  css  js  c++  java
  • 【实验吧】CTF_Web_因缺思汀的绕过

    打开页面,查看源代码,发现存在source.txt(http://ctf5.shiyanbar.com/web/pcat/source.txt),如下:

    <?php
    error_reporting(0);
    if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
        echo '<form action="" method="post">'."<br/>";
        echo '<input name="uname" type="text"/>'."<br/>";
        echo '<input name="pwd" type="text"/>'."<br/>";
        echo '<input type="submit" />'."<br/>";
        echo '</form>'."<br/>";
        echo '<!--source: source.txt-->'."<br/>";
        die;
    }
    function AttackFilter($StrKey,$StrValue,$ArrReq){  
        if (is_array($StrValue)){
    //检测变量是否是数组
            $StrValue=implode($StrValue);
    //返回由数组元素组合成的字符串
        }
        if (preg_match("/".$ArrReq."/is",$StrValue)==1){   
    //匹配成功一次后就会停止匹配
            print "水可载舟,亦可赛艇!";
            exit();
        }
    }
    $filter = "and|select|from|where|union|join|sleep|benchmark|,|(|)";
    foreach($_POST as $key=>$value){ 
    //遍历数组
        AttackFilter($key,$value,$filter);
    }
    $con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
    if (!$con){
        die('Could not connect: ' . mysql_error());
    }
    $db="XXXXXX";
    mysql_select_db($db, $con);
    //设置活动的 MySQL 数据库
    $sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
    $query = mysql_query($sql); 
    //执行一条 MySQL 查询
    if (mysql_num_rows($query) == 1) { 
    //返回结果集中行的数目
        $key = mysql_fetch_array($query);
    //返回根据从结果集取得的行生成的数组,如果没有更多行则返回 false
        if($key['pwd'] == $_POST['pwd']) {
            print "CTF{XXXXXX}";
        }else{
            print "亦可赛艇!";
        }
    }else{
        print "一颗赛艇!";
    }
    mysql_close($con);
    ?>

    由源码分析,必须满足一下条件:
    1. $filter = "and|select|from|where|union|join|sleep|benchmark|,|(|)" 过滤了关键字
    2. if (mysql_num_rows($query) == 1) 返回数据为1条
    3. if($key['pwd'] == $_POST['pwd']) 传入的pwd和查询出来的结果一致

    不适用条件1即可完成。

    limit 2 offset 3 中,2表示返回2行,3表示从表的第4行开始,如下图(建表及插入语句见http://www.cnblogs.com/caizhiren/p/7768936.html):

    1' or 1 含义如下:

    Group by with rollup 会在最后多计算一个总数(http://blog.csdn.net/id19870510/article/details/6254358)

    mysql> select * from user where name = 'admin' or 1 group by name with rollup limit 1 offset 0;

    回到本题,输入'1 or 1 limit 1 offset 0# 和'1 or 1 limit 1 offset 1# 返回亦可赛艇!,输入'1 or 1 limit 1 offset 2# 返回一颗赛艇!,说明一共有两行。再带入上面的列子,1' or 1=1 group by pwd with rollup limit 1 offset 2#, 密码不输入,及为空,和with rollup的结果一致,即可得CTF{with_rollup_interesting}

    参考链接:http://www.bubuko.com/infodetail-2169730.html

  • 相关阅读:
    ACM-ICPC(10/21)
    ACM-ICPC (10/20)
    ACM-ICPC (10/19)
    ACM-ICPC (10/17)
    ACM-ICPC (10/16) Codeforces Round #441 (Div. 2, by Moscow Team Olympiad)
    ACM-ICPC (10/15) Codeforces Round #440 (Div. 2, based on Technocup 2018 Elimination Round 2)
    ACM-ICPC (10/14)
    战神CPU计算机硬件组装
    ACM-ICPC (10/12)
    ACM-ICPC (10/11)
  • 原文地址:https://www.cnblogs.com/caizhiren/p/7841318.html
Copyright © 2011-2022 走看看