About a simple web challenge from a CTF

The page is a login form, and the login code is given as well:
```php
<?php
// The connection settings were not shown in the challenge; these are placeholders.
$servername = "localhost";
$username   = "dbuser";
$password   = "dbpass";
$database   = "ctf";

if ($_POST["user"] && $_POST["pass"]) {
    $conn = mysqli_connect($servername, $username, $password, $database);
    if ($conn->connect_error) {
        die("Connection failed: " . mysqli_error($conn));
    }
    $user = $_POST["user"];
    $pass = $_POST["pass"];

    // The POST value is concatenated straight into the SQL string: no escaping, no parameters.
    $sql = "select user from user where pw='$pass'";
    //echo $sql;
    $query = mysqli_query($conn, $sql);
    if (!$query) {
        printf("Error: %s\n", mysqli_error($conn));
        exit();
    }
    $row = mysqli_fetch_array($query);
}
```
As you can see, the input is not filtered at all, so the `pass` field is vulnerable to SQL injection.
Capture the request and run it through sqlmap; it dumps the username and password, but the password just would not crack no matter what.
Then it occurred to me that it might be stored in plaintext. Logged in with it and got the flag.
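For contrast, here is the same login with the injection closed. This is an added example, not the challenge's code: it assumes a `user` table with columns `user` and `pw`, where `pw` holds a `password_hash()` digest instead of the plaintext the writeup later finds, and the connection settings are placeholders. The query is parameterised with a mysqli prepared statement, so a quote inside `pass` can no longer change the statement, and the password is checked against the supplied username rather than on its own, as the original `where pw='$pass'` did.

```php
<?php
// Added example, not the challenge's code. Placeholder connection settings:
$servername = "localhost";
$username   = "dbuser";
$password   = "dbpass";
$database   = "ctf";

function login(mysqli $conn, string $user, string $pass): bool {
    // Parameterised query: the user-supplied value travels separately from the SQL text,
    // so it is only ever treated as data, never as part of the statement.
    $stmt = $conn->prepare("SELECT pw FROM user WHERE user = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // Assumed schema: pw stores a password_hash() digest, so compare with password_verify()
    // and tie the password to the username instead of matching pw on its own.
    return $found && password_verify($pass, $storedHash);
}

if (!empty($_POST["user"]) && !empty($_POST["pass"])) {
    $conn = mysqli_connect($servername, $username, $password, $database);
    if (!$conn) {
        die("Connection failed: " . mysqli_connect_error());
    }
    echo login($conn, $_POST["user"], $_POST["pass"]) ? "login ok" : "login failed";
    $conn->close();
}
```

With this version the injection sqlmap found has nothing to work with, and even a database dump yields only hashes rather than a plaintext password to log in with.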
