1. Program logic issues
The challenge hint says this is a program logic problem, so it must involve auditing the source. Pressing F12 to view the page source shows:
The source is not hidden here; constructing the URL for index.txt and requesting it gives the following source code:
Welcome to Simplexue
<body>
<?php
if ($_POST['user'] && $_POST['pass']) {
    $conn = mysql_connect("********", "********", "********");
    mysql_select_db("phpformysql") or die("Could not select database");
    if ($conn->connect_error) {
        die("connection failed: " . mysql_error($conn));
    }
    $user = $_POST['user'];
    $pass = md5($_POST['pass']);
    // first key point: the username is concatenated straight into the query
    $sql = "select pw from php where user='$user'";
    $query = mysql_query($sql);
    if (!$query) {
        printf("error: %s\n", mysql_error($conn));
        exit();
    }
    $row = mysql_fetch_array($query, MYSQL_ASSOC);
    echo $row['pw'];
    // second key point: md5 of the submitted password is compared with whatever the query returned
    if (($row['pw']) && (!strcasecmp($pass, $row['pw']))) {
        echo "<p>logged in! key:************** </p>";
    } else {
        echo("<p>log in Failure!</p>");
    }
}
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.txt">
Two places in the source are especially important (marked red in the original). The SQL statement obviously has an injection vulnerability, but the password field cannot be bypassed with an ordinary injection. What matters is the check ($row['pw']) && (!strcasecmp($pass, $row['pw'])): the flag is returned whenever the $pass we enter matches the data fetched from the database. We control the value of $pass, but we do not know the value of pw in the database. We can, however, make the query return a value we choose with union select 'an MD5-encrypted string' #, setting the password ourselves. Note that the selected string must be an MD5 hash, because $pass is MD5-hashed before the comparison; otherwise it will not match.
Constructed statement: ' and 0=1 union select '529ca8050a00180790cf88b63468826a' #
Password: hehe
I got the flag.
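For comparison, here is how the same login handler looks once both weak spots are closed. This is an added example, not the challenge's own code: it keeps the page's table name php and columns user/pw, but assumes pw now stores a password_hash() digest instead of an MD5 hex string, and the DSN and credentials are placeholders.

```php
<?php
// Hardened replacement for the challenge's login handler (added example).
// Assumes table `php` with columns `user` and `pw`, where `pw` holds a
// password_hash() digest. Connection values are placeholders.
$dsn = 'mysql:host=localhost;dbname=phpformysql;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

function login(PDO $pdo, string $user, string $pass): bool
{
    // Parameter binding keeps the username out of the SQL grammar, so a
    // "' union select ... #" in $user is looked up as a literal string and
    // can no longer make the query return an attacker-chosen hash.
    $stmt = $pdo->prepare('SELECT pw FROM php WHERE user = :user LIMIT 1');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() checks a salted hash in constant time; strcasecmp()
    // on unsalted MD5 did neither. The stored hash is never echoed back.
    return password_verify($pass, $row['pw']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['user'], $_POST['pass'])
    && is_string($_POST['user']) && is_string($_POST['pass'])) {
    if (login($pdo, $_POST['user'], $_POST['pass'])) {
        echo '<p>logged in!</p>';
    } else {
        echo '<p>log in Failure!</p>';
    }
}
?>
```

Migrating existing rows means rehashing each password with password_hash() on the user's next successful login, since the MD5 values cannot be converted offline.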
2.