醉梦半醒's Blog

wanna to see your hat? writeup

2018/09/20


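SVN leak: a tool recovers the source code.

The login has a SQL injection, and the WAF turns ' into \.

The puzzling part is why a \ has to be added before there is any result. The key is to think through the logical structure of the query:

payload1: or 1=1#

Everything inside the single quotes is treated as a string in the query.

payload2: or 1=1#'

Local reproduction: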

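<?php
// Local reproduction of the injectable login query (deliberately vulnerable).
$dbServername = "localhost";
$dbUser = "root";
$dbPassword = "";
$dbName = "ctf";
$conn = mysqli_connect($dbServername, $dbUser, $dbPassword, $dbName);
$id = $_GET['id'];
// $id is concatenated into two quoted positions of the same query.
$mysql = "SELECT COUNT(*) FROM ctf where title='$id' or id='$id'";
echo $mysql . "\n";   // print the final query for inspection
$result = mysqli_query($conn, $mysql);
if (!$result) {
    // A malformed query returns false; show the error instead of crashing.
    die(mysqli_error($conn));
}
$row = mysqli_fetch_array($result);
print_r($row);
echo "\n";
// COUNT(*) > 0 means the WHERE clause matched at least one row.
if ($row[0]) {
    echo "good job";
} else {
    echo "no";
}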
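
The two payloads above, traced through a small model of the filter and of MySQL's string-literal rules to show where each literal actually ends. This is an added example, not code from the original post; waf, build_query, split_sql and skeleton are hypothetical names, and it assumes the filter only rewrites ' to \ and that MySQL runs with its default backslash-escape behaviour.

```python
# Added example (not from the original post). Assumptions: the filter only
# rewrites ' to \ and MySQL runs with its default sql_mode, where a backslash
# escapes the next character inside a '...' literal. Only # comments are modelled.

def waf(value: str) -> str:
    """Model of the filter described in the post: ' becomes \\."""
    return value.replace("'", "\\")

def build_query(value: str) -> str:
    """Same template as the PHP reproduction; value is used twice."""
    return f"SELECT COUNT(*) FROM ctf where title='{value}' or id='{value}'"

def split_sql(query: str):
    """Return (kind, text) segments, kind in {'code', 'string', 'comment'}."""
    segments, kind, buf, i = [], "code", "", 0
    while i < len(query):
        ch = query[i]
        if kind == "string" and ch == "\\" and i + 1 < len(query):
            buf += query[i:i + 2]          # escaped char stays inside the literal
            i += 1
        elif kind == "string" and query[i:i + 2] == "''":
            buf += "''"                    # doubled quote is also an escape
            i += 1
        elif ch == "'":                    # a literal opens or closes here
            segments.append((kind, buf))
            kind, buf = ("code" if kind == "string" else "string"), ""
        elif kind == "code" and ch == "#":
            segments.append(("code", buf))
            segments.append(("comment", query[i:]))   # rest of line is ignored
            return segments
        else:
            buf += ch
        i += 1
    segments.append((kind, buf))
    return segments

def skeleton(query: str) -> str:
    """SQL as the parser sees it: literals shown as ?, comments dropped."""
    return "".join("?" if k == "string" else t
                   for k, t in split_sql(query) if k != "comment")

if __name__ == "__main__":
    for payload in ("or 1=1#", "or 1=1#'"):   # the two inputs from the post
        query = build_query(waf(payload))
        print(query)
        print("  parsed as:", skeleton(query))
```

With payload2 the backslash escapes the first closing quote, so the first literal runs on through ' or id= and the second copy of the input lands outside any quotes. Binding $id as a parameter (mysqli_prepare with mysqli_stmt_bind_param) keeps it out of the SQL text, which removes the need for the quote filter.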
