BugKu-sqli-0x1

<?php
// Level 0 = report nothing, so no warning or notice text is rendered into the response.
error_reporting(0);
// NOTE(review): error_log()'s first parameter is the message, so this writes "0" to the
// configured error log rather than disabling logging — presumably not what was intended.
error_log(0);
// Presumably defines $flag, which the template below prints after a successful login.
require_once 'flag.php';

/**
 * Deny-list gate applied to the submitted username before it reaches the SQL
 * string. Returns true when the input is to be rejected, false otherwise.
 *
 * Two rules, checked in order:
 *  1. If the string contains a single quote, at least one quote must have an
 *     alphanumeric character directly on both sides; otherwise reject.
 *  2. None of the deny-list tokens (a quote next to a space, a double quote,
 *     a backtick, an angle bracket) may occur anywhere; otherwise reject.
 *
 * NOTE(review): a token deny-list is not a substitute for a prepared
 * statement; the caller still builds its query by string interpolation.
 */
function is_trying_to_hak_me($str)
{
    $denied = ["' ", " '", '"', "`", " `", "` ", ">", "<"];

    $contains = static function ($needle) use ($str) {
        return strpos($str, $needle) !== false;
    };

    // Rule 1: `!== 1` treats both "no match" (0) and a PCRE failure (false) as a rejection.
    if ($contains("'") && preg_match("/[0-9a-zA-Z]'[0-9a-zA-Z]/", $str) !== 1) {
        return true;
    }

    // Rule 2: stop at the first deny-list hit.
    foreach ($denied as $token) {
        if ($contains($token)) {
            return true;
        }
    }

    return false;
}

// Source-disclosure helper: any request carrying ?pls_help prints this file and stops.
// ($_GET values are never null, so array_key_exists and isset agree here.)
if (array_key_exists('pls_help', $_GET)) {
    highlight_file(__FILE__);
    exit();
}

if (isset($_POST["user"]) && isset($_POST["pass"]) && (!empty($_POST["user"])) && (!empty($_POST["pass"]))) {
    // Untrusted request input. Only $user goes through the deny-list; $pass is never
    // filtered, but it only ever reaches hash() below, not the SQL text.
    $user = $_POST["user"];
    $pass = $_POST["pass"];
    if (is_trying_to_hak_me($user)) {
        die("why u bully me");
    }

    $db = new SQLite3("/var/db.sqlite");
    // Injection sink: $user is interpolated straight into the SQL text inside single quotes.
    // NOTE(review): the deny-list above does not make this safe (the author's note on the
    // next line passes it). The fix is a prepared statement, e.g.
    // $db->prepare('SELECT * FROM users WHERE username = :u') with bindValue(':u', $user),
    // after which no input filter is needed for the query at all.
    $result = $db->query("SELECT * FROM users WHERE username='$user'");//wrapped in single quotes
    //user=a'union/**/select/**/1,2,3#
    if ($result === false) die("pls dont break me");
    else $result = $result->fetchArray();//only the first row of the result set is read

    if ($result) {//analyse the row that came back
        $split = explode('$', $result["password"]); //$result["password"] is stored as: hash$salt
        $password_hash = $split[0]; //first half: the hash
        $salt = $split[1]; //second half: the salt
        // NOTE(review): with error_reporting(0), a stored value without '$' silently makes $split[1] undefined (null) here.
        
        if ($password_hash === hash("sha256", $pass . $salt)) $logged_in = true;
        //i.e. the stored hash must equal sha256(submitted password . stored salt)
        //$pass does not change; we set it to 1

        //the password you chose (pass): 123
        //the value you need to inject into the database: fbfb386efea67e816f2dda0a8c94a98eb203757aebb3f55f183755a192d44467$qwe
        else $err = "Wrong password";
    } else $err = "No such user";
}
?>

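<!DOCTYPE html>
<html>

<head>
    <title>Hack.INI 9th - SQLi</title>
</head>

<body>
    <?php /* $logged_in is only ever set to true by the login block above; every other state shows the form. */ ?>
    <?php if (isset($logged_in) && $logged_in): ?>
        <p>Welcome back admin! Have a flag: <?= htmlspecialchars($flag); ?></p>
    <?php else: ?>
        <form method="post">
            <input type="text" placeholder="Username" name="user" required>
            <input type="password" placeholder="Password" name="pass" required>
            <button type="submit">Login</button>
            <br><br>
            <?php /* $err is one of two fixed literals today; escaped anyway so a future dynamic message cannot inject markup. */ ?>
            <?php if (isset($err)) echo htmlspecialchars($err); ?>
        </form>
    <?php endif; ?>
    <!-- <a href="/?pls_help">get some help</a> -->
</body>

</html>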

