58,【8】BUUCTF [PwnThyBytes 2019]Baby_SQL1

进入靶场

和2次注入的页面很像

不过养成查看源代码的好习惯

先访问source.zip

下载后解压，发现两个文件

第一个文件夹打开又有4个PHP文件

那还是先看index.php文件好了

有PHP和HTML两部分，下面是PHP部分代码（HTML太长了，先放一放）

<?php
// 启动会话
session_start();// 对 $_SESSION 中的每个元素进行过滤处理
foreach ($_SESSION as $key => $value): $_SESSION[$key] = filter($value); endforeach;
// 对 $_GET 中的每个元素进行过滤处理
foreach ($_GET as $key => $value): $_GET[$key] = filter($value); endforeach;
// 对 $_POST 中的每个元素进行过滤处理
foreach ($_POST as $key => $value): $_POST[$key] = filter($value); endforeach;
// 对 $_REQUEST 中的每个元素进行过滤处理
foreach ($_REQUEST as $key => $value): $_REQUEST[$key] = filter($value); endforeach;// 定义过滤函数
function filter($value)
{// 如果值不是字符串，终止脚本并输出 Hacking attempt!!is_string($value) AND die("Hacking attempt!");// 使用 addslashes 函数对字符串进行转义，防止 SQL 注入return addslashes($value);
}// 如果满足以下条件，包含 templates/register.php 文件
isset($_GET['p']) AND $_GET['p'] === "register" AND $_SERVER['REQUEST_METHOD'] === 'POST' AND isset($_POST['username']) AND isset($_POST['password']) AND @include('templates/register.php');
// 如果满足以下条件，包含 templates/login.php 文件
isset($_GET['p']) AND $_GET['p'] === "login" AND $_SERVER['REQUEST_METHOD'] === 'GET' AND isset($_GET['username']) AND isset($_GET['password']) AND @include('templates/login.php');
// 如果满足以下条件，包含 templates/home.php 文件
isset($_GET['p']) AND $_GET['p'] === "home" AND @include('templates/home.php');
?>

看另外4个

db.php

<?php$servername = $_ENV["DB_HOST"];
$username = $_ENV["DB_USER"];
$password = $_ENV["DB_PASSWORD"];
$dbname = $_ENV["DB_NAME"];$con = new mysqli($servername, $username, $password, $dbname);?>

home.php

<!DOCTYPE html>
<html lang="en">
<head><!-- 定义文档字符编码为 utf-8 --><meta charset="utf-8"><!-- 告知搜索引擎不要索引此页面 --><meta name="robots" content="noindex"><title>home</title><!-- 设置视口，以实现响应式布局 --><meta name="viewport" content="width=device-width, initial-scale=1"><!-- 引入 Bootstrap 的 CSS 样式表 --><link href="//netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/css/bootstrap-combined.min.css" rel="stylesheet"id="bootstrap-css"><style type="text/css"></style><!-- 引入 jQuery 库 --><script src="//code.jquery.com/jquery-1.10.2.min.js"></script><!-- 引入 Bootstrap 的 JavaScript 库 --><script src="//netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container"><?php// 包含数据库连接文件 db.phpinclude 'db.php';// 判断是否设置了 $_SESSION["username"]if (isset($_SESSION["username"])):// 如果设置了 $_SESSION["username"]，显示一个警告信息die('<div class="alert alert-warning" id="msg-verify" role="alert"><strong>Hope this site is secure! I did my best to protect against some attacks. New sections will be available soon.</strong></div>');else:// 如果未设置 $_SESSION["username"]，进行页面刷新，跳转到?p=logindie('<meta http-equiv="refresh" content="0; url=?p=login" />');endif;?>
</div>
</body>
</html>

login.php

<?php!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';$sql = 'SELECT `username`,`password` FROM `ptbctf`.`ptbctf` where `username`="' . $_GET['username'] . '" and password="' . md5($_GET['password']) . '";';
$result = $con->query($sql);function auth($user)
{$_SESSION['username'] = $user;return True;
}($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND auth($row['username']) AND die('<meta http-equiv="refresh" content="0; url=?p=home" />')) OR ($con->close() AND die('Try again!'));?>

redister.php

<?php!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';(preg_match('/(a|d|m|i|n)/', strtolower($_POST['username'])) OR strlen($_POST['username']) < 6 OR strlen($_POST['username']) > 10 OR !ctype_alnum($_POST['username'])) AND $con->close() AND die("Not allowed!");$sql = 'INSERT INTO `ptbctf`.`ptbctf` (`username`, `password`) VALUES ("' . $_POST['username'] . '","' . md5($_POST['password']) . '")';
($con->query($sql) === TRUE AND $con->close() AND die("The user was created successfully!")) OR ($con->close() AND die("Error!"));?>

根据代码信息绕过过滤机制