进入靶场
和2次注入的页面很像
不过养成查看源代码的好习惯
先访问source.zip
下载后解压,发现两个文件
第一个文件夹打开又有4个PHP文件
那还是先看index.php文件好了
有PHP和HTML两部分,下面是PHP部分代码(HTML太长了,先放一放)
<?php
// 启动会话
session_start();
// 对 $_SESSION 中的每个元素进行过滤处理
foreach ($_SESSION as $key => $value): $_SESSION[$key] = filter($value); endforeach;
// 对 $_GET 中的每个元素进行过滤处理
foreach ($_GET as $key => $value): $_GET[$key] = filter($value); endforeach;
// 对 $_POST 中的每个元素进行过滤处理
foreach ($_POST as $key => $value): $_POST[$key] = filter($value); endforeach;
// 对 $_REQUEST 中的每个元素进行过滤处理
foreach ($_REQUEST as $key => $value): $_REQUEST[$key] = filter($value); endforeach;
// 定义过滤函数
function filter($value)
{
// 如果值不是字符串,终止脚本并输出 Hacking attempt!
!is_string($value) AND die("Hacking attempt!");
// 使用 addslashes 函数对字符串进行转义,防止 SQL 注入
return addslashes($value);
}
// 如果满足以下条件,包含 templates/register.php 文件
isset($_GET['p']) AND $_GET['p'] === "register" AND $_SERVER['REQUEST_METHOD'] === 'POST' AND isset($_POST['username']) AND isset($_POST['password']) AND @include('templates/register.php');
// 如果满足以下条件,包含 templates/login.php 文件
isset($_GET['p']) AND $_GET['p'] === "login" AND $_SERVER['REQUEST_METHOD'] === 'GET' AND isset($_GET['username']) AND isset($_GET['password']) AND @include('templates/login.php');
// 如果满足以下条件,包含 templates/home.php 文件
isset($_GET['p']) AND $_GET['p'] === "home" AND @include('templates/home.php');
?>看另外4个
db.php
<?php
$servername = $_ENV["DB_HOST"];
$username = $_ENV["DB_USER"];
$password = $_ENV["DB_PASSWORD"];
$dbname = $_ENV["DB_NAME"];
$con = new mysqli($servername, $username, $password, $dbname);
?>home.php
<!DOCTYPE html>
<html lang="en">
<head>
<!-- 定义文档字符编码为 utf-8 -->
<meta charset="utf-8">
<!-- 告知搜索引擎不要索引此页面 -->
<meta name="robots" content="noindex">
<title>home</title>
<!-- 设置视口,以实现响应式布局 -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- 引入 Bootstrap 的 CSS 样式表 -->
<link href="//netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/css/bootstrap-combined.min.css" rel="stylesheet"
id="bootstrap-css">
<style type="text/css">
</style>
<!-- 引入 jQuery 库 -->
<script src="//code.jquery.com/jquery-1.10.2.min.js"></script>
<!-- 引入 Bootstrap 的 JavaScript 库 -->
<script src="//netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<?php
// 包含数据库连接文件 db.php
include 'db.php';
// 判断是否设置了 $_SESSION["username"]
if (isset($_SESSION["username"])):
// 如果设置了 $_SESSION["username"],显示一个警告信息
die('<div class="alert alert-warning" id="msg-verify" role="alert"><strong>Hope this site is secure! I did my best to protect against some attacks. New sections will be available soon.</strong></div>');
else:
// 如果未设置 $_SESSION["username"],进行页面刷新,跳转到?p=login
die('<meta http-equiv="refresh" content="0; url=?p=login" />');
endif;
?>
</div>
</body>
</html>login.php
<?php
!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';
$sql = 'SELECT `username`,`password` FROM `ptbctf`.`ptbctf` where `username`="' . $_GET['username'] . '" and password="' . md5($_GET['password']) . '";';
$result = $con->query($sql);
function auth($user)
{
$_SESSION['username'] = $user;
return True;
}
($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND auth($row['username']) AND die('<meta http-equiv="refresh" content="0; url=?p=home" />')) OR ($con->close() AND die('Try again!'));
?>redister.php
<?php
!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';
(preg_match('/(a|d|m|i|n)/', strtolower($_POST['username'])) OR strlen($_POST['username']) < 6 OR strlen($_POST['username']) > 10 OR !ctype_alnum($_POST['username'])) AND $con->close() AND die("Not allowed!");
$sql = 'INSERT INTO `ptbctf`.`ptbctf` (`username`, `password`) VALUES ("' . $_POST['username'] . '","' . md5($_POST['password']) . '")';
($con->query($sql) === TRUE AND $con->close() AND die("The user was created successfully!")) OR ($con->close() AND die("Error!"));
?>根据代码信息绕过过滤机制