2026/1/16 7:44:05 Website development / Project workflow

BugKu-sqli-0x1

<?php
error_reporting(0);
error_log(0);
require_once("flag.php");

function is_trying_to_hak_me($str)
{
    $blacklist = ["' ", " '", '"', "`", " `", "` ", ">", "<"];
    if (strpos($str, "'") !== false) { // 1. only checked when a single quote is present
        if (!preg_match("/[0-9a-zA-Z]'[0-9a-zA-Z]/", $str)) { // 2. the quote must have a letter or digit on both sides
            return true;
        }
    }
    foreach ($blacklist as $token) { // 3. none of the blacklisted tokens may appear
        if (strpos($str, $token) !== false) return true;
    }
    return false;
}

if (isset($_GET["pls_help"])) {
    highlight_file(__FILE__);
    exit;
}

if (isset($_POST["user"]) && isset($_POST["pass"]) && (!empty($_POST["user"])) && (!empty($_POST["pass"]))) {
    $user = $_POST["user"];
    $pass = $_POST["pass"];
    if (is_trying_to_hak_me($user)) {
        die("why u bully me");
    }
    $db = new SQLite3("/var/db.sqlite");
    $result = $db->query("SELECT * FROM users WHERE username='$user'"); // the value is wrapped in single quotes
    // user=a'union/**/select/**/1,2,3#
    if ($result === false) die("pls dont break me");
    else $result = $result->fetchArray(); // only the first row of the result is fetched
    if ($result) { // analyse the row that came back
        $split = explode('$', $result["password"]); // $result["password"] has the format: hash$salt
        $password_hash = $split[0]; // first half: the hash
        $salt = $split[1]; // second half: the salt
        if ($password_hash === hash("sha256", $pass . $salt)) $logged_in = true;
        // i.e. the stored hash must equal sha256(submitted password . stored salt)
        // $pass never changes; we set it to 1
        // the password you set (pass): 123
        // the value you need to inject into the database: fbfb386efea67e816f2dda0a8c94a98eb203757aebb3f55f183755a192d44467$qwe
        else $err = "Wrong password";
    } else $err = "No such user";
}
?><!DOCTYPE html>
<html>
<head><title>Hack.INI 9th - SQLi</title></head>
<body>
<?php if (isset($logged_in) && $logged_in): ?>
<p>Welcome back admin! Have a flag: <?= htmlspecialchars($flag); ?><p>
<?php else: ?>
<form method="post">
    <input type="text" placeholder="Username" name="user" required>
    <input type="password" placeholder="Password" name="pass" required>
    <button type="submit">Login</button><br><br>
    <?php if (isset($err)) echo $err; ?>
</form>
<?php endif; ?>
<!-- <a href="/?pls_help">get some help</a> -->
</body></html>
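As an added example (not part of the challenge or the original writeup), the same login rewritten so that the username is bound as a parameter instead of being interpolated into the query, and the hash comparison is constant-time; it assumes the same /var/db.sqlite database and a users table whose password column keeps the challenge's hash$salt format.

```php
<?php
// Hardened version of the challenge login (added example, not the original
// challenge code). Assumes the same /var/db.sqlite database and a `users`
// table with `username` and `password` columns in the "hash$salt" format.
function check_login(SQLite3 $db, string $user, string $pass): bool
{
    // Parameter binding: the username is never spliced into the SQL text, so
    // a quote or a UNION in it is just data and cannot add rows to the result.
    $stmt = $db->prepare("SELECT password FROM users WHERE username = :u");
    $stmt->bindValue(':u', $user, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    $parts = explode('$', $row['password'], 2);
    if (count($parts) !== 2) {
        return false; // malformed stored credential: fail closed
    }
    [$stored_hash, $salt] = $parts;
    // hash_equals() compares in constant time, so the check leaks no timing
    // information about how many leading characters of the hash matched.
    return hash_equals($stored_hash, hash('sha256', $pass . $salt));
}

if (isset($_POST['user'], $_POST['pass']) && $_POST['user'] !== '' && $_POST['pass'] !== '') {
    $db = new SQLite3('/var/db.sqlite', SQLITE3_OPEN_READONLY);
    $logged_in = check_login($db, $_POST['user'], $_POST['pass']);
}
```

With the query parameterised, the is_trying_to_hak_me() blacklist is no longer needed as a security control; such filters only narrow the set of characters an attacker can use, while binding removes the interpretation problem entirely.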
