<html>
<head>
</head>
<body>
<a> Give me your flag, I will tell you if the flag is right. </ a>
<form action="" method="post">
<input type="text" name="query">
<input type="submit">
</form>
</body>
</html>
<?php
if(isset($post['query'])){
$BlackList = "prepare|flag|unhex|xml|drop|create|insert|like|regexp|outfile|readfile|where|from|union|update|delete|if|sleep|extractvalue|updatexml|or|and|&|\"";
//var_dump(preg_match("/{$BlackList}/is",$post['query']));
if(preg_match("/{$BlackList}/is",$post['query'])){
//echo $post['query'];
die("Nonono.");
}
if(strlen($post['query'])>40){
die("Too long.");
}
$sql = "select ".$post['query']."||flag from Flag";
mysqli_multi_query($MysqlLink,$sql);
do{
if($res = mysqli_store_result($MysqlLink)){
while($row = mysqli_fetch_row($res)){
print_r($row);
}
}
}while(@mysqli_next_result($MysqlLink));
}
?>
别人那找的题目的源代码
1.$sql = “select “.$post[‘query’].”||flag from Flag”;
这句话中间的双引号起的是连接字符串的作用
2.preg_match函数起的作用是比较字符串
链接
php正则表达式中preg_match函数的详解-php教程-PHP中文网
3.
*的作用是把所有的内容都表示出来
做题过程
输入的内容为
*,1
使得$sql = “select “.$post[‘query’].”||flag from Flag”;变成$sql = “select *,1 ||flag from Flag”;
即可得到flag
版权声明:本文为weixin_61060664原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。