<?php
define("MYSQL_HOST",$_ENV['MYSQL_HOST']);
define("MYSQL_PORT",$_ENV['MYSQL_PORT']);
define("MYSQL_DATABASE",$_ENV['MYSQL_DATABASE']);
define("MYSQL_USER",$_ENV['MYSQL_USER']);
define("MYSQL_PASSWORD",$_ENV['MYSQL_ROOT_PASSWORD']);
$data = $_ENV["TARMAN_DYNAMIC_FLAG"];
$flag = "/tmp/flag.txt";
file_put_contents($flag,$data);
if (!isset($_GET['action'])) highlight_file(__FILE__);;
$pdo = new PDO("mysql:host=".MYSQL_HOST.":".MYSQL_PORT.";dbname=".MYSQL_DATABASE, MYSQL_USER, MYSQL_PASSWORD);
$action = $_GET['action'];
switch ($action) {
case 'query':
$username = $_GET['username'];
$sql = "SELECT * FROM users WHERE username = '$username';";
$stmt = $pdo->query($sql);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
print_r($row);
break;
case 'login':
$username = $_GET['username'];
$password = md5($_GET['password']);
$stmt = $pdo->prepare("select * from users where username=? and password=?");
if ($stmt->execute(array($username, $password)) && $stmt->fetch()['username'] === 'admin') {
readfile($flag);
} else
die('login failed');
break;
}
$pdo = null;
本质:SQL注入
分成两部分的代码,上面一部分全是一些莫名的定义,于是我们从switch看,有两个分支,我们先试第一个https://scene-nmhniei7st8i17so-web-80.zhigeng.toolmao.com/?action=query&username=admin
得到回显Array ( [id] => 1 [username] => admin [password] => 111111 )
现在得知 账户 和 密码,于是我们跳到第二个分支login里面来,传入111111后,我们发现它显示login failed,这是因为后端会把输入的md5与数据库的比较,于是