Problem 16: has anyone managed to solve it? #9

badtoken opened this issue Dec 10, 2018 · 2 comments

Comments

@badtoken

The htmlentities() function escapes even the single quotes, so what the hell is there left to inject....

@HandsomeCat00

htmlentities($str, ENT_QUOTES); // converts characters to HTML entities; converts both double and single quotes
So let's look at the range of HTML escape characters: https://www.w3school.com.cn/html/html_entities.asp. It turns out the escape character \ is not in range.
Idea: try to use the single quote in the SQL statement to construct a format like where name='xx\'x' or 1=1 to bypass it.
The request is constructed as follows: http://127.0.0.1/16.php?username=admin\&password=%20or%201=1%23
The corresponding SQL is: SELECT * FROM users WHERE name='admin' AND pass=' or 1=1#'

@quan9i

quan9i commented Jul 18, 2022

I think there is something off in what the previous poster said. When the constructed payload is name=admin\#&password= or 1#, the corresponding SQL statement is $query='SELECT * FROM users WHERE name=\''admin\'\' AND pass=\''or 1#'\';', which, simplified, is $query='SELECT * FROM users WHERE name='admin AND pass=' or 1#'. The AND pass that follows belongs to the name part; the ' after admin that the previous poster wrote does not exist.
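The two comments above disagree about where the name='...' literal actually ends once a trailing backslash goes through htmlentities(). The following is an added example, not code from the challenge repository or from any commenter: it reproduces the string building the thread describes, decodes the first literal under MySQL's backslash rule so the real boundary is visible, and puts a parameterized lookup beside it as the fix. Assumptions: the challenge concatenates htmlentities()-escaped input straight into single-quoted literals (the posts describe it that way; the actual 16.php source is not on this page); Python's html.escape(quote=True) stands in for htmlentities($str, ENT_QUOTES); the users table and its one row are constructed sample data, held in an in-memory sqlite3 database.

```python
import html
import sqlite3


def escape_like_htmlentities(value: str) -> str:
    # Stand-in (assumption) for PHP htmlentities($str, ENT_QUOTES): both quote
    # kinds become entities, but a backslash passes through untouched.
    # html.escape emits &#x27; where PHP emits &#039;; that difference is
    # irrelevant to the point shown here.
    return html.escape(value, quote=True)


def build_query_vulnerable(username: str, password: str) -> str:
    # Assumed shape of the challenge's query building: escaped input is glued
    # directly into single-quoted literals. Not the challenge's actual source.
    return ("SELECT * FROM users WHERE name='" + escape_like_htmlentities(username)
            + "' AND pass='" + escape_like_htmlentities(password) + "'")


def first_literal_mysql(query: str) -> str:
    # Decode the first single-quoted literal the way MySQL reads it: a
    # backslash escapes the following character (so \' does not close the
    # literal) and '' inside a literal is one quote. The return value is the
    # text MySQL takes as the name= value, i.e. where that literal really ends.
    i = query.index("'") + 1
    out = []
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):
            out.append(query[i + 1])
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(query) and query[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            break
        out.append(ch)
        i += 1
    return "".join(out)


def make_demo_db() -> sqlite3.Connection:
    # Constructed sample table with a single account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def lookup_user_safe(conn: sqlite3.Connection, username: str, password: str):
    # Hardened form: placeholders keep the input as data. A trailing backslash
    # cannot swallow the closing quote, and '#' is never read as a comment,
    # because the statement text is fixed before any value is bound.
    row = conn.execute("SELECT name FROM users WHERE name=? AND pass=?",
                       (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    q = build_query_vulnerable("admin\\", " or 1=1#")
    print(q)
    print("name literal as MySQL reads it:", repr(first_literal_mysql(q)))
    db = make_demo_db()
    print("parameterized lookup, same input:",
          lookup_user_safe(db, "admin\\", " or 1=1#"))
```

Running it prints the concatenated statement with the backslash intact, then shows that MySQL's parser ends the name literal only after `AND pass=`, which is the boundary the second comment points at. The parameterized lookup with the same input returns no row, because the backslash and the `#` stay inside the bound value.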
