pico-wp

picoCTF 2020 Mini-Competition web

pico 2020今年缩水了，不过据说min不是正式的比赛，看看后面怎么说吧

web

Description
Can you beat the filters? Log in as admin
总而言之就是bypass sql注入

1

第一题看filter.php提示把or给过滤了
但是没有关西，admin'-- password随便输，因为已经被-- 给注释了

---

2

第二题 or ,and, = ,--被过滤
直接上admin';%00 password随便输，
;%00很多人会把这个姿势给忘了，这也算是一个注释 
贴几个注释符:
#,-- , ;%00,/**/,//

---

3

同第二题绕过姿势

---

4

or , and, =, like, >,<, --, admin
好家伙把admin给过滤了，我直接好家伙
因为吧admin过滤了，尝试了大小写绕过无果
想到了字符串拼接，concat，但是因为有引号的限制，函数无法运行
返回去看到数据库是sqlite，那么sqlite的字符串拼接是用||的
直接上payload
ad'||'min';%00 passowrd=123
提交成功登陆

5

or, and,=, like, >, <, --, union, admin
同第四题姿势，我觉得国外的师傅应该是忘记了;%00能够直接过滤，所以我这个算非预期解

题目源码

<?php
session_start();

if (!isset($_SESSION["round"])) {
    $_SESSION["round"] = 1;
}
$round = $_SESSION["round"];
$filter = array("");
$view = ($_SERVER["PHP_SELF"] == "/filter.php");

if ($round === 1) {
    $filter = array("or");
    if ($view) {
        echo "Round1: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 2) {
    $filter = array("or", "and", "like", "=", "--");
    if ($view) {
        echo "Round2: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 3) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
    // $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round3: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 4) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
    // $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round4: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 5) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
    // $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round5: ".implode(" ", $filter)."<br/>";
    }
} else if ($round >= 6) {
    if ($view) {
        highlight_file("filter.php");
    }
} else {
    $_SESSION["round"] = 1;
}