wechall|Blinded by the light

Aryb1n, October 14, 2016

Hack point

function blightVuln($password)
{
        # Do not mess with other sessions!
        if ( (strpos($password, '/*') !== false) || (stripos($password, 'blight') !== false) )
        {
                return false;
        }

        $db = blightDB();
        $sessid = GWF_Session::getSession()->getID();
        $query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'";
        return $db->queryFirst($query) !== false;
}

This statement:

"SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'";

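At first I did not understand what b meant.
Later I realized it is the alias of the preceding temporary (derived) table (SELECT password FROM blight WHERE sessid=$sessid), with AS omitted.
Without it, an error is raised:
Every derived table must have its own alias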
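
The function above interpolates $password into the SQL text, and the filter on '/*' and 'blight' does not change that. As an added example (not from the original post or from WeChall's code), here is the same query with bound parameters, run through PDO against a constructed in-memory SQLite table; blightSafe, blightConcat and the sample row are hypothetical names and data chosen for illustration.

```php
<?php
// Added example: hardened counterpart of blightVuln(), using PDO placeholders.
// The in-memory SQLite database and the row below are constructed sample data.

function blightSafe(PDO $db, int $sessid, string $password): bool
{
    // Same query shape as the original, including the derived-table alias "b"
    // (MySQL requires it; SQLite accepts it). Both values are bound as
    // parameters, so they can never change the structure of the statement.
    $stmt = $db->prepare(
        'SELECT 1 FROM (SELECT password FROM blight WHERE sessid = :sessid) b
         WHERE password = :password'
    );
    $stmt->bindValue(':sessid', $sessid, PDO::PARAM_INT);
    $stmt->bindValue(':password', $password, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchColumn() !== false;
}

// The string-built query from the original function, kept only for comparison.
function blightConcat(PDO $db, int $sessid, string $password): bool
{
    $query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'";
    return $db->query($query)->fetchColumn() !== false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blight (sessid INTEGER, password TEXT)');
$db->exec("INSERT INTO blight VALUES (1, 'constructed-sample-password')");

var_dump(blightSafe($db, 1, 'constructed-sample-password')); // stored password
var_dump(blightSafe($db, 1, "it's wrong"));                  // quote stays data

try {
    blightConcat($db, 1, "it's wrong");
} catch (PDOException $e) {
    // The quote ended the string literal early: the input was parsed as SQL.
    echo "concatenated query failed to parse\n";
}
```

With placeholders the blacklist is no longer needed for query safety, because the password is never part of the statement text.
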

Also, I could not solve this challenge.
Write-up:
Write-up~~~