2021NCTF-web ezsql复现
分析
下载附件并解压后得到三个 PHP 文件，下面逐个进行代码审计：
login.php
<?php
// login.php: the challenge's password check. config.php (pulled in once
// below) opens the shared mysqli connection through DB.php.
include_once('config.php');# pulls config.php (and with it DB.php) in exactly once
?>
<!DOCTYPE html>
<html>
<head>
<title>There is no absolutely safe system</title>
</head>
<body>
<?php
// Query construction. db::prepare() is the project's own helper in DB.php
// (a format-string style substitution over '%' markers, not a mysqli
// prepared statement): it hands back a plain SQL string that is concatenated
// further and finally given to db::commit(). The order of operations matters:
// the string that already contains the substituted password is passed through
// db::prepare() a SECOND time when a name is posted, so how prepare() treats
// '%' characters left over from the first pass decides whether the password
// value can influence the final SQL — that second pass is the point this
// write-up analyses. Defensive baseline: a real login would bind both values
// with mysqli prepared statements and never re-format an already-built query.
if (isset($_POST['password'])){ # runs only when a password field was posted
$query = db::prepare("SELECT * FROM `users` where password=md5(%s)", $_POST['password']);# the posted password is the argument of the first prepare pass
if (isset($_POST['name'])){
// Second prepare pass over $query, which already carries the password text.
$query = db::prepare($query . " and name=%s", $_POST['name']);
}
else{
// The form below ships the name input as `disabled`; a disabled input is not
// submitted by the browser, so an ordinary form post ends up here with the
// fixed name. Reaching the branch above requires sending `name` by hand.
$query = $query . " and name='benjaminEngel'";
}
$query = $query . " limit 1";
$result = db::commit($query);
// Only the row count decides the outcome; the password comparison itself
// happens inside MySQL (md5() on the server side), and the md5 hash in the
// users table is unsalted.
if ($result->num_rows > 0){
die('NCTF{ez');
}
else{
die('Wrong name or password.');
}
}
else{ /* no password posted: render the login form */ ?>
<form action="login.php" method="post">
<input name="name" id="name" placeholder="benjaminEngel" value=bejaminEngel disabled>
<input type="password" name="password" id="password" placeholder="Enter password">
<button type="submit">Submit</button>
</form>
<?php
// NOTE(review): the name input's value ("bejaminEngel") differs from both the
// placeholder and the server-side default 'benjaminEngel'; it is never sent
// anyway because the field is disabled.
}
?>
</body>
</html>
config.php
<?php
// config.php: database bootstrap shared by the challenge's entry points.
//
// NOTE(review): the connection credentials are committed in plain text. For a
// throw-away CTF image that is acceptable; anywhere else they belong in the
// environment or a secret store, and the file should not be web-readable.
$db_host = 'db';
$db_user = 'mysql';
$db_pass = 'mysql123';
$db_database = '2021';

include 'DB.php';

// DB::buildMySQL() opens the mysqli connection and parks it in the class's
// static slot. PHP class names are case-insensitive, so `DB::` and `db::`
// refer to the same class throughout the code base.
DB::buildMySQL($db_host, $db_user, $db_pass, $db_database);

// connect_errno is non-zero when the handshake failed.
if (DB::connect_error()) {
    die('Error whiling connecting to DB');
}
DB.php
```php
<?php
class DB{
private static $db = null;
/**
 * Opens the mysqli connection and stores it in the class-wide static slot.
 *
 * Every construction overwrites the shared handle: the class keeps a single
 * connection for all callers rather than one per instance.
 */
public function __construct($db_host, $db_user, $db_pass, $db_database)
{
    $link = new mysqli($db_host, $db_user, $db_pass, $db_database);
    static::$db = $link;
}
/**
 * Named factory: constructs a DB and, as a side effect, the shared connection.
 *
 * @return DB
 */
public static function buildMySQL($db_host, $db_user, $db_pass, $db_database)
{
    $instance = new DB($db_host, $db_user, $db_pass, $db_database);

    return $instance;
}
/**
 * Returns the shared mysqli handle, or null when buildMySQL() has not run yet.
 */
public static function getInstance()
{
    $link = static::$db;

    return $link;
}
/**
 * Exposes mysqli's connect_errno for the shared handle (0 means no error).
 *
 * The handle is dereferenced without a null check, so calling this before
 * buildMySQL() fails outright instead of reporting an error code.
 */
public static function connect_error()
{
    $link = static::$db;

    return $link->connect_errno;
}
public static function prepare($query, $args){
if (is_null($query)){
return;
}
if (strpos($query, ‘%’) === false)