SQL Error-Based Injection (ongoing series)

Common functions

UpdateXML

UpdateXML(xml_target, xpath_expr, new_xml) //updatexml(target XML document, XML path, replacement content)

This function replaces a single portion of a given fragment of XML markup xml_target with a new XML fragment new_xml, and then returns the changed XML. The portion of xml_target that is replaced matches an XPath expression xpath_expr supplied by the user.

If no expression matching xpath_expr is found, or if multiple matches are found, the function returns the original xml_target XML fragment. All three arguments should be strings.

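UpdateXML error-based injection

Principle

The second argument of updatexml must be a string in XPath format. Content that begins with ~ (0x7e) is not valid XPath syntax, so the string built by concat(), the string concatenation function, clearly breaks that rule. The database still evaluates the expression inside the parentheses and reports its result as part of the error message, which is what makes error-based injection possible.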


Extracting the database name

select flag from test where id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),3);

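The remaining steps follow much the same approach as union-based injection.

For a worked example, see the 极客大挑战 2019 (Geek Challenge 2019) HardSQL write-up.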

extractvalue()

ExtractValue(xml_frag, xpath_expr)

ExtractValue() takes two string arguments, a fragment of XML markup xml_frag and an XPath expression xpath_expr (also known as a locator); it returns the text (CDATA) of the first text node which is a child of the element or elements matched by the XPath expression.

It queries an XML document: the first argument is the target XML document and the second is the XML path.
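An added example, not part of the original post: a small Python log scanner for the two traces this technique leaves, a request parameter that calls updatexml()/extractvalue() with concat() or 0x7e, and the "XPATH syntax error" text that carries the evaluated value. The log lines, the /item and /docs paths and the shop_db name are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request side: the XML function called with concat() or a 0x7e marker in its arguments.
REQUEST_RE = re.compile(
    r"\b(updatexml|extractvalue)\s*\(.*?(concat\s*\(|0x7e)", re.I | re.S)
# Error side: the XPath error text, which embeds the result of the evaluated expression.
ERROR_RE = re.compile(r"XPATH syntax error: '(?P<leak>[^']*)'")

# Constructed sample: access-log and application-log lines mixed together.
SAMPLE_LOG = [
    "GET /item?id=1 HTTP/1.1",
    "GET /item?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),3) HTTP/1.1",
    "app error: (1105, \"XPATH syntax error: '~shop_db~'\")",
    "GET /docs?q=how+to+use+extractvalue HTTP/1.1",  # benign mention, no call
    "GET /item?id=1%2520and%2520updatexml(1,concat(0x7e,(select%2520database()),0x7e),3) HTTP/1.1",
]


def decode(value, rounds=3):
    """URL-decode repeatedly so nested (double) encoding is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return (line_number, kind, detail) for every suspicious line."""
    findings = []
    for number, raw in enumerate(lines, 1):
        text = decode(raw)
        match = REQUEST_RE.search(text)
        if match:
            findings.append((number, "request", match.group(1).lower()))
        match = ERROR_RE.search(text)
        if match:
            findings.append((number, "error-leak", match.group("leak")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit on the error-leak rule means database error text is reaching logs or responses. Parameterised queries and generic error pages remove both the injection point and the channel the value comes back through.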

This article was published by the author silent666. Reproduction without permission is prohibited!