updatexml, extractvalue and floor error injection principle

updatexml

updatexml是SQL语法的一个函数：
UPDATEXML(XML_document, XPath_string, new_value)
参数：
1： XML_document是String格式,为XML文档对象的名称,文中为Doc
2：XPath_string (Xpath格式的字符串) ,用于匹配第一个参数中的部分内容.（就像使用正则表达式匹配一个文本的特定内容一样）
3： new_value,String格式,替换查找到的符合条件的数据.

在这里,我们利用updatexml函数的报错机制进行注入,原理就是When the format of the second parameter sumsXpath的格式不符的时候,就会产生报错,我们可以将我们的payload构造到第二个参数中,让其随着报错信息展示到页面上.

and updatexml(1, (concat('#',(payload))), 1) #
or updatexml(1, (concat('#',(payload))), 1) #

具体使用and 还是 or就要根据前面的一条语句执行是否成功来判断

extractvalue

extractvalue(xml_frag, xpath_expr)
从一个使用xpath语法的xmlExtract a value from a string.
xml_frag：xml文档对象的名称,是一个string类型.
xpath_expr：使用xpathA path in syntax format.

SQLError-injected applications：当使用extractvalue(xml_frag, xpath_expr)函数时,若xpath_expr参数不符合xpath格式,就会报错.

而~符号(ascii编码值：0x7e)是不存在xpath格式中的, 所以一旦在xpath_expr参数中使用~符号,就会产生xpath syntax error (xpath语法错误),By using this method, the purpose of error injection can be achieved.

and extractvalue(1, (concat(0x7e,(payload)))) #
or  extractvalue(1,concat(0x3a,(select database()),0x3a)) #

floor

当floor(), count(), group bymeet togetherfrom一个3row above the table,A duplicate primary key error will be generated,At this point, you construct the information you want to display into the primary key,mysqlThis information will be displayed to you on the page by reporting an error.

select count(*),concat((payload), floor(rand(0)*2)) as a from information_schema.tables group by a

(select 1 from (select concat(0x7e,database(),0x7e,floor(rand(0)*2)) x,count(*) from users GROUP BY x) b)

floor() : 向下取整.
count() : Often used to count the number of rows
group by: 分组
rand() : 产生一个0-1的随机浮点数
rand(0): 0为随机数种子,0Can be replaced with any integer

floor(rand(0)*2)可能为0也可能为1.
floor(rand(0)*2)The return result is fixed,返回一个序列0110110011101

The data in the table used in the query in the injection statement must be>=3条
select count(*) from users group by floor(rand(0)*2);

When the data in the table is less than 3,The query result is correct

https://blog.csdn.net/weixin_43901998/article/details/105227678
https://blog.csdn.net/weixin_54894046/article/details/124940161
https://blog.csdn.net/weixin_46634468/article/details/120692475