An error injection

There are two common error reporting injections ：extractvalue , updatexml

When to use error injection ？

When there is no suitable data return point, error injection is required . When injecting, the back end is injected , But the front end doesn't get a better display .

extractvalue

payload: and extractvalue(null,concat(0x7e,(payload),0x7e))

 The database is  xml  Intentional error reporting of documents 

 utilize  concat  Splicing in the background 

 Specify that the first parameter is  null , Let him deliberately report mistakes , The second parameter statement is brought into the database for execution , Finally, an error is reported and the execution result is displayed 

 We can see that it returns a   XPATH syntax error: '~security~'
 This  XPATH  It means ： stay XPATH There is an error in the implementation of , Is the first parameter we wrote  null  The error of , So the statement of the second parameter is executed , So you can go to the next step to get the table name , Name , data ....

 Be careful ： In case of error injection , We can only use it select Rather than  union select

 How to solve the above situation ：  stay  payload  When it's time to add  limit, As shown in the figure below 

 Another way is to build  payload  When you use  group_concat()  Here's the picture 

updatexml

payload: and 1=(updatexml(1,concat(0x7e,(payload)),1))

payload: and 1=(updatexml(1,concat(0x7e,(payload)),1))

updatexml This function is used to update xml Data . By default, the updated content is passed in , But the illegal communication made him deliberately report a mistake , And then execute sql sentence