Description: Part 3 of the Sqli-labs series, covering error-based SQL injection and blind injection of the boolean-based and time-based types.
Link to part 1: http://www.securitytube.net/video/4171
Link to part 2: http://www.securitytube.net/video/4200
Link for test bed: https://github.com/Audi-1/sqli-labs
Tags: Sqli, SQLi, Sqli-Labs, Sqli-labs walkthrough, SQL injections
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
I have set up a separate VM for the sqli lab. Burp works with it in a good way then :) enjoying your series... loving it.
This video is nice bro and also IRC ;)
This might be a spoiler: please, if you're trying lesson 2, do not read this:
@audi: correct me if I am wrong, I was just trying the exercise on lesson 2 and it seems like it requires a blind SQL technique? I broke it by doing ?id=1' but the error message did not display what went wrong; after a few attempts I managed to fix it by doing
?id=1 And 1=1 --+ <here would go the code that would have the sql server>
Am I on the right track?
Love these videos, thanks for your time
@j0k3rr
For Less-2, when you figured out that ?id=1 AND 1=1--+ works, it means we do not need any extra character to inject in and escape the query. This means this is an integer-based injection. We can validate this by providing an escape character \ in the parameter value, like ?id=\, and we see in the error that no quotes or parentheses are spit out as part of the error.
Now for any injection, blind is always an option, but if you wanna try error based, then think of this:
when we input a string, it needs to have quotes around it. Numeric values do not have quotes around them.
In Less-2 this should work
?id=1 order by 3--+
?id=-1 union select 1,2,3 --+
and so forth will work...
@Audi
Thanks so much for your swift reply, very well written. I am truly thankful for your help, amazing tutorial. Like you said there are a bunch of "tutorials/information online" but it's NOTHING LIKE THIS! Amazing work. Thanks again.
I didn't quite understand the deal with lesson two but I managed to come up with this
http://localhost/sqli-labs/Less-2/?id=1
normal response
http://localhost/sqli-labs/Less-2/?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
so>>>> '' LIMIT 0,1'
deleting unnecessary apostrophes >>> ' LIMIT 0,1
i think this query can be fixed by using
'' LIMIT 0,1
so i put in the URL
url>>>http://localhost/sqli-labs/Less-2/?id='1'
worked fine... dunno if it is correct or not?? :D
btw I would like to thank you for such a wonderful gift for noobs like me :D
@Learner
thanks,
For lesson 2, if you inject a \ you see that there are no quotes wrapping around the id parameter, hence indicating it to be a numeric or integer-based injection. It does not need any quotes. It is directly injectable.
?id=-1 union select 1,2,3 --+ will work
awwww now I get it :D
Thanx Audi, it's been wonderful learning from you..
I just wanna say you are awesome and it's really funny when you say "ooops it didn't work" :D
he he he... keep up the good work man :)
thanx again :D
Awesome tutorial Audi, I've been looking all over the web for someone to explain sqli correctly. Just a quick addition: you can also use null instead of - to evaluate the union statement.
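As an added example (not from the video, the sqli-labs project, or any commenter), the Python script below reproduces what Audi's two replies about Less-2 and the closing note about null describe: a query that pastes the id into `WHERE id=... LIMIT 0,1` with no quotes and no validation, run against the probes quoted in the thread, next to a fixed version that only accepts a plain integer and binds it as a parameter. SQLite stands in for the lab's MySQL backend, so the error text differs from the MySQL message quoted above, but error-versus-no-error and the returned rows behave the same for these probes. The table contents, row values and function names are my own constructions.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the Less-2 users table (values are made up for this example).
SAMPLE_ROWS = [(1, "alice", "pw1"), (2, "bob", "pw2"), (3, "carol", "pw3")]


def make_db():
    """In-memory SQLite database; SQLite substitutes for the lab's MySQL here."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def vulnerable_lookup(con, raw_id):
    """The numeric-injection shape the thread discusses: the decoded id is
    concatenated into the SQL with no quotes and no validation."""
    id_value = unquote_plus(raw_id)  # '--+' in the URL arrives as '-- ' (comment + space)
    sql = f"SELECT id, username, password FROM users WHERE id={id_value} LIMIT 0,1"
    try:
        return "ok", con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)


def hardened_lookup(con, raw_id):
    """Fix: accept only a plain decimal integer, then pass it as a bound parameter
    so the value can never change the structure of the statement."""
    id_value = unquote_plus(raw_id)
    if not re.fullmatch(r"[0-9]+", id_value):
        return "rejected", []
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return "ok", con.execute(sql, (int(id_value),)).fetchall()


# The probes quoted in the thread, as they would sit after '?id=' in the URL.
PROBES = {
    "baseline": "1",
    "quote": "1'",                      # breaks the statement: unterminated string
    "backslash": "\\",                  # Audi's quote-detection test
    "true": "1 AND 1=1 --+",            # tautology keeps the original row
    "false": "1 AND 1=2 --+",           # contradiction returns nothing
    "orderby3": "1 order by 3--+",      # column count: 3 columns exist
    "orderby4": "1 order by 4--+",      # column count: 4th column does not exist
    "union": "-1 union select 1,2,3 --+",
    "union_null": "-1 union select null,null,null --+",  # the null variant
}


def run_probes():
    """Return {probe name: (vulnerable result, hardened result)} for every probe."""
    con = make_db()
    return {name: (vulnerable_lookup(con, p), hardened_lookup(con, p))
            for name, p in PROBES.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in run_probes().items():
        print(f"{name:10} vulnerable={vuln}  hardened={hard}")
```

Running it shows the pattern Audi points out: the baseline id works in both versions, `1'` and `\` only produce an error in the concatenating version (and that error mentions no quotes, since none wrap the id), `order by 3` succeeds while `order by 4` fails, and both union probes return the attacker-chosen row. The hardened version rejects every probe except the bare integer before the database ever sees it.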