So I’ve been at this for a few days now, and despite scouring the forums and doing some googling I really don’t get it. And I don’t just want the answer, I want to understand it, so here’s my question:
I first wanted to see if I could get the injection point to act normally, despite being injected. Just to prove that I understood the logic. Here’s what I tried:
www.testsite.com/q=r' and 1=1 --
I thought that commenting out the %' at the end would cause this to operate as it normally would, but the names don't display. An error doesn't display though, which tells me my syntax is OK.
Can someone explain to me what is happening here and how I can get started?
EDIT So I re-read one of the tutorials on this forum and found this:
https://www.hackthis.co.uk/levels/sqli/2?browse&q=-r' UNION SELECT 1,2 --
This injection manages to get me a 1 on the screen, but whenever I try to replace the "1" in the injection with version() or table_name() or any other command, I get an error again.
Can someone give me a hint to point me in the right direction?
It seems that you just don't know how to exploit a SQL vulnerability manually.
If you had known how to do so, you'd know that there is a main thing to do after you've found a SQLi possibility.
Check some tutorials on google, there are so many!
Good luck ;)
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Look at the whole query that you get when you use your first injection. The 1=1 evaluates to true, but you are still left with the LIKE 'r'. That's why you don't get anything: there is no username that consists of only a single 'r'.
As for the second injection, it doesn’t work because those functions are not available for this server. There are multiple types of server and all have different functions (and syntax). It’s a good start, though. Keep playing around.
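As an added illustration (not code from the thread or from the challenge site), the following Python/sqlite3 model reproduces the effect described in the reply above. The query shape `... WHERE username LIKE '<input>%'` and the sample rows are assumptions constructed for the demo, since the thread never shows the challenge's real query; the point is to see why `r' and 1=1 --` shrinks the match to the literal name "r", and how a parameterized query keeps the whole input inside the string literal so the comment can never reach the SQL.

```python
import sqlite3

# Constructed sample data for the demo; not the challenge's real members table.
SAMPLE_MEMBERS = [
    ("rachel", "pw1", 0),
    ("robert", "pw2", 0),
    ("admin", "pw3", 1),
    ("r", "pw4", 0),  # a name that is exactly "r", to show what LIKE 'r' still matches
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def build_vulnerable_query(q):
    """Assumed shape of the challenge's search query, built by string concatenation.

    The trailing %' is what the original poster was commenting out: the user's
    text lands inside the LIKE literal, so a quote ends it and -- hides the rest.
    """
    return "SELECT username FROM members WHERE username LIKE '" + q + "%'"


def search_vulnerable(conn, q):
    """Run the concatenated query and return the matching usernames."""
    return [row[0] for row in conn.execute(build_vulnerable_query(q))]


def search_safe(conn, q):
    """Same search with a bound parameter: the input is data, never SQL text.

    The wildcard is appended to the value, not to the statement, so a quote or
    a -- inside q is just characters being compared against the usernames.
    """
    sql = "SELECT username FROM members WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, (q + "%",))]


if __name__ == "__main__":
    conn = make_db()
    # Normal prefix search: everything starting with "r".
    print("plain 'r'           ->", search_vulnerable(conn, "r"))
    # Injected: the query becomes ... LIKE 'r' and 1=1 --%'  (only the exact name "r").
    print("injected, vulnerable ->", search_vulnerable(conn, "r' and 1=1 --"))
    print("rendered SQL:", build_vulnerable_query("r' and 1=1 --"))
    # Parameterized: looks for names starting with the literal text "r' and 1=1 --".
    print("injected, safe       ->", search_safe(conn, "r' and 1=1 --"))
```

Running it shows the three outcomes side by side: the plain search returns every name beginning with "r", the concatenated query with the injected text returns only the row whose username is exactly "r" (the 1=1 is true, but the LIKE 'r' is still there and the wildcard was commented away), and the parameterized search returns nothing because no username starts with the literal string that was typed.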
Ah, I see. So it's no longer looking for usernames starting with r; it's now only looking for r. I appreciate the affirmation that I'm going in the right direction, so if those functions aren't available, is there any function that I could use to find out the server type, so I know what type of server is running? Or do I just have to keep guessing?
OK, I’ve been googling the crap out of it and nothing so far. I’ve tried .version, version, version() and the same variations for help. Guess I’ll keep plugging away unless you think there’s a different function I should try.
Just discovered the database version and got a version function to work! Now to find how to dump all the contents…
So I’ve made it a bit further, but nothing on google has helped me. I can now get information from the table ‘members’ using this query:
UNION ALL SELECT sql,2 FROM sqlite_master WHERE name='members' --
shows columns 'username', 'password' and 'admin'
But I cannot for the life of me figure out what I need to add to list any of the columns. I don’t have any experience with sqlite databases, so if someone could give me even just an article that has the information I need I’d really appreciate it.