In 2015, we launched a SQLi lab for attendees to learn SQL injection. The challenges ranged from basic to advanced. While we no longer support the lab, we have decided to make all the content freely available. Note: some of the techniques described here may not work in the latest edition of the database(s).
Questions:
Answers for challenges:
- Challenge 1: Basics of SQL Injection [DB: MySQL, Level: Basic]
- Challenge 2: Comments in SQL Injection [DB: MySQL, Level: Intermediate]
- Challenge 3: How “or” & “and” clauses work? [DB: MySQL, Level: Advanced]
- Challenge 4: Data Extraction Using a union query [DB: MySQL, Level: Basic]
- Challenge 5: Blind SQL Injection [DB: MySQL, Level: Intermediate]
- Challenge 6: Identify database user privileges and perform RCE [DB: MySQL, Level: Advanced]
- Challenge 7: Role of encoding in SQL injection [DB: MySQL, Level: Intermediate]
- Challenge 8: SQL Injection in insert query [DB: MySQL, Level: Intermediate]
- Challenge 9: Role of string concatenation and URL encoding [DB: MySQL, Level: Advanced]
- Challenge 10: SQL Injection in “order by” clause query [DB: MySQL, Level: Advanced]
- Challenge 11: Bypass authentication using GBK encoding [DB: MySQL, Level: Advanced]
- Challenge 12: Role of the “Truncation” function [DB: MySQL, Level: Advanced]
- Challenge 13: Second Order SQL Injection [DB: MySQL, Level: Advanced]
- Challenge 14: Data Extraction Using a union query [DB: PostgreSQL, Level: Intermediate]
- Challenge 15: String-based SQL Injection [DB: MSSQL, Level: Basic]
- Challenge 16: Integer-based SQL Injection [DB: MSSQL, Level: Basic]
- Challenge 17: Data extraction using Union query [DB: MSSQL, Level: Intermediate]
- Challenge 18: Data Extraction Using a union query [DB: MSSQL, Level: Intermediate]
- Challenge 19: How “ctxsys.drithsx.sn” functions work? [DB: Oracle, Level: Intermediate]
- Challenge 20: Data extraction using a union query [DB: Oracle, Level: Intermediate]
- Challenge 21: Login to the Oracle database [DB: Oracle, Level: Intermediate]
- Challenge 22: Become a DBA by exploiting the Oracle procedure created by SYS user? [DB: Oracle, Level: Intermediate]
- Challenge 23: Become a DBA by exploiting the Oracle trigger created by the SYSTEM user? [DB: Oracle, Level: Intermediate]
- Challenge 24: How to become a DBA by abusing the current user permissions? [DB: Oracle, Level: Intermediate]
- Challenge 25: How to write a trigger to become a DBA? [DB: Oracle, Level: Advanced]
- Challenge 26: Execute OS code on the Oracle machine? [DB: Oracle, Level: Intermediate]
- Challenge 27: Read the system file by SQL Injection [DB: Oracle, Level: Advanced]