
I am learning SQL injection, and I set up the sqli-labs environment (Windows + PHP + MySQL 5.5.53) on my computer.

I encountered two problems when I was solving sqli-labs Less-15. The source code in this question is below:

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  1. When I submitted the POST data `uname=1' or sleep(3)%23&password=2` to the URL http://127.0.0.1/sqli-labs/Less-15/, the response was delayed about 13.18 secs where 3 secs was expected. Why did this happen?
  2. In my previous knowledge, when the condition before `and` is true, the statement after `and` is executed. After posting the data `uname=1' and sleep(3)%23&password=2`, the result was returned immediately as expected. But when I used sqlmap to test this URL, I found the sqlmap payload was like this: `uname=1' and (SELECT * FROM (SELECT(SLEEP(2)))IkiC)%23&passwd=2`, and the sleep function was executed exactly. So why did this happen? (There is no username 1 in the table users.)
tec_bai
  • More data required. Is a `sleep(13)` delaying for 23 seconds or something else? – tadman Dec 29 '20 at 03:20
  • sqli-labs website: https://github.com/Audi-1/sqli-labs – tec_bai Dec 29 '20 at 03:25
  • I executed the SQL statement `select * from users where username=1 or sleep(13) and password=1 limit 0,1;` in MySQL Front, but the query could not be returned after a long time. The status bar always displayed "Execute Query...". – tec_bai Dec 29 '20 at 03:32
  • After waiting for 2:49, the result was returned. I am confused. :-( @tadman – tec_bai Dec 29 '20 at 03:37
  • Maybe I found the answer to the first question partly. In the table users, there are 14 records. I reran the SQL `select * from users where username=1 or sleep(3) and password=1 limit 0,1;` in MySQL Front; it took 39 secs (14*3=42 secs expected). So maybe the answer is that the SQL statement select is executed 13 times. But why not 14 times? If I delete 12 records and leave 2 in the table, the execution time will be 6 secs as expected. – tec_bai Dec 30 '20 at 07:08
  • I'm so sorry about the first question. I found the real SQL statement should be `uname=1' or sleep(1)%23&password=2`: sleep(1), not sleep(3). It's my fault. – tec_bai Dec 30 '20 at 07:15
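The per-row delay discussed in the question and comments, reproduced as an added example that is not part of the original post or of sqli-labs: it uses SQLite in place of MySQL, a counting function `slow()` in place of `SLEEP()`, and SQLite's `-- ` line comment in place of `%23` (`#`), and it puts the same concatenated query next to a parameterized one. Its `users` rows are constructed; the derived-table case from question 2 is not modelled here.

```python
import sqlite3

ROWS = 14  # constructed to match the 14 records the asker mentions


def build_db():
    """In-memory stand-in for the sqli-labs users table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(f"user{i}", f"pw{i}") for i in range(ROWS)])
    return con


def run_counting(con, sql, params=()):
    """Run sql; return (rows returned, how often slow() was evaluated)."""
    calls = {"n": 0}

    def slow():
        calls["n"] += 1  # stands in for SLEEP(), which also returns 0
        return 0

    # non-deterministic, so SQLite cannot hoist it out of the row loop
    con.create_function("slow", 0, slow, deterministic=False)
    rows = con.execute(sql, params).fetchall()
    return len(rows), calls["n"]


def vulnerable_login(con, uname, passwd):
    """Same string concatenation as the Less-15 source line."""
    sql = (f"SELECT username, password FROM users WHERE username='{uname}' "
           f"and password='{passwd}' LIMIT 0,1")
    return run_counting(con, sql)


def parameterized_login(con, uname, passwd):
    """Hardened form: values are bound, so the payload stays a plain string."""
    sql = ("SELECT username, password FROM users WHERE username=? "
           "and password=? LIMIT 0,1")
    return run_counting(con, sql, (uname, passwd))


if __name__ == "__main__":
    con = build_db()
    # `-- ` is SQLite's line comment, playing the role of %23 (#) in MySQL
    print(vulnerable_login(con, "1' or slow()-- ", "2"))    # (0, 14): once per row
    print(vulnerable_login(con, "1' and slow()-- ", "2"))   # (0, 0): AND short-circuits
    print(parameterized_login(con, "1' or slow()-- ", "2"))  # (0, 0): never parsed as SQL
```

With OR, the false `username='1'` forces the right-hand side to be evaluated for every row, so the total delay is the row count times the sleep; with AND it is skipped on the first false operand.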

1 Answer


I found the answer to question 2:

SQL executes the innermost sub-query first, and then the next level. The results of the sub-query are the query conditions of the primary query. So in this case, the query sequence is sub-query -> primary query.

The answer comes from: In which sequence are queries and sub-queries executed by the SQL Engine

tec_bai