I am gonna do some SQLi challenges for my homework 😁 And I'm gonna do this write-up to review or share with anyone who wants to read it. Here is the link to the website:
[Zixem](https://zixem.altervista.org/)
My task is to select only the version and user, and to take a screenshot as proof.
So, have fun.
# Level 1 (Super easy or not :) )
I think we should know where the SQL error is. Let's assume how the page works.
```sql
SELECT * FROM ANYTHING WHERE ID = 1
```
Firstly, the query can easily be broken by adding a single quote after the integer or by adding `AND 1=2`.

What we need to do now is find the number of columns, and it can be done in many ways.
1. Order by
2. Union select
3. Group by
Start with order by:

When I try `order by 4` I get an error stating `unknown col 4`, so I guess that the database has 3 columns.
Let's try with Group by:

Thus, the database has 3 cols.
We have to add `AND 1=2` after the id so that the original query returns no rows. All we need to do now is select `user()` and `version()`.
So the query becomes:
```sql
Select * from anything where ID = 1 AND 1 = 2 UNION ALL SELECT user(),version(), 3 --
```
And I got the user and version.

# Level 2 (Easy)
First, like level 1, put a single quote after the number.

Second, go looking for the cols.

I got nothing here when trying to use UNION ALL. It looks like the id is a string now, not an integer anymore.

I just broke the query, but it said that I need to close the quotation mark.

And just like here, I got another error. Let's try with 4 cols.

I got it, so all I need to do now is find the version and user.
```sql
SELECT * FROM profiles WHERE SHOWPROFILE=4 AND 4=5' UNION ALL SELECT 1,user(),version(),4' --
```

# Level 3 (Medium)
Like levels 1 and 2, we check that:

But the `on` is filtered out.

So we're gonna do it with this

and just bypass it. So we're gonna find the user and version.

Done with level 3.
# Level 4 (Normal)
Do the same thing as in the levels above.

Adding 5:

And just find the version and user.

# Level 7 (Medium)
Let's continue with level 7.
When I test it like the levels above, I don't see anything change, so I try to check the code.

So here the value turns into an error, and all the values shown on the page are defaults.

We see that the value changes to show the version when we run the query.


# Level 8 (Hard)
Just try to do it like the levels above.

The result is "hacking attempt". So something is filtered out. The issue here is the white space.
We must think about how to replace the white space.
Let's try with `+`.

Nothing changes.
I don't know much about URL encoding, so I need to learn more :<
Here is the link: [URL encoding](https://www.w3schools.com/tags/ref_urlencode.asp?source=post_page-----fb1830da2dba--------------------------------)

Finally got this.

The string "SELECT" has been filtered out, so I must try "SELECSELECTT".


So I finally got this ...
# Level 9 (Medium)

Just do it like the medium level.
# Level 10 (Pro but i'm not)
In the URL, I can find a string (that's the value of x).

Decode it and I have:
```
!,0``
```
So weird, I have not seen it before. So let's google it.
After searching, I know this type of encoding is Uuencode.

So ``` !,0`` ``` corresponds to 1.
Now we need to follow this procedure:
1. Write the query
2. Encode it into Uuencode
3. Encode it into Base64
4. Submit the query
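
The procedure above, as an added Python example (not from the original write-up or the challenge site): it runs the Uuencode-then-Base64 chain in both directions and shows the server-side check that the encoding layers do not replace. All function names are assumptions, and the sample values are constructed.

```python
import base64
import binascii

UU_CHUNK = 45  # a uuencoded line carries at most 45 raw bytes


def uu_encode(data: bytes) -> bytes:
    """Uuencode without the begin/end header, one line per 45-byte chunk."""
    chunks = [data[i:i + UU_CHUNK] for i in range(0, len(data), UU_CHUNK)]
    # backtick=True writes zero groups as '`', matching the decoded value of x
    return b"".join(binascii.b2a_uu(c, backtick=True) for c in chunks)


def uu_decode(blob: bytes) -> bytes:
    """Inverse of uu_encode; every line starts with its own length character."""
    return b"".join(binascii.a2b_uu(line) for line in blob.splitlines() if line)


def encode_param(value: str) -> str:
    """Steps 2 and 3 of the procedure: Uuencode, then Base64."""
    return base64.b64encode(uu_encode(value.encode())).decode()


def decode_param(x: str) -> str:
    """Peel the layers in reverse order: Base64 first, then Uuencode."""
    raw = base64.b64decode(x, validate=True)
    return uu_decode(raw).decode()


def is_plain_id(x: str) -> bool:
    """Hypothetical server-side check: the decoded value must be a bare integer.

    Encoding hides the value from a casual reader, not from the SQL parser,
    so validation has to happen after decoding.
    """
    try:
        value = decode_param(x)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return value.isascii() and value.isdigit()


if __name__ == "__main__":
    x = encode_param("1")                         # constructed sample value
    print(x, "->", repr(decode_param(x)), is_plain_id(x))
    tampered = encode_param("1 AND 1=2")          # condition used in Level 1
    print(tampered, "->", repr(decode_param(tampered)), is_plain_id(tampered))
```
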



We bypassed it. So let's show my name here and get the version.