
Zixem Challenges

Last updated 2 years ago

Zixem is a series of challenges that focuses on UNION-based SQL injection attacks. In every challenge we are required to select the database version and the current username.

Level 1

We first see this web page, which displays products based on a GET parameter called id.

Since we are only allowed to use UNION, let's check how many columns the query returns.

Using the payload => 1'+union+select+1--+- we got this error:

So maybe the id value is passed as an integer, so we don't need to add the quote: 1111+union+select+1--+-;

Nice, let's increment the number of columns until this message disappears.

We can see that the query returns 3 columns and only the first 2 are displayed. The user and version can be selected as follows: 111+union+select+version(),user(),3--+-

Level 2

Level 2 is like level 1, but here the id parameter is passed as a string, so we need to add a quote to break out of the query.

Final query : 444'+union+select+user(),version(),3,4--+-;

Level 3

Another web page that displays products based on a GET parameter called item.

If we try to manipulate the query as follows: 33'+union+select+1--+; we get this error:

Maybe they are filtering just the letters "on"? Let's try "ON" to see what happens.

OK, let's add another "on" inside the word union so that it becomes unionon; when the filter deletes "on" we still have the word union.

We got a different error saying that more columns are returned, so the bypass was effective.

Increasing the numbers until we get 4 columns returned; only the first 3 are displayed. The user and version can be selected as follows: 333+unionon+select+user(),version(),3,4--+-;

Level 4

Level 4 is as easy as level 2, but it expects 5 columns.

Final query to select the user and the version : 111'+union+select+1,2,user(),version(),5--+-;

Level 5

Level 5 was a brute-forcing challenge rather than SQL injection; see the note and the script link at the end of this page.

Level 7

As usual, a simple web page that displays content based on a parameter.

When we try to manipulate the id parameter we get nothing: whatever we add, quotes, numbers or dashes, the web page is completely static and shows no errors [give it a try yourself].

Until we take a look at the source code.

We have this hidden element which holds a value that tells us whether the query is correct or not. If I change this id to any other value I get an error:

So the key here is to discover how many columns are returned according to this value.

With a few errors we manage to get the correct query; also column number 2 is displayed beside the word "ok", so we can select the user as follows:

// Selecting user
12' union select 1,user(),3-- -;
// Selecting version
12' union select 1,version(),3-- -;

Level 8

We are facing a web page that has a GET parameter id, with Patrick greeting us, so let's try a simple payload like '+union+select+1--+-;

Our query is being filtered now. My preferred approach for bypassing the filter is to re-write the payload character by character and observe the results.

We can see that the + operator triggers the filter. + is the URL encoding of a white space, so we can replace it by double URL encoding or inline comments /**/, but none of these worked for me, so I read a simple write-up showing a case of using the carriage return character %0D, which succeeded in bypassing the filter for white space. So let's re-write it again:

Used payload => 1%0Dunion%0Dselect%0D1--%0D-;

The result I got =>

We can see that the select word has been removed. Let's nest another select inside the word like we did before, to get seselectlect.

Nice. All we need now is to find the number of columns; by increasing the number we found that it needs 3 columns and the first 2 are reflected.

We can easily select the version and user now :
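The tricks in levels 3 and 8 (doubling a keyword so that one deletion pass leaves it intact, and using %0D for white space) defeat the same design: a filter that deletes substrings from a raw, undecoded value. The following Python is an added example, not code from this write-up or from Zixem; it contrasts that single-pass deletion with a check that decodes and normalises the value first and then rejects it instead of rewriting it. The function names are mine, and the sample values are the payloads quoted above.

```python
import re
from urllib.parse import unquote_plus

# Constructed samples, taken from the payloads quoted in this write-up.
LEVEL3_VALUE = "333+unionon+select+user(),version(),3,4--+-"
LEVEL8_VALUE = "1%0Dunion%0Dselect%0D1--%0D-"


def strip_once(value: str, words) -> str:
    """The weak pattern: delete each blocked word in a single pass.
    Deleting a substring can splice the surrounding characters into the
    very word that was removed, which is what 'seselectlect' relies on."""
    for word in words:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value


def strip_to_fixpoint(value: str, words) -> str:
    """Repeat deletion until the value stops changing, so nothing can be
    reassembled. Still a rewrite, which is why rejection below is preferred."""
    while True:
        new = strip_once(value, words)
        if new == value:
            return new
        value = new


def normalize(raw: str) -> str:
    """Undo the encodings a filter must see through before matching:
    URL-decode ('+' and %0D become whitespace), turn comments into spaces,
    and collapse any run of whitespace, carriage returns included, to one."""
    text = unquote_plus(raw)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    return re.sub(r"\s+", " ", text).strip().lower()


def is_suspicious(raw: str) -> bool:
    """Reject rather than rewrite: a normalized value that still carries
    both UNION and SELECT is refused. Nested spellings are caught because
    the check searches for the substring instead of deleting it."""
    text = normalize(raw)
    return "union" in text and "select" in text
```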

Level 9

This time the challenge is different, as we are required to display the contents of /etc/passwd.

We see a simple GET parameter called id, so let's try to inject a union payload into it:

We get an error that more columns are needed, and another error saying that it requires something.

It accepts only 2 columns and also requires column number 1, so let's put the file name in that column: ../etc/passwd

Level 10

When we open the challenge we find a GET parameter called x which has a base64-encoded value:

https://www.zixem.altervista.org/SQLi/lvl10.php?x=ISwwYGAKYAo%3D

When we attempt to decode it, we find a very strange result:

Honestly I thought that this was a dead end, and I looked at the source code hoping for additional info.

After this hint I knew that the decoded value is a uuencoded string, so I went for an online decoder to see what it holds.

So the value of x was 1, uuencoded and then base64-encoded. Now let's create our payload and encode it.

We can now try to inject the parameter x with the base64 string.

Now it is a process of determining the number of columns and then selecting the version.

Remove the quote from the number 1 in the payload because it is parsed as an integer, not a string; this caused me an error in the beginning.
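To see what a doubly encoded parameter like x really carries (for example when reviewing request logs), both layers have to be peeled off in order: base64 first, then uuencode. The Python below is an added example, not code from this write-up; the sample value is the one from the level 10 URL above, and the function names are mine. It reproduces the uuencode layout seen after decoding (zero bits written as a backtick, data closed by a zero-length line) and also handles values longer than one 45-byte uuencode line.

```python
import base64
import binascii
from urllib.parse import unquote

# Constructed sample: the x parameter value quoted in the level 10 URL above.
SAMPLE_X = "ISwwYGAKYAo="


def uu_encode_body(data: bytes) -> bytes:
    """uuencode body only (no 'begin'/'end' lines): 45-byte data lines with
    zero bits written as '`', followed by the zero-length line '`' that
    closes the data. This matches the layout seen after base64-decoding x."""
    lines = [binascii.b2a_uu(data[i:i + 45], backtick=True)
             for i in range(0, len(data), 45)]
    return b"".join(lines) + b"`\n"


def uu_decode_body(body: bytes) -> bytes:
    """Inverse of uu_encode_body; tolerates a missing terminator line."""
    out = bytearray()
    for line in body.splitlines():
        if not line:
            continue
        chunk = binascii.a2b_uu(line)
        if not chunk:          # zero-length line marks the end of data
            break
        out += chunk
    return bytes(out)


def decode_x(param: str) -> str:
    """Peel both layers: URL-decoding (%3D), base64, then uuencode."""
    raw = base64.b64decode(unquote(param))
    return uu_decode_body(raw).decode("utf-8", "replace")


def encode_x(value: str) -> str:
    """Apply both layers in the opposite order: uuencode, then base64."""
    return base64.b64encode(uu_encode_body(value.encode("utf-8"))).decode("ascii")


if __name__ == "__main__":
    print(repr(base64.b64decode(SAMPLE_X)))  # b'!,0``\n`\n'
    print(decode_x(SAMPLE_X))                # 1
    print(encode_x("1"))                     # ISwwYGAKYAo=
```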

Level 5 was a brute-forcing challenge and not relevant to SQL injection; however, I've solved it in my GitHub repo:

https://github.com/khaled1000emad/CTFs-With-Python-Scripts/tree/main/Zixem%20lvl5
Challenge site: https://www.zixem.altervista.org/SQLi/

Screenshot captions (images not reproduced here): letters "on" are deleted; uuencoding our payload; base64 encoding the string; you can use the CONCAT function to concatenate strings.