Hey Im, trying to do this RCE too. I’m currently at the moment when py script lunches CREATE FUNCTION command, but it doesn’t work. I’m using SELECT lo_put instead of INSERT to upload shellcode to large objects. Can anyone give any hint? =)
Managed to figureout with help, something with my Python script
Someone who would like to drop a nudge?
I see the flaw but all my payloads are not working for some reasons 
DM me in case!
I’m in the same situation…managed to bypass most of the filter words (in lab), but I’m not able to find any substitute for the ;
The query does not seem to run without it…can anyone help me with this?
Looking also for help with the login part. Can enumerate all columns table, but have problem with the passwords column. i can’t get the full name of it, i got the first 5 characters tough. I’ve extracted usernames and emails. I would appreciate a hint or help for how to get the password column, i think i need the hash for generating the reset link.
I am facing same problems, seems like the password field is null… Lenght is giving back zero!
Where both email/username/first name works…
EDIT: NVM I got it!
can i dm you for a hint? still working on that password field.
1 Like
Hello, friends!
Who answered the question correctly in the section:
“Error-Based SQL Injection”
I can’t figure out how to find the right answer.
The hint doesn’t tell me anything.
I will be glad to have your help, who has passed this module.
Hi there!
I am stuck on the first skill assessment question. I managed to enumerate the database, got 2 user names and hashes. But no way to crack them… What did I miss out? How can I get the cleartext passwords to login into the dashboard?
Hello!
Hello there,
I’m stuck on the first skill assessment question. I can get the email of the user ‘ad***’ but when I want to get the pss** column it doesn’t exist, could someone give me a clue? or what would be the correct query to enumerate columns in PSQL boolean based?
Don’t forget that the filter apply to all of your queries! And don’t forget that java doesn’t do any magic, it needs to know the column name to create the object
1 Like
I’m currently stuck on the login part, the password column seems empty? Could anyone please help?
For anyone stuck, check the filter and the column name you are trying to extract
1 Like
Here are couple of hints from my end (after some struggle at the end), in both cases the injection point is obvious.
- Look at the filters… on the last piece of information required to generate the password reset token again the filter is what is causing your issues…
- Here i spend a lot more time debugging, i decided to use lo_put instead of the insert (didnt try if its doable with it) , however my mistake was that i was passing wrong value for the offset parameter…
For anyone that is still stuck, feel free to DM me, however dont expect a ready solution, after all we here to learn and not copy paste… 
1 Like
If anyone can give a nudge on this thing.
I got a Java script to return me a filtered query just like the one from @lewis2018.
But whatever payload I set to the API endpoit it returns false, even with a basic 1=1 tautology.
PS: From the hints of @Reeelaxmait, I was able to enumerate the DB. And with ChatGPT I got a Python Script to generate a valid Token.
Now I may be facing some minor issue in my Python script, even though it granted me RCE while executing the query from the ‘Error-Based’ Section and I was able to change a table data with it.
For anyone who might be stuck in the final steps.
Read the comments from @sirius3000 and @nullb1te
I spent a couple of valuable hours attempting to only change minor stuff in the script, which had successful result in the non-SA target and injecting queries to the RDBMS to be ran but when trying to upload the PostgreSQL extension to the SA target it did not execute.
I decided to change the method of writing the file which needed a few tweaks and with the comments from @nullb1te, I was able to gain RCE.
1 Like