--prefix '`)'
leaving it here for future generations to come.
Though I have completed the module, I would like to know how you discover the need for a prefix or suffix when using SQLMap. Better yet, how do you find out what prefix and/or suffix is needed to successfully inject your command?
I know in the module it is given but in a real life pentesting scenario, how would one discover this?
Appreciate if someone can shed some light on this. Thanks in advance.
thanks, can you explain the reasoning behind it a little more? For example why did we use ` ?
Second that. I’m not interested much in the formatting of the SQLmap command itself, more how to spot this while testing tons of params.
Why bro? who did you got there?
On Case5 OR SQLi, Detect and exploit (OR) SQLi vulnerability in GET parameter id, I got the flag but upon submission it says it is incorrect. Anyone else have an issue with this flag?
Does anyone know how you would find the prefix in a real life scenario? I tried multiple ways without using the prefix command they gave as the hint and could not find any working command…
It needs you to change the URL parameter with a random guess. Once you add a ` behind the id, the page malfunctions, indicating u r on the right track, then just follow the above and you will find that when you use the parameter id`) -- -, the page displays correctly.
The most important thing is the --level. This is the exact command I used: sqlmap -u http://94.237.50.13:41094/case6.php?col=id --batch --dump --level=4 --risk=3 --prefix='`)'
it has to be set to 4 and you’ll get the flag.
Where did everyone get the “id” in col=id? I’ve been doing the right thing but I didn’t use id and got stuck…
For all y’all struggling with it, use Burp Suite. It’s easier. Save the HTTP packet, then do
sqlmap -r http_request --risk=3 --level=5 --batch ...
Heyhey
I was stuck here too and read the full thread. Somehow it wouldn't work with the sqlmap tool. I finally just injected the URL myself by hand with the methods taught by the SQL Injection module on HTB Academy and retrieved the flag manually.
the full URL to retrieve the flag was:
http://IPADDRESS:PORT/case6.php?col=id`)%20UNION%20select%201,content,3,4,5,6%20from%20testdb.flag6%20--%20-
hope this helps someone in the future again
I fully agree! With the hint it took me literally 30 seconds.
But how do I find this prefix??
In the module you can take a look at the example PHP and there you can see which prefix is required to close a function. But how would I do this here? If they had not given it to me in the hint, I would never have found it…
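Why a parameter such as col can sit in a context that needs closing, and how the server side should handle it, as an added example that is not part of the thread or the module. The query shape, the table and the function names are assumptions, and SQLite stands in for the database because it also accepts backtick-quoted identifiers.

```python
import sqlite3

ALLOWED_COLUMNS = {"id", "name"}  # hypothetical allowlist for the col parameter

def make_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(2, "b"), (1, "a")])
    return conn

def list_items_vulnerable(conn, col):
    # Assumed query shape: the value is pasted inside backticks and
    # parentheses, so it is parsed as SQL syntax rather than as data.
    sql = f"SELECT id, name FROM items ORDER BY (`{col}`)"
    return conn.execute(sql).fetchall()

def list_items_hardened(conn, col):
    # Placeholders bind values, not identifiers, so the column name is
    # checked against a fixed allowlist before it reaches the query text.
    if col not in ALLOWED_COLUMNS:
        raise ValueError("unknown column")
    sql = f"SELECT id, name FROM items ORDER BY (`{col}`)"
    return conn.execute(sql).fetchall()

def outcome(fn, conn, col):
    """Return 'ok', 'sql-error' or 'rejected' for one input value."""
    try:
        fn(conn, col)
        return "ok"
    except sqlite3.OperationalError:
        return "sql-error"  # the broken page a stray backtick produces
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    conn = make_db()
    for value in ["id", "id`"]:  # constructed inputs
        print(repr(value),
              outcome(list_items_vulnerable, conn, value),
              outcome(list_items_hardened, conn, value))
```

A database error triggered by a single quoting character is the signal to look for in application logs, and the allowlist is the fix because an identifier cannot be passed as a bound parameter.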