Can anyone quide me forward here, I’ve been stuck here for couple of days now, and feel like I’ve tried everything.
I’m not sure anymore whether I’m supposed to use --prefix and --suffix, or just --prefix.
The hint says: Use the prefix ‘`)’. - Do I need to write is as it is, or in HTML URL Encoded version, the instructions say nothing about this.
When I try to inject with ‘spoiler’ after col=id, I get some error atleast
(also tried replacing col=‘spoiler’)
SQL error: SQLSTATE: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near " at line 1
I’ve tried every single option in SQLmap --level --risk -v to no avail
I already completed the next one too, but this one I think they made little too hard, or the instruction are missing something crucial
EDIT: Editted question to avoid spoiling it for others
You are very close, everything in your post should help you. Start fresh from the beginning doing what the hint says, you should see that it hits something, then increase the options from there. I generally have been using --batch and --dump for most of these exercises.
Edit: To take a stab at the error, try using single quotes when you use --prefix. If you used double quotes it might have taken the backtick or closing parenthesis wrong.
Start simple and build from there.
DM your sqlmap line and I will see if I can push you in a better direction.
Anyone else struggling with this, It’s like onthesauce said, single quotes (') instead of double quotes (") did the trick for me, also I recommend using URL encoding, might work with just ASCII though!
The SQLMap module was pretty tricky. Before continuing, read the first paragraph of my post above. Start fresh from the beginning. Try following the example provided in the lesson. Be wary of using id=* that might break things.
If you follow the example correctly, you should see that something happens. It won’t give you the flag, but it will be a ray of light. From there you just need one of the commands I mentioned in my last reply. Definitely don’t forget those two, they are life savers. And it is a rare occurrence when they aren’t needed.
Good luck, DM me if you are still stuck.