HTB Academy SQLMap Essentials: Skill Assessment issues

Hello, I am having quite a bit of difficulty establishing a foothold for the skills assessment involving a CTF of the minishop website. When I try running sqlmap on the shop or checkout pages it can’t find a parameter to exploit. However, when I run it with --forms --crawl=2 it finds forms on both these pages but can’t inject into the parameters. Any tips for this exercise? I’ve searched around, but there hasn’t been much discussion on this course.

I finally found a parameter that should be exploitable via a POST request with JSON. Heuristic tests are saying it is injectable, but I haven’t been able to get anything to take yet. Make sure you click all the buttons on the shop and look at the network requests. sqlmap isn’t going to find it with crawl or forms.

Got the flag. My hints are as follows:
1. Locate the attack vector manually.
2. The asterisk character * is your friend.
3. -v is also your friend.

Thanks for posting something about this assessment! I’m having a hard time finding the attack vector manually. I will keep trying, but as of now I’m not sure what I’m missing within the network inspect views.

> @ecutrigut said:
> I finally found a parameter that should be exploitable via a POST request with JSON. Heuristic tests are saying it is injectable, but I haven’t been able to get anything to take yet. Make sure you click all the buttons on the shop and look at the network requests. sqlmap isn’t going to find it with crawl or forms.

Hello! I looked through all the menus but I can’t find the attack vector. The only POST request I found was on the Copyright link to https://colorlib.com/. Could you give more help with this challenge?

I solved it! You need to find the PHP JSON POST script on one side, after you find the hint.

Finally I got final_flag. My suggestions:
1. Inspect element to find the POST request. I used Burp Suite to locate the POST request and then “Inspect Element”.
2. Copy the request as cURL to sqlmap.
3. Use * to find the correct payloads.

> @s3e said:
> Finally I got final_flag. My suggestions:
> 1. Inspect element to find the POST request. I used Burp Suite to locate the POST request and then “Inspect Element”.
> 2. Copy the request as cURL to sqlmap.
> 3. Use * to find the correct payloads.

Please can somebody tell me more about this:

> 3. Use * to find the correct payloads.
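The last question in the thread is about what the * hint means. In sqlmap, a `*` placed inside a request file passed with `-r` is the custom injection marker: it tells sqlmap to test exactly that spot instead of guessing which parameter to probe, which is why crawling and `--forms` never got anywhere here. The following is an added example, not code from the thread or from HTB; it takes a constructed HTTP request with a JSON body (the host, path and field names are assumptions, not the real assessment target) and shows where the marker goes and how the `Content-Length` header has to be kept consistent after editing the body.

```python
import json

# Constructed sample request; host, path and JSON fields are made up for
# illustration and are not taken from the assessment.
SAMPLE_REQUEST = """POST /api/check.php HTTP/1.1
Host: minishop.example
Content-Type: application/json
Content-Length: 23

{"id": "1", "qty": "2"}"""


def split_request(raw):
    """Split a raw HTTP request into its header block and body."""
    head, _, body = raw.partition("\n\n")
    return head, body


def json_params(raw):
    """Return the JSON field names in the body, i.e. the candidate injection points."""
    _, body = split_request(raw)
    return sorted(json.loads(body).keys())


def mark_param(raw, name):
    """Return a copy of the request with sqlmap's '*' marker appended to one JSON value.

    sqlmap reads the '*' in a -r file as the custom injection point and tests only
    that position, so the rest of the body is left untouched.
    """
    head, body = split_request(raw)
    data = json.loads(body)
    if name not in data:
        raise KeyError(f"no JSON field named {name!r}")
    marked = {k: (f"{v}*" if k == name else v) for k, v in data.items()}
    new_body = json.dumps(marked)

    # The body grew by one byte; a stale Content-Length would make the server
    # truncate or reject the request, so rewrite the header to match.
    lines = []
    for line in head.splitlines():
        if line.lower().startswith("content-length:"):
            line = f"Content-Length: {len(new_body.encode())}"
        lines.append(line)
    return "\n".join(lines) + "\n\n" + new_body


if __name__ == "__main__":
    print("candidate fields:", json_params(SAMPLE_REQUEST))
    print(mark_param(SAMPLE_REQUEST, "id"))
```

The output of `mark_param` is what you would save to a file and hand to sqlmap with `-r file.txt` (the `-v` hint from earlier in the thread then shows the actual payloads sqlmap substitutes at the marked position).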