HTB Academy SQLMap Essentials: Skill Assessment issues

Hello, I'm having quite a bit of difficulty establishing a foothold for the skills assessment involving a CTF of the minishop website. When I try running sqlmap on the shop or checkout pages it can't find a parameter to exploit. However, when I run with --forms --crawl=2 it finds forms on both these pages but can't inject into the parameters. Any tips for this exercise? I've searched around, but there hasn't been much discussion on this course.

1 Like

I finally found a parameter that should be exploitable via a POST request with JSON. Heuristic tests are saying it is injectable, but I haven’t been able to get anything to take yet. Make sure you click all the buttons on the shop and look at the network requests. sqlmap isn’t going to find it with crawl or forms.

1 Like

Got the flag. My hints are as follows: 1. Locate the attack vector manually. 2. The asterisk character * is your friend. 3. -v is also your friend.

4 Likes

> @ecutrigut said:
> I finally found a parameter that should be exploitable via a POST request with JSON. Heuristic tests are saying it is injectable, but I haven't been able to get anything to take yet. Make sure you click all the buttons on the shop and look at the network requests. sqlmap isn't going to find it with crawl or forms.

Thanks for posting something about this assessment! I'm having a hard time finding the attack vector manually. I will keep trying, but as of now I'm not sure what I'm missing within the network inspect views.

Hello! I looked through all the menus but I can't find the attack vector. The only POST request I found was on the Copyright link to https://colorlib.com/. Could you give some more help on this challenge?

I solved it! You need to find the PHP JSON POST script on one side, after you find the hint.

1 Like

Finally I got final_flag. My suggestions are:

  1. Inspect element to find the POST request. I used Burp Suite to locate the POST request and then "Inspect Element".
  2. Copy as cURL to sqlmap.
  3. Use * to find the correct payloads.

> @s3e said:
> Finally I got final_flag. My suggestions are:
> 1. Inspect element to find the POST request. I used Burp Suite to locate the POST request and then "Inspect Element".
> 2. Copy as cURL to sqlmap.
> 3. Use * to find the correct payloads.

Can somebody please tell me more about this:

> 3. Use * to find the correct payloads.

2 Likes

I second this. I'm stuck in the same place: I know the POST request (axxxxx.php) but I can't get the injection to work. There are two mentions above regarding using "*", but I can't see where I would use that in a request.

Has anyone some FRESH advice on this flag?

My advice is don't overthink. Pay attention to what sqlmap is showing, using the hints already provided. You will notice what payload is suitable. Once you find it, use it in your sqlmap command. It is easier than you think. :)

I finally got time to come back to this one. After finding the location point for the SQL injection...

For me, some of the comments above led me in the wrong direction:

  • I did not need to use "-v"; all the information I needed was in the standard output (from an education point of view, setting "-v 6" is useful to see what sqlmap is actually doing).
  • I did not need to use "*". There is only one variable, and so there is no place to use "*".
  • I did not need to use cURL or "copy to cURL". I saved the Burp request to a file.

An additional tip: the back end server is filtering requests, but the solution is clearly stated in the sqlmap output comments; you don't need to trawl the module for the solution.

I hope that is ACTIONABLE advice and is helpful.

6 Likes
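Since the thread goes back and forth on where the `*` goes and what sqlmap tests when it is absent, here is an added example (not code from the thread, the lab, or sqlmap itself): a small Python parser that reads a raw request file in the format Burp saves for `-r`, and lists the JSON values that would be treated as injection points. It models sqlmap's documented behaviour: a value carrying the `*` custom injection marker is tested on its own, otherwise every scalar value in the JSON body is a candidate. The host, path and body are constructed placeholders.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: a raw HTTP request as saved from Burp Suite. Host, path and body
# are hypothetical and not taken from the lab. The `*` inside the "id" value is sqlmap's
# custom injection marker: it tells sqlmap to test exactly that spot instead of guessing.
SAMPLE_REQUEST = """POST /api/example.php HTTP/1.1
Host: shop.example.test
Content-Type: application/json
Content-Length: 24

{"id": "1*", "qty": "2"}
"""

MARKER = "*"


def parse_request_file(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP request (Burp 'copy to file' format) into method, path, headers, body."""
    head, _, body = raw.partition("\n\n")          # blank line separates headers from body
    lines = head.splitlines()
    method, path, _version = lines[0].split()       # request line: METHOD PATH VERSION
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def _walk(obj, prefix, out):
    """Flatten nested JSON into (key path, scalar value) pairs, e.g. items[0].id."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            _walk(v, f"{prefix}.{k}" if prefix else k, out)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            _walk(v, f"{prefix}[{i}]", out)
    else:
        out.append((prefix, obj))


def injection_points(raw: str) -> List[str]:
    """Key paths sqlmap would test: marked values if any `*` is present, otherwise every scalar."""
    method, _path, headers, body = parse_request_file(raw)
    if method != "POST" or "application/json" not in headers.get("content-type", ""):
        return []                                   # only the JSON POST case from the thread
    leaves = []
    _walk(json.loads(body), "", leaves)
    marked = [k for k, v in leaves if isinstance(v, str) and MARKER in v]
    return marked or [k for k, _ in leaves]
```

With the marker present only `id` is reported; strip the `*` and both `id` and `qty` are candidates, which is why the post above could skip the marker on a single-variable request.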

How did you find it, bro? I am hard stuck; I can't see anything. I tried using Burp and the network tab.

Where did you find it, and how? I've tried to find it but haven't seen anything.

I am also stuck. I can find 4 tables with sqlmap (I found a tamper that is needed here) but nothing more. Can't dump schemas or contents, no file write, tried proxies and still stuck. Does anyone have a nudge?

The most complicated thing here is to find @77@ck v3c70r

Finally made it. Great exercise. Some comments:

  1. It is very important to check the error message. By reading the error message, you can find how the SQL is formed. The goal is to figure out how to remove the error message.

  2. It is also helpful to use curl to manually send the message, and then use -v 6 in sqlmap to see the difference in the inputs.

  3. Finally, it is useful to check tamper, as it will be used, but you will surely find that out quickly.

Hey man, can you help me with the case #9 flag in the Bypassing Web Application Protections section? Been stuck for days; any nudge is appreciated.

After three days of searching and drilling, I finally got the flag.
I want to leave some helpful messages for those who are stuck.

First, try to find the vector to inject; don't neglect any button, even if its href is #. The best way of finding it is to read the source code.

Second, remember to specify the techniques to use, or it will take too long and the machine will shut down before you find the payload.

Third, 3, 3 is enough.

Fourth, some symbols were filtered out.

Fifth, use Burp to catch the POST package to use.

I think that's enough of a hint for you to pass the test; if you still can't pass, DM me!

3 Likes

Just want to say, I really overthought this one. It was really very simple in the end.

Here’s what I ended up doing:

  1. Clicked on every button on every page of the website (even if I didn't think they'd be useful) until I found an interesting POST request in the network tab of the browser dev tools.

  2. Intercepted the request with Burp Suite and copied the request to a file.

  3. Used the request file in sqlmap and played around with security bypass techniques until I found a set that worked. (This is what took the longest, but it's still nothing crazy.)

  4. Enumerated, saw where final_flag was, and dumped it.

That’s really all it was. The hint really does outline all that you have to do.

2 Likes

Hi, I'm stuck on this task, can you help?
I can't find the POST request on the page. I've already spent a few days on this.