I spent a while doing this even with the hints. Here are my tips: First find the POST on the website:
Open dev tools F12 or burpe->open browser from burp. Click around the website. One of them will show a POST (in network for dev tools or In target->sitemap in burp).
When you find the POST, save the file in burp so you can use in sqlmap -r.
I was only using --batch --dump
But you can find tables using other commands ie --schema
Find the Technique that finds the injection
You only need to use 1 technique. (I just did it one at a time until I found an injection)
After running the sqlmap -r sqlmap logs suggests some commands, it tells you some useful commands to use
ie —no-cast
Don’t forget Risk and level
I set these both, I don’t 100% sure know if it was needed but I just set them as a high value just in case.
Find the correct tamper so the injections work correctly
You only need 1 tamper. I found this hard because I was using --parse-errors -v 3 then seeing a bunch of errors, so I tried a tamper one by one until I reduced the errors, but even with 1 tamper I was getting some errors, but it’s ok to see the odd error in the v3 log. I wasn’t sure how many I needed.
I think sqlmap actually told me the correct tamper too.
This should be enough and you will get the flag. But you can also filter results further to reduce time, ie if you know the database name and table. I had some weird issue where it said it couldn’t find any results in the tables,I’m not sure how I fixed it, I just tried again the next day but maybe --flush-session can fix it?
Tip: When you use all the commands sqlmap tells you, the correct tamper, the correct Technique with dump and batch, it should just find the flag in the log.
Look for POST (not GET) in your network or burp while clicking different things on the site. Normally POST will send some data so what can send data on that site?
Using Burpsuite first has been successful for me. It is straightforward to intercept the request and then write it to a file. The rest can then be solved with ONE
Oh my goodness. I just spend probably 10 hours on this assessment just to find out that it was really easy. To list my mistake in case anyone else runs into the same thing. I thought I would use a ZAP spider to look for requests and found another post request that looked plausibly injectable. I spent so much time trying to figure it out with probably hundreds of options. Just to find out that there was a completely other post request that the spider didn’t find. However, I am now a lot more proficient at sqlmap. lol Some things I learned that were cool were that you can pre-answer prompts if you already know what’s going to be asked with --answer=“last_word_in_prompt=answer” another cool thing that saved me a lot of time was grepping output to filter for warnings (however, this can only be done if you preanwer the questions.) Lastly, don’t hack colorlib. It appears to be non-related. lol
So I finally finished this after about 10 hours. My biggest problem was I was making a very stupid mistake. I was making assumptions about the database schema based on the previous databases in this module. Don’t do that!
Finding the right payload was extremely easy; finding the injection point from start to finish was “easy” too, but at the time it became pretty frustrating.
I spent hours skimming through the network tab in dev tools AND using burp to try to find something that takes user input to the server. For those of you who were successful with this, please pm me to explain exactly where you found the right path.
smh at myself. Totally rattled my confidence. I ended up using FFUF to brute possible files, then possible parameters. I had to try with the application/x-www-form-urlencoded and json content types before I got a response that actually made sense.
I am struggling with this one. I think I am pretty close.
I was able to find the attack vector. I think I have found the correct --tamper as well, because the behavior changed with that one, and it started saying that the attack vector was injectable.
I have captured the request, and saved it to a file. I am using sqlmap -r [filename] to run the attack and have added --batch --dump --no-cast and the --tamper which I have found works
Then I get an error saying [ERROR] unable to retrieve the number of databases
Soon after I get an error saying [ERROR] unable to retrieve the database names
I have cleared everything out and verified I am not getting a false positive, and respun up the VM
-v and --level --risk have not been very fruitful at this stage. -v helped me find the right --tamper but I am not seeing much more at this point.
Does someone have any idea’s of things I might try at this point?
