HTB Academy SQLMap Essentials: Skill Assessment issues

The 4 is correct, worked for me. You can PM your flag chars (randomised if you want) and I could help.

Otherwise try again, the 1337 reads right to me.

Finally got it, whooa a lot of requests to be made. Be patient, if anyone needs help, DM me.

It will seem that the protection is not present till you get stuck in errors.
Just use -v 6 to see what's going on and see what was taught for such scenarios.
See what is being sent and received.

For anyone who is still struggling: do not tamper with the POST request you get. Save the original one and use it with the -r switch. Everything from then on should be straightforward. If it's not, something is wrong with the request. I tampered with it and it made me absolutely crazy, not being able to figure out what's wrong and how to fix it.

Here are some tips to keep in mind:

  1. Take things one step at a time and don’t try to apply all the hints and tips at once.

  2. If you find yourself struggling to make progress, ensure that you are executing the hints in the right context and with the correct command.

  3. If you can’t seem to make any progress, start from scratch and begin with the basics.

  4. Remember that the two most important things to keep in mind are the techniques and the tamper option.

1 Like

Very nicely put. Don't forget you don't need to apply everything SQLMAP suggests; you can try one thing at a time and check the results after. In short:

if SQLMAP suggests adding 2 things, just add 1 of them and check.

sqlmap -r --tamper= -T table name --dump --batch (This is a format not an answer)

Also, the flag you find will throw some error; for that, just remove the b and put _ there in the flag.
Happy hacking

This one was difficult: get the POST request manually, and use the 'between' tamper.

Tips After Finding the Flag:

  1. Identify the Website Technology:

    • After visiting the website, use a tool like Wappalyzer to identify the programming language being used.
  2. Analyze Each Page Source Code:

    • For each page, open its source code.
    • Use CTRL + F to search for files with the website’s file extension (e.g., .php).
  3. Understand the Page Actions:

    • Once you find a page of interest, read through its functionality.
    • Look for actions being performed on the page. Experiment by interacting with the page until you see a request in the network tab or in Burp Suite.
  4. Intercept and Save the Request:

    • Intercept the request that interests you and save it to a file.
  5. Use SQLMap with the Tamper Script:

    • Run the command: sqlmap -r <file> --batch --tamper=<tamper script used in the module>
      • Example tamper scripts: between, space2comment
    • You can use multiple tampers by separating them with commas: --tamper=<tamper1>,<tamper2>
  6. Wait for Results:

    • Be patient; it might take 10 to 15 minutes. During this time, look for detection of a payload being used.
  7. Determine the Payload Type:

    • Identify the type of payload (e.g., Time-based, Union-based, etc.). This can often be deduced from the behavior of the payload.
    • If unsure, you can ask ChatGPT or rely on your knowledge.
  8. Run Multiple Tabs for Faster Analysis:

    • Open at least 5 tabs in your terminal or command line.
    • Add to your command: --technique=<types> --no-cast --dbs
    • Run this command in all 5 tabs to analyze the output of the databases.
    • For the technique, rely on the payload technique being used by sqlmap.
  9. Analyze and Extract Data:

    • Review the results to identify the correct database based on its name or structure.
    • Continue by using -D <database_name> --tables for each tab to list the tables and proceed with further steps as needed.

I hope it helps you rather than being useless words.
mdso999

1 Like

The solution :

  • Check the source code of the page : /shop.html

  • At the bottom, you will find a JS script which calls the file "/action.php" with the JSON payload {id:1}

  • The SQLi payload : {"id":"1, 313, 1,712,IF(1=(SELECT 1 FROM final_flag WHERE content LIKE 'HTB{N07\_50\_H4RD\_R16H7?!}'), SLEEP(2), 1 ))#"}

  • Flag : HTB{N07_50_H4RD_R16H7?!}

2 Likes
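From the defensive side, the payload quoted in the post above has a recognisable shape: a conditional wrapped around a subquery, a SLEEP() call, and a trailing comment character. The following is an added detection example, not part of the thread or of sqlmap; it assumes a constructed log format (one JSON object per line with "path" and "body" fields) and reuses the shape of the quoted payload with a placeholder string in place of the flag.

```python
"""Flag time-based blind SQL injection probes inside JSON request bodies.

Added example (not from the thread). The log format is a constructed
assumption: one JSON object per line, with "path" and "body" fields.
"""
import json
import re

# Delay primitives typical of time-based probes across common engines.
TIME_PATTERNS = [
    ("mysql_sleep", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("mysql_benchmark", re.compile(r"\bBENCHMARK\s*\(", re.I)),
    ("pg_sleep", re.compile(r"\bPG_SLEEP\s*\(", re.I)),
    ("mssql_waitfor", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
]
# A conditional wrapped around a subquery is the other half of a blind probe.
CONDITIONAL_SUBQUERY = re.compile(r"\bIF\s*\(.*\bSELECT\b", re.I | re.S)
# Comment terminators used to discard the rest of the original query.
TRAILING_COMMENT = re.compile(r"(#|--|/\*)\s*$")


def scan_value(value: str):
    """Return the names of suspicious constructs found in one string value."""
    hits = [name for name, pat in TIME_PATTERNS if pat.search(value)]
    if CONDITIONAL_SUBQUERY.search(value):
        hits.append("conditional_subquery")
    if TRAILING_COMMENT.search(value):
        hits.append("trailing_comment")
    return hits


def walk_strings(obj):
    """Yield every string inside a parsed JSON document, whatever the nesting."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk_strings(v)


def scan_log(lines):
    """Return [(path, hits)] for every log line whose body carries a probe."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        raw_body = entry.get("body", "")
        try:
            body = json.loads(raw_body) if raw_body else None
        except json.JSONDecodeError:
            body = raw_body  # not JSON: scan the raw body as one string
        hits = []
        for s in walk_strings(body):
            for h in scan_value(s):
                if h not in hits:
                    hits.append(h)
        if hits:
            findings.append((entry["path"], hits))
    return findings


# Constructed sample log: a normal request, a benign word that merely contains
# "sleep", and a probe shaped like the payload quoted in the thread (flag
# replaced by a placeholder).
PROBE = "1, 313, 1,712,IF(1=(SELECT 1 FROM final_flag WHERE content LIKE 'x%'), SLEEP(2), 1 ))#"
SAMPLE_LOG = [
    json.dumps({"path": "/action.php", "body": '{"id": 1}'}),
    json.dumps({"path": "/search.php", "body": '{"q": "sleeping bag"}'}),
    json.dumps({"path": "/action.php", "body": json.dumps({"id": PROBE})}),
]

if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG):
        print(path, hits)
```

The word-boundary-plus-parenthesis patterns are what keep "sleeping bag" from firing; a bare substring match on "sleep" would page on every product search.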

Guys, copy the request in JSON format (where the id parameter is) and use it for scanning with the -r request.txt flag. Also, add --tamper=between,space2comment, and everything will work.

sqlmap.py -r req.txt --batch --tamper=between,space2comment --dbs

Same here. I believe it's the correct answer but the system says incorrect.

I think it’s already been mentioned, but make sure that the Content-Type used by sqlmap is correct. To verify that it is correct, set the verbosity level to 6. I got stuck for a long time thinking that the parameter was correctly passed, but it wasn’t. It has to look like JSON in the request body.
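Two posts in this thread make the same point from different angles: keep the saved request untouched, and confirm that what sqlmap sends still has a JSON Content-Type with a JSON body. Below is an added example (not code from the thread or from sqlmap) that sanity-checks a saved raw request file of the kind passed to -r before any scan is started. The host name is a placeholder; the /action.php path and the {"id": 1} body are the ones described earlier in the thread.

```python
"""Sanity-check a saved raw HTTP request before handing it to sqlmap -r.

Added example, not from the thread or from sqlmap. It assumes the request
was saved verbatim from a proxy (request line, headers, blank line, body)
and reports the mismatches the posts describe: a body that should be JSON
but is not, a Content-Type that does not say JSON, or a wrong Content-Length.
"""
import json

# Constructed sample of a request saved as-is (host is a placeholder).
GOOD_REQUEST = (
    "POST /action.php HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 9\r\n"
    "\r\n"
    '{"id": 1}'
)

# Constructed sample of a hand-edited request: the body was rewritten as a
# form parameter while the header still claims JSON.
BAD_REQUEST = (
    "POST /action.php HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    "id=1"
)


def parse_raw_request(raw: str):
    """Split a raw request into (method, path, headers dict, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def check_request(raw: str):
    """Return a list of problems; an empty list means the file looks consistent."""
    problems = []
    method, _path, headers, body = parse_raw_request(raw)
    ctype = headers.get("content-type", "")
    if method == "POST" and not body:
        problems.append("POST with empty body: nothing for sqlmap to inject into")
    if "json" in ctype.lower():
        try:
            parsed = json.loads(body)
        except json.JSONDecodeError as exc:
            problems.append(f"Content-Type says JSON but body does not parse: {exc.msg}")
        else:
            if not isinstance(parsed, dict) or not parsed:
                problems.append("JSON body has no top-level keys to inject into")
    elif body.lstrip().startswith("{"):
        problems.append(f"body looks like JSON but Content-Type is {ctype!r}")
    if "content-length" in headers:
        declared = int(headers["content-length"])
        actual = len(body.encode())
        if declared != actual:
            problems.append(f"Content-Length {declared} != actual body length {actual}")
    return problems


if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, check_request(req) or "OK")
```

Run it on the file you intend to pass with -r; any reported problem is a reason to re-save the request from the proxy rather than to keep editing it by hand.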


Is that normal?

Click on the instance of every button that a customer could click on. No need to push Add To Cart or anything else multiple times, just one instance of that button. You can't miss it, there will be an alert().

After that, play with options. No need to use higher risks/levels and error message is useful. Make sure your payload is valid. I used an asterisk as a wild card there. I shouldn’t have done that, it made it invalid.

To those running in circles like me, the command is --tamper and not --tampers. Just lost 1 hour on the done exercise due to this 's' :smiley:

For anyone doing this,

  1. Press every button till you find it.
  2. Just capture it in Burp and replay it. It will give you an error message at the end and tell you literally how you should fix it.
  3. Rerun the updated command and see which technique it ended at. For example, if the error above came out when it's running Error-based, just use --technique=r to quicken the process.