Skills Assessment - SQL Injection Fundamentals = Solved

Off-topic Exploits
,
1

So I am currently on the the last part of the SQL Injection Fundamentals module and I have been trying multiple ways to solve it.

As I understand it, my goal is to write a web shell into the base web directory so I can get RCE to find the flag in the root directory. However, I get permission denied whenever I try to write my php shell to the default web directory location: var/www/html. This makes me think that there must be other web directory locations which I should try. Also, I am able to write my php shell to other locations such as /var/lib/mysql or /tmp, but I donā€™t know how to make the server read the shell using that approach.

Some hints would be very much appreciated!

Update: I just got help solving it by user Nucrea. The solution to the problem exists in the url after first SQL Injection into the page.

Cheers!

2

Hi there! iā€™m really stuck with the Assesment, iā€™ve already pass the login, but i canā€™t execute the shell at /tmp, would you help me?

Thanks!

3

Type your comment> @asteri0n said:

Hi there! iā€™m really stuck with the Assesment, iā€™ve already pass the login, but i canā€™t execute the shell at /tmp, would you help me?

Thanks!

Hey, man! As I saidā€¦ the solution to the problem can be seen in the URL after you log in as admin - and you will find what you seek.

4 Likes
4

Hi Guys, can anyone please guide me, how to get past the logon page?

5

Type your comment> @rptester said:

Hi Guys, can anyone please guide me, how to get past the logon page?

Hey , dont overthink much on this one.

Remember which are the ways to inject through the username and try em out !

6

Would it please to be possible to get a nudge. I have come to halt

7

Type your comment> @mrjohnny786 said:

Type your comment> @rptester said:

Hi Guys, can anyone please guide me, how to get past the logon page?

Hey , dont overthink much on this one.

Remember which are the ways to inject through the username and try em out !

I tried every single payload possibility but it doesnā€™t work. The page just reloads and shows ā€œIncorrect credentialsā€ under the login form.
Can someone help me, pls?

1 Like
8

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

9

Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username

10

@basti394 said:
Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username
OKay! iā€™m inā€¦ but now again stuckā€¦

11

Type your comment> @blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username
Iā€™ve also filled all the payloads in the repo in the usernameā€¦

Did you also use comments in the username?

12

@basti394 said:
Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username

@blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username
DONE!! YAY

13

Type your comment> @blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username

@blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username
DONE!! YAY

My problem is that I canā€™t reach the webshell via url

14

Type your comment> @basti394 said:

Type your comment> @blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username

@blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 Iā€™m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luckā€¦

I got it. My hint: You just have to fill a payload into the username
DONE!! YAY

My problem is that I canā€™t reach the webshell via url

itā€™s kinda easy, just think a bit more, a web crawler may help you find the obviousā€¦ if u need more help PM me

15

Iā€™ve bypassed login page, and then got stuck on the writing web shell on the base web directory because of Errcode 13:ā€œPermission deniedā€ , then tried to write my web shell at the dashboard directory and again Errcode13 appeared. I need a little nudge to find the appropriate vector of my attack(probably it is directory, which I donā€™t know how to enumerate). Or even web shell is already exists on the webapp:) Help plz

16

Just finished the CTF.Was so fun.
Thank you HTB Academy;

17

Hi! Donā€™t want to create another topic.

Could anyone give me a hint about module ā€˜Using commentsā€™ in SQL Injection fundamentals?

Iā€™ve been trying in many ways, however still I am not able to login to user with id 5 in database.

ā€˜+ 1 Login as the user with the id 5 to get the flagā€™

Because requirement is to login as a different user right? I am able to login as ā€˜tomā€™ or ā€˜adminā€™ however they logins are known. How to log in as a specific user when we do not have a name?

18

hi, can help me somebody, i upload the shell, but , i cant do anything with the shell, maybe sheā€™ll itā€™s wrong?? hints, thanks

19

solved

20

Hey There !
I am also at the Tom Question,

ā€œTry to log in as the user ā€˜tomā€™. What is the flag value shown after you successfully log in?ā€

When i go to the Website with Firefox and use a password Payload such as ā€˜1ā€™=ā€˜1ā€™ i get to the Admin Panel and it tells me i have successfully logged in.

but there is no Flag

So when i use the Terminal und try to connect with :
mysql -u tom -h Webside -P port -p
and enter the password which includes ā€˜1ā€™=ā€˜1ā€™ the terminal does nothing and then sends me this Errormessage:

ERROR 2013 (HY000): Lost connection to MySQL server at ā€˜handshake: reading initial communication packetā€™, system error: 11

Well ā€¦ i donĀ“t really know what to do now