SQLi Fundamentals Module Final Assessment

JoshArm1137 · August 3, 2021, 6:32pm

Working on the last question to this module

“Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.”

I am able to get logged in as admin, but I am not sure how to get RCE. I have tried writing a PHP shell to every location under the sun and I am not able to run the shell. There was another forum and the provided the tip to look at the URL, but I am not able to do anything with that URL. Looking for some additional help on this one!

AgrarKuplung · August 24, 2021, 7:31pm

Hey, Any hint please regarding the login bypass? Tried every possible scenario, no luck… pretty annoying.

Timmebold · February 5, 2022, 4:35pm

I’m stuck at the login. I’ve tried all standard passwords (admin, password…), tried to inject Auth. Bypass with comments an OR operator, have tried quotes. No change in the output of the page: “Incorrect credentials”

A dir research showed me a database backup file with credentials. The credentials don’t work.

Any Ideas what I could try? Thank you!

PayloadBunny · February 5, 2022, 11:48pm

Remember the possibility to comment out parts of SQL strings.

Timmebold · February 6, 2022, 3:20pm

This helped a lot. Thanks

Topic		Replies	Views
Advanced SQL Injection Skills Assessment Academy	36	1957	December 11, 2024
Skills Assessment - SQL Injection Fundamentals = Solved Exploits sql-injection , academy	34	13285	October 5, 2024
HTB ACADEMY - Skills Assessment : SQL Injection Fundamentals Challenges sqli , sql-injection , academy , skills-assessment , injection	2	2074	April 23, 2021
Academy Sql injection assessment Off-topic	7	1657	March 28, 2021
Bug or lack of understanding: SQL fundamentals assessment Academy sql-injection	1	683	October 7, 2022

SQLi Fundamentals Module Final Assessment

Related topics