Web Requests - CRUD API Issue

Hello everyone,

This seems like a simple task that has been driving me nuts. The CRUD API section has the following question: First, try to update any city’s name to be ‘flag’. Then, delete any city. Once done, search for a city named ‘flag’ to get the flag.

I am having issues with the PUT request (update):

  1. Update
    curl -X PUT "http://161.35.33.243:30573/api.php/city/London" -d '{"city_name":"flag"}' -H "Content-Type: application/json"

I am getting the following error:

Unknown column ’ ’ in ‘field list’.

I literally copied the example in the lesson and replaced the IP:PORT.
I had no issues deleting a record and reading records. I have tried modifying ‘city_name’ in case the SQL db uses something else, but I kept getting the same error. Interestingly enough, if I replace my JSON data with empty brackets, I get another error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘where city_name=‘Houston’’

Even the error shows that I am using the correct column name. I’m completely lost.

Hey!

I just used this with no issues: curl http://142.93.39.188:30592/api.php/city/London -X PUT -d '{"city_name":"flag"}' -H "Content-Type: application/json"

Reset the target machine and try one more time. If you get it to work, keep this thread in mind: Web requests - crud api

Feel free to DM me with screenshots.
-onthesauce

Hello,

I just tried your curl request and I’m still getting the same issue. I tried the PUT method first with no success. Below you will see me use GET with success. I then reset the machine and tried again. No luck.

I gave up and started editing and resending these requests using Firefox devtools and was able to get the flag. Great success! Thanks for your help!

Nice! Yeah, I was using the pwnbox. Think about using it for certain exercises when you are having trouble, especially when copying commands from the section. Windows may handle the examples from the course differently because the authors have written them with Linux in mind.

Please only tell me about the command!!!

What do you want me to tell you about the curl command? I’d rather you tell me about the issue you are having and we go from there. That way when other people have the same issue they will know how to deal with it and they won’t just be copying and pasting commands from the forum.
-onthesauce

Question: First, try to update any city’s name to be ‘flag’. Then, delete any city. Once done, search for a city named ‘flag’ to get the flag.
Answer: ??
Can you please teach a little about this question and then its solution?
That’s all I wanted to say.

Please tell me. I’m stuck here.

curl http://<SERVER_IP>:/api.php/city/London -X PUT -d '{"city_name":"flag"}' -H "Content-Type: application/json"
curl http://<SERVER_IP>:/api.php/city/Birmingham -X DELETE -H "Content-Type: application/json"
curl http://<SERVER_IP>:/api.php/city/flag
HTB{crud_4p!_m4n // I just wrote half of the flag because you have to do it, man. The above code is fine; I guess you forgot to write the -H "Content-Type" stuff.

I’m not sure if you’re replying to me, but I did have all the exact headers needed. No flag is needed since I solved this anyway by running the requests through a browser and not curl.

I had the same issue and I resolved it by escaping the " in the curl request and that solved the issue. See below.

curl -X PUT http://46.101.14.124:31098/api.php/city/London/ -d '{"city_name":"flag", "country_name": "(UK)"}' -H 'Content-Type: application/json'

Actually after uploading the curl, it has removed the \ before every ". So just add a \ before every " in the JSON data-field
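
An added example, not part of any post in this thread: a Python pre-flight check that classifies a JSON body as the API would receive it, covering the quoting problems discussed above (typographic quotes pasted from a web page, double quotes consumed by the shell, and the backslash-escaping fix). The function names and the simplified quote-stripping model are assumptions made for illustration.

```python
import json

CURLY = "\u2018\u2019\u201c\u201d"  # typographic quotes substituted by web pages

def argv_after_quote_stripping(arg: str) -> str:
    """Simplified model (assumption) of a command-line parser that consumes
    bare double quotes as delimiters and turns \\" into a literal quote."""
    out, i = [], 0
    while i < len(arg):
        if arg.startswith('\\"', i):
            out.append('"')
            i += 2
        elif arg[i] == '"':
            i += 1  # bare quote is swallowed, never reaches curl
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)

def diagnose_body(raw: str, required_key: str = "city_name") -> str:
    """Classify a request body exactly as the server would receive it."""
    if any(ch in CURLY for ch in raw):
        return "curly-quotes"
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        if '\\"' in raw:
            return "literal-backslashes"
        return "quotes-stripped" if '"' not in raw else "invalid-json"
    if not isinstance(doc, dict) or required_key not in doc:
        return "missing-key"
    return "ok"

if __name__ == "__main__":
    # Constructed sample bodies, modelled on the commands in the thread.
    plain = '{"city_name":"flag"}'
    escaped = r'{\"city_name\":\"flag\"}'
    pasted = "\u2018{\u201ccity_name\u201d:\u201cflag\u201d}\u2019"
    for label, body in [
        ("sent unmodified", plain),
        ("plain, quotes stripped", argv_after_quote_stripping(plain)),
        ("escaped, quotes stripped", argv_after_quote_stripping(escaped)),
        ("escaped, sent unmodified", escaped),
        ("pasted with curly quotes", pasted),
        ("empty object", "{}"),
    ]:
        print(f"{label:26} {body!r:36} -> {diagnose_body(body)}")
```

Running the same check on the output of `curl --trace-ascii -` shows which of these cases a given shell produces.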

Update any one city_name to ‘flag’ (but don’t change the country_name), and delete ANOTHER city. THEN, check the flag: curl http:// ip:port /api.php/city/flag (I don’t know why it works)

I have the same problem. Where is the logic in the question?

Spoiler

curl -s http://83.136.254.53:51389/api.php/city | jq | grep city_name
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,
“city_name”: “flag”,

curl -X DELETE http://83.136.254.53:51389/api.php/city/flag

curl -s http://83.136.254.53:51389/api.php/city/flag
[ ]

OK, I have solved it!

Use only the provided virtual machine in order to complete the exercise on the first try