Web Service & API Attacks - Skills Assessment

Hey has anyone finished this assessment via the SQL payload?
I got the flag rather quickly considering it’s 13 points, and not via the way the question implies. I feel I’m missing out on learning here.

1 Like

Hi. Me too, can’t find where I can try SQL payload.
In http://<TARGET IP>:3002/wsdl?wsdl I just find SOAP spoofing RCE like in the first part of the module. But if I use this RCE on port 3002 I can’t find another SQL table in MySQL :C Just the “htb” table with previous SQLi questions. Can anyone help me? :wink:

Hi,

A few hints:

  • Start by carefully examining the WSDL file: identify data types and parameters that might be vulnerable to SQL injection.
  • Try the most common SQL injections. The SQL Injections Fundamentals module helped me, especially the “subverting query logic” section.
  • The service responds once you have found a working SQL injection. In other cases, it usually does not respond.

3 Likes

thx m8! Took more time with this potentially dangerous place, tried combinations, and WOW!

@akiraowen, I think you are missing out on a learning opportunity if you didn’t get this via SQLi. I did the same thing as you probably did at first and got the flag within 5 minutes.

However, I went back to get the flag with a SQLi payload. I think modifying the SOAP request was actually the hardest part haha. It took me around 40 minutes all said and done, but was well worth it. Thanks to @lvruibr for helping me get my head in the right place. I actually didn’t even see the part about the service hanging in the question.
-onthesauce

1 Like

This is the longest I’ve been stuck on a module. I feel like I’m missing something obvious. I’ve modified a SOAP request so it’s accepted, but SQLmap is returning nothing. I’m not sure if I’m meant to be using it.

Is the solution in submitting a correctly formatted SOAP request itself?

Okay, I did it. I was definitely overcomplicating it!

Did you do this via SQLMap?

No, I used manual injection, but I didn’t use the Python RCE scripts. I crafted the SOAP request.

Can someone help me with a flag?
I use the Python script and I retrieve the MySQL data from the u**** table, but I don’t find the “password” field.

I found HTB{FL4G} but I don’t know how to use it.

Hi, I was hoping to get a hint in the right direction. I added the Burp extension Wsdler and tried to find SQL injection in two endpoints. I have not been able to find anything and am lost at this point. I have used multiple requests in SQLmap and have had no luck. Any help would be great, thanks.

Any tips on how you found the flag? PM me?