Skills Assessment - SQL Injection Fundamentals = Solved

edited February 10 in Exploits

So I am currently on the the last part of the SQL Injection Fundamentals module and I have been trying multiple ways to solve it.

As I understand it, my goal is to write a web shell into the base web directory so I can get RCE to find the flag in the root directory. However, I get permission denied whenever I try to write my php shell to the default web directory location: var/www/html. This makes me think that there must be other web directory locations which I should try. Also, I am able to write my php shell to other locations such as /var/lib/mysql or /tmp, but I don't know how to make the server read the shell using that approach.

Some hints would be very much appreciated!

Update: I just got help solving it by user Nucrea. The solution to the problem exists in the url after first SQL Injection into the page.

Cheers!

Comments

  • Hi there! i'm really stuck with the Assesment, i've already pass the login, but i can't execute the shell at /tmp, would you help me?

    Thanks!

  • Type your comment> @asteri0n said:

    Hi there! i'm really stuck with the Assesment, i've already pass the login, but i can't execute the shell at /tmp, would you help me?

    Thanks!

    Hey, man! As I said.. the solution to the problem can be seen in the URL after you log in as admin - and you will find what you seek.

  • Hi Guys, can anyone please guide me, how to get past the logon page?

  • Type your comment> @rptester said:

    Hi Guys, can anyone please guide me, how to get past the logon page?

    Hey , dont overthink much on this one.

    Remember which are the ways to inject through the username and try em out !

  • Would it please to be possible to get a nudge. I have come to halt

  • edited April 13

    Type your comment> @mrjohnny786 said:

    Type your comment> @rptester said:

    Hi Guys, can anyone please guide me, how to get past the logon page?

    Hey , dont overthink much on this one.

    Remember which are the ways to inject through the username and try em out !

    I tried every single payload possibility but it doesn't work. The page just reloads and shows "Incorrect credentials" under the login form.
    Can someone help me, pls?

  • @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

  • Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

  • edited April 19

    @basti394 said:
    Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

    OKay! i'm in... but now again stuck...

  • edited April 19

    Type your comment> @blueprismo said:

    @basti394 said:
    Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

    I've also filled all the payloads in the repo in the username....

    Did you also use comments in the username?

  • @basti394 said:
    Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

    @blueprismo said:

    @basti394 said:
    Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

    DONE!! YAY

  • Type your comment> @blueprismo said:

    @basti394 said:
    Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

    @blueprismo said:

    @basti394 said:
    Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

    DONE!! YAY

    My problem is that I can't reach the webshell via url

  • Type your comment> @basti394 said:

    Type your comment> @blueprismo said:

    @basti394 said:
    Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

    @blueprismo said:

    @basti394 said:
    Type your comment> @blueprismo said:

    @basti394 I'm also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck....

    I got it. My hint: You just have to fill a payload into the username

    DONE!! YAY

    My problem is that I can't reach the webshell via url

    it's kinda easy, just think a bit more, a web crawler may help you find the obvious... if u need more help PM me

  • I've bypassed login page, and then got stuck on the writing web shell on the base web directory because of Errcode 13:"Permission denied" , then tried to write my web shell at the dashboard directory and again Errcode13 appeared. I need a little nudge to find the appropriate vector of my attack(probably it is directory, which I don't know how to enumerate). Or even web shell is already exists on the webapp:) Help plz

  • edited May 9
    Just finished the CTF.Was so fun.
    Thank you HTB Academy;
  • edited May 16

    Hi! Don't want to create another topic.

    Could anyone give me a hint about module 'Using comments' in SQL Injection fundamentals?

    I've been trying in many ways, however still I am not able to login to user with id 5 in database.

    '+ 1 Login as the user with the id 5 to get the flag'

    Because requirement is to login as a different user right? I am able to login as 'tom' or 'admin' however they logins are known. How to log in as a specific user when we do not have a name?

  • hi, can help me somebody, i upload the shell, but , i cant do anything with the shell, maybe she'll it's wrong?? hints, thanks

  • edited July 6

    solved

  • Hey There !
    I am also at the Tom Question,

    "Try to log in as the user 'tom'. What is the flag value shown after you successfully log in?"

    When i go to the Website with Firefox and use a password Payload such as '1'='1' i get to the Admin Panel and it tells me i have successfully logged in.

    but there is no Flag

    So when i use the Terminal und try to connect with :
    mysql -u tom -h Webside -P port -p
    and enter the password which includes '1'='1' the terminal does nothing and then sends me this Errormessage:

    ERROR 2013 (HY000): Lost connection to MySQL server at 'handshake: reading initial communication packet', system error: 11

    Well ... i don´t really know what to do now

  • Type your comment> @PortaHelle said:

    Hey There !
    I am also at the Tom Question,

    "Try to log in as the user 'tom'. What is the flag value shown after you successfully log in?"

    When i go to the Website with Firefox and use a password Payload such as '1'='1' i get to the Admin Panel and it tells me i have successfully logged in.

    but there is no Flag

    So when i use the Terminal und try to connect with :
    mysql -u tom -h Webside -P port -p
    and enter the password which includes '1'='1' the terminal does nothing and then sends me this Errormessage:

    ERROR 2013 (HY000): Lost connection to MySQL server at 'handshake: reading initial communication packet', system error: 11

    Well ... i don´t really know what to do now

    Facing the same problem. Please help when you find a solution

Sign In to comment.