Skills Assessment - SQL Injection Fundamentals = Solved

So I am currently on the the last part of the SQL Injection Fundamentals module and I have been trying multiple ways to solve it.

As I understand it, my goal is to write a web shell into the base web directory so I can get RCE to find the flag in the root directory. However, I get permission denied whenever I try to write my php shell to the default web directory location: var/www/html. This makes me think that there must be other web directory locations which I should try. Also, I am able to write my php shell to other locations such as /var/lib/mysql or /tmp, but I don’t know how to make the server read the shell using that approach.

Some hints would be very much appreciated!

Update: I just got help solving it by user Nucrea. The solution to the problem exists in the url after first SQL Injection into the page.

Cheers!

Hi there! i’m really stuck with the Assesment, i’ve already pass the login, but i can’t execute the shell at /tmp, would you help me?

Thanks!

Type your comment> @asteri0n said:

Hi there! i’m really stuck with the Assesment, i’ve already pass the login, but i can’t execute the shell at /tmp, would you help me?

Thanks!

Hey, man! As I said… the solution to the problem can be seen in the URL after you log in as admin - and you will find what you seek.

4 Likes

Hi Guys, can anyone please guide me, how to get past the logon page?

Type your comment> @rptester said:

Hi Guys, can anyone please guide me, how to get past the logon page?

Hey , dont overthink much on this one.

Remember which are the ways to inject through the username and try em out !

Would it please to be possible to get a nudge. I have come to halt

Type your comment> @mrjohnny786 said:

Type your comment> @rptester said:

Hi Guys, can anyone please guide me, how to get past the logon page?

Hey , dont overthink much on this one.

Remember which are the ways to inject through the username and try em out !

I tried every single payload possibility but it doesn’t work. The page just reloads and shows “Incorrect credentials” under the login form.
Can someone help me, pls?

1 Like

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username

@basti394 said:
Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username
OKay! i’m in… but now again stuck…

Type your comment> @blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username
I’ve also filled all the payloads in the repo in the username…

Did you also use comments in the username?

@basti394 said:
Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username

@blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username
DONE!! YAY

Type your comment> @blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username

@blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username
DONE!! YAY

My problem is that I can’t reach the webshell via url

Type your comment> @basti394 said:

Type your comment> @blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username

@blueprismo said:

@basti394 said:
Type your comment> @blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username
DONE!! YAY

My problem is that I can’t reach the webshell via url

it’s kinda easy, just think a bit more, a web crawler may help you find the obvious… if u need more help PM me

I’ve bypassed login page, and then got stuck on the writing web shell on the base web directory because of Errcode 13:“Permission denied” , then tried to write my web shell at the dashboard directory and again Errcode13 appeared. I need a little nudge to find the appropriate vector of my attack(probably it is directory, which I don’t know how to enumerate). Or even web shell is already exists on the webapp:) Help plz

Just finished the CTF.Was so fun.
Thank you HTB Academy;

Hi! Don’t want to create another topic.

Could anyone give me a hint about module ‘Using comments’ in SQL Injection fundamentals?

I’ve been trying in many ways, however still I am not able to login to user with id 5 in database.

‘+ 1 Login as the user with the id 5 to get the flag’

Because requirement is to login as a different user right? I am able to login as ‘tom’ or ‘admin’ however they logins are known. How to log in as a specific user when we do not have a name?

hi, can help me somebody, i upload the shell, but , i cant do anything with the shell, maybe she’ll it’s wrong?? hints, thanks

solved

Hey There !
I am also at the Tom Question,

“Try to log in as the user ‘tom’. What is the flag value shown after you successfully log in?”

When i go to the Website with Firefox and use a password Payload such as ‘1’=‘1’ i get to the Admin Panel and it tells me i have successfully logged in.

but there is no Flag

So when i use the Terminal und try to connect with :
mysql -u tom -h Webside -P port -p
and enter the password which includes ‘1’=‘1’ the terminal does nothing and then sends me this Errormessage:

ERROR 2013 (HY000): Lost connection to MySQL server at ‘handshake: reading initial communication packet’, system error: 11

Well … i don´t really know what to do now