SQLMap: The Basics [ Cyber Security 101 ] TryHackMe Writeup | Detailed Walkthrough | THM Premium Room | SuNnY
Kudos To the Creators of this Room 😎
Room Type
Only subscribers can deploy virtual machines in this room!
Go to your profile page to subscribe (if you have not already).
Do note : Premium Subscription is required to solve this room
Let’s Start the Party
This writeup is a part of TryHackMe’s Learning Path → Cyber Security 101
Check this Learning Path here → Cyber Security 101 Learning Path
Task 1 : Introduction
It’s advised to give this module a good read before proceeding to Task 2.
Let’s proceed to Task 2
Task 2 : SQL Injection Vulnerability
Task 2 — Question 1 : Which boolean operator checks if at least one side of the operator is true for the condition to be true?
The boolean operator that checks if at least one side of the condition is true for the entire condition to be true is the OR operator.
In a SQL query, the OR operator ensures that if either the condition on the left side or the condition on the right side is true, the whole statement evaluates to true.
Task 2 — Question 2 : Is 1=1 in an SQL query always true? (YEA/NAY)
The Answer is YEA, in an SQL query, 1=1 is always true.
In SQL, the condition 1=1 is a logical expression that always evaluates to true because 1 is always equal to 1. This is often used in SQL queries, particularly in SQL injection attacks, to bypass conditions or create queries that will always return results.
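Why this matters for a login form, as an added example (not part of the room or of the original writeup): the same check written with string concatenation and with bound parameters, run against an in-memory SQLite table. The table contents, function names and sample input are constructed for illustration.

```python
import sqlite3

# Constructed input: closes the password string, then adds an always-true OR branch.
TAUTOLOGY = "x' OR 1=1 -- "


def make_db():
    # Constructed sample data standing in for a login backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (email TEXT, password TEXT)")
    db.execute("INSERT INTO user VALUES ('alice@example.test', 's3cret')")
    return db


def login_concat(db, email, password):
    # Vulnerable pattern: input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM user WHERE email = '" + email +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_bound(db, email, password):
    # Hardened pattern: placeholders send the input as data, never as SQL,
    # so OR and 1=1 are just characters in a password that matches nothing.
    sql = "SELECT COUNT(*) FROM user WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    for name, check in (("concatenated", login_concat), ("bound", login_bound)):
        print(name,
              "correct password:", check(db, "alice@example.test", "s3cret"),
              "| wrong password:", check(db, "alice@example.test", "wrong"),
              "| tautology:", check(db, "alice@example.test", TAUTOLOGY))
```

With concatenation the WHERE clause becomes (email AND password) OR 1=1, which is true for every row; with bound parameters the same input is compared as a literal password and the check fails.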
Task 2 Complete !
Task 3 : Automated SQL Injection Tool
Task 3 Question 1 : Which flag in the SQLMap tool is used to extract all the databases available?
--dbs
Explanation: The --dbs flag in SQLMap is used to list all the databases present in the backend database management system (DBMS). After identifying an SQL injection vulnerability, this flag tells SQLMap to extract and display all the available database names. Once the database names are known, an attacker can further enumerate them to access sensitive information.
Task 3 Question 2 : What would be the full command of SQLMap for extracting all tables from the “members” database? (Vulnerable URL: http://sqlmaptesting.thm/search/cat=1)
sqlmap -u http://sqlmaptesting.thm/search/cat=1 -D members --tables
Explanation: To extract all tables from a specific database using SQLMap, the -D flag is used to specify the database name, and the --tables flag is used to list all tables in that database.
Task 3 Complete !
Task 4 : Practical Exercise
This is a Practical Module , Let’s fire up the VM 🔥before proceeding
( Start Machine )
The Room recommends Starting AttackBox
Finding the Target URL ( Quick Motion Based Solution )
1. Let’s open the browser and navigate to this page → http://10.10.249.16/ai/login
2. We are greeted with a Login Page as shown above👆🏾
3. Right-click on the page and select Inspect (or press Ctrl + Shift + I, or Cmd + Option + I on Mac).
4. In the developer tools, navigate to the Network tab.
5. To Capture the GET request from the Browser ,
Let’s Use test as Username and test as Password → test:test
( This is also used and demonstrated in the Module of this room )
6. Then Refresh the Network Tab and We will get the GET Request
7. We can Copy this URL to solve further Questions in this Task
So we have our Target URI with us →
http://10.10.249.16/ai/includes/user_login?email=test&password=test
Do Note → Your IP can be different from the IP I have got in this Room
Just replace the IP in the URL with yours
Let’s now Answer the Questions →
Task 4 Question 1 : How many databases are available in this web application?
Using our target URL let’s find the answer
Run the SQLMap command with the --dbs flag to list all the databases. The output will show the number of databases available in the application.
sqlmap -u "http://10.10.249.16/ai/includes/user_login?email=test&password=test" --dbs --level=5
Note → Don’t forget to wrap the URL inside " ", otherwise the shell treats the & in the URL as a command separator, so the --dbs flag gets ignored and an error is returned
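What the quoting note above means in practice, as an added example (not from the room or the original writeup): Python's shlex module is used here to approximate how a POSIX shell splits the command line with and without the quotes. The function names are made up for this illustration.

```python
import shlex

SEPARATORS = {"&", "&&", "||", ";", "|"}


def shell_split(line):
    # Approximate POSIX shell tokenising; operators such as '&' become
    # their own tokens unless they sit inside quotes.
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def commands_seen(line):
    # Group tokens into the separate commands the shell would start.
    commands, current = [], []
    for tok in shell_split(line):
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


URL = "http://10.10.249.16/ai/includes/user_login?email=test&password=test"
UNQUOTED = "sqlmap -u " + URL + " --dbs --level=5"
QUOTED = 'sqlmap -u "' + URL + '" --dbs --level=5'

if __name__ == "__main__":
    for label, line in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        print(label)
        for cmd in commands_seen(line):
            print("   ", cmd)
```

Unquoted, sqlmap only receives the URL up to email=test and is sent to the background, while password=test --dbs --level=5 is run as a second command, which is where the error comes from.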
After executing the command, SQLMap will output a list of databases. The correct answer can be inferred from this output.
Answer is 6
available databases [6]:
[*] ai
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
Task 4 — Question 2 : What is the name of the table available in the “ai” database?
Using the same Target URI we are going to solve this question →
After identifying the available databases, use the SQLMap command with the -D ai --tables flags to fetch the tables from the "ai" database.
sqlmap -u "http://10.10.249.16/ai/includes/user_login?email=test&password=test" -D ai --tables --level=5
Note → Again, don’t forget to wrap the URL inside " "
SQLMap will list the tables in the specified database →
Answer to Task 4 Question 2 is →
Users
Task 4 Question 3 : What is the password of the email test@chatai.com?
Using the same Target URI as the above questions we are going to solve this final question as well !
After you know the table name (in this case, “user”), use the SQLMap command to dump the records from that table, specifying the database and table.
The output will contain the records in the table, including the password for test@chatai.com. Look for the entry associated with this email to find the corresponding password.
sqlmap -u "http://10.10.249.16/ai/includes/user_login?email=test&password=test" -D ai -T user --dump --level=5
Note → Again, as always, don’t forget to wrap the URL inside " " to avoid errors