Today, we will be continuing with our exploration of Hack the Box (HTB) machines as seen in previous articles. This walkthrough is of an HTB machine named Shocker. The difficult part of this box is crafting the SQL injection correctly. While using Burp to deliver this command is easy, doing it via the CLI is much less straightforward. So let's get into it…
Let's begin as we do with all easy HTB machines and adopt the same penetration testing methodology, starting with Nmap.
nmap -sC -sV -oA Shocker 10.10.10.56
sqlmap is an automated penetration testing tool for SQL injection, which tops the OWASP Top 10 2017 list (A1) of critical web application security risks. If you are using Kali Linux or any other popular pentesting distribution, it is already installed; if not, git clone it to your machine. One of sqlmap's capabilities is loading a raw HTTP request from a text file. That way you can skip a number of other options (e.g. setting cookies, POSTed data, etc.).
Within your delivery file we will use the URI injection point marker, an asterisk (*), to tell sqlmap where we would like it to inject. (Note: the Havij-style %INJECT HERE% marker is also supported.) The marker can also point to an arbitrary injection point inside GET, POST or HTTP headers. The injection point is specified by marking it inside the request file that sqlmap loads with -r. You can simply use a text file with your HTTP request in it and add a * where you want sqlmap to perform the injection, then start sqlmap with the -r http_request.txt option.
1) Begin parsing using the web tools within the Chrome browser.
Step 1: Intercept the POST request using Burp or your favorite tool
Step 2: Load the HTTP request into a file and mark your injection points
Step 3: Pass the text file to sqlmap using the -r switch in your command
Step 4: Drop your crafted command into the terminal
sqlmap -r injectJSON.txt --level=5 --risk=3 -v 3
As an example for the inject file:
{"username":{"$ne": null},"password":{"$ne": null}}
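The inject-file body above uses $ne, a MongoDB query operator. The following added example (not part of the original walkthrough) shows why such a body matches an account when a login handler forwards parsed JSON straight into its query filter, and the type check that rejects it. The user store, the matches() helper and both login functions are hypothetical stand-ins; the page does not say what backend the target runs.

```python
import json

# Constructed sample data: one account in a stand-in user store.
# (Plaintext comparison keeps the demo short; real stores compare password hashes.)
USERS = [{"username": "admin", "password": "s3cret-constructed"}]

def matches(doc, query):
    """Minimal stand-in for a MongoDB-style filter: equality and $ne only."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op != "$ne":
                    raise ValueError(f"unsupported operator {op}")
                if value == arg:
                    return False
        elif value != cond:
            return False
    return True

def login_vulnerable(body):
    """Forwards parsed JSON values into the filter, operator objects included."""
    creds = json.loads(body)
    query = {"username": creds.get("username"), "password": creds.get("password")}
    return next((u["username"] for u in USERS if matches(u, query)), None)

def login_hardened(body):
    """Accepts only plain strings, so operator objects never reach the filter."""
    creds = json.loads(body)
    if not isinstance(creds, dict):
        return None
    username, password = creds.get("username"), creds.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    query = {"username": username, "password": password}
    return next((u["username"] for u in USERS if matches(u, query)), None)

# The body shown on the page, and a constructed valid login for comparison.
INJECT = '{"username":{"$ne": null},"password":{"$ne": null}}'
GOOD = '{"username":"admin","password":"s3cret-constructed"}'

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "| inject ->", fn(INJECT), "| valid ->", fn(GOOD))
```

With the unvalidated handler, "not equal to null" is true for every stored username and password, so the first account is returned without knowing either value; the hardened handler rejects the request before any query is built.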



