TryHackMe — Advanced SQL Injection — Writeup
Key points: SQLi | SQL injection | In-band SQLi | Out-of-band SQLi | Inferential SQLi | Error-Based SQLi | Union-Based SQLi | Boolean-Based Blind SQLi | Time-Based Blind SQLi | Second-order SQL injection | Filter evasion | Out-of-band SQL Injection | Automation techniques | Mitigation | Nmap | sqlmap. Advanced SQL Injection by awesome TryHackMe! 🎉
Hi all. First, a quick introduction. The room mentioned is of the Free type. It’s worth considering becoming a premium user; more info here: https://tryhackme.com/why-subscribe
My referral link 🎁 (“When someone uses your referral link to sign up for a premium membership within 7 days, you both earn $5 credit towards premium access!”): https://tryhackme.com/signup?referrer=655bf0dd7cb6fa588c31d1a3 “It’s a win-win for you and your friends!” 🚀
It would be great for you to become more familiar with these topics, so please visit the room https://tryhackme.com/r/room/advancedsqlinjection for more details. ✨ I encourage you to do the tasks on your own.
These tasks are well prepared, so I will try not to repeat their content. Everything you need is there, but I want to share some additional helpful and useful resources.
Tip: if you get stuck on a task, take your time and don’t hurry. Get more familiar with the tools mentioned, repeat the steps, and so on.
Task 1 — Introduction

Q: What is the port on which MySQL service is running? A: 3306
Get ready! 🚀
Additional sources: https://www.mysql.com https://dev.mysql.com/doc/mysql-port-reference/en/mysql-port-reference-tables.html https://capec.mitre.org/data/definitions/66.html https://cwe.mitre.org/data/definitions/89.html
Task 2 — Quick Recap
Q: What type of SQL injection uses the same communication channel for both the injection and data retrieval? A: In-band
Q: In out-of-band SQL injection, which protocol is usually used to send query results to the attacker’s server? A: HTTP
Additional sources: https://www.geeksforgeeks.org/types-of-sql-injection-sqli/ https://owasp.org/www-community/attacks/SQL_Injection https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF
Task 3 — Second-Order SQL Injection

🚩 Flag
Q: What is the flag value after updating the title of all books to “compromised”? A: THM{SO_HACKED}
🚩 Flag
Q: What is the flag value once you drop the table hello from the database? A: THM{Table_Dropped}
Additional sources: https://portswigger.net/kb/issues/00100210_sql-injection-second-order
Task 4 — Filter Evasion Techniques
Q: What is the MySQL error code once an invalid query is entered with bad characters? A: 1064
Q: What is the name of the book where book ID=6? A: Animal Series
Additional sources: https://portswigger.net/support/sql-injection-bypassing-common-filters
Task 5 — Filter Evasion Techniques (continued)
Q: What is the password for the username “attacker”? A: tesla
Q: Which of the following can be used if the SELECT keyword is banned? Write the correct option only. a) SElect b) SeLect c) Both a and b d) We cannot bypass SELECT keyword filter A: c
Task 6 — Out-of-band SQL Injection
Q: What is the output of the @@version on the MySQL server? A: 10.4.24-MariaDB
Q: What is the value of @@basedir variable? A: C:/xampp/mysql
Additional sources: https://www.invicti.com/learn/out-of-band-sql-injection-oob-sqli/ https://www.akamai.com/glossary/what-is-dns-data-exfiltration
Task 7 — Other Techniques
🚩 Flag
Q: What is the value of the flag field in the books table where book_id =1? A: THM{HELLO}
Q: What field is detected on the server side when extracting the user agent? A: User-Agent
Additional sources: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection https://portswigger.net/web-security/host-header https://en.wikipedia.org/wiki/HTTP_header_injection https://portswigger.net/web-security/host-header/exploiting https://portswigger.net/kb/issues/00100700_xml-injection https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection https://www.invicti.com/learn/json-injection/
Task 8 — Automation
Q: Does the dynamic nature of SQL queries assist a pentester in identifying SQL injection (yea/nay)? A: Nay
Additional sources: https://nmap.org/ https://github.com/nmap/ https://sqlmap.org/ https://github.com/sqlmapproject/sqlmap https://github.com/xxgrunge/sqlninja https://github.com/43622283/jsql-injection https://github.com/CiscoCXSecurity/bbqsql
Task 9 — Best Practices
Q: What command does MSSQL support to execute system commands? A: xp_cmdshell
Additional sources: https://owasp.org/www-project-code-review-guide/ https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
If you want to support my work, you can also take a look here: https://referral.hackthebox.com/mz824lP — HTB, thanks! ✨
I hope you enjoy! 🍀
#SQLi #SQLinjection #In-bandSQLi #Out-of-bandSQLi #InferentialSQLi #Error-BasedSQLi #Union-BasedSQLi #Boolean-BasedBlindSQLi #Time-BasedBlindSQLi #Second-orderSQLinjection #FilterEvasion #Out-of-bandSQLinjection #AutomationTechniques #Mitigation #Nmap #sqlmap #writeup #hacking #ITsecurity #THM #TryHackMe
Best wishes,