Fun Times With Sqlmap

So last night I dived into a supposedly easy wordpress website CTF challenge from Shellter Labs. I looked at the source code and saw there was a login.php so I decided this time for some reason I was going to try sqlmap. I have used burp suite and dirbuster in the past but wanted to learn a new tool.  I tried to run a generic scan:

sqlmap -u –random-agent –dbms=mysql –threads=10 –level=3 –risk=3)

That took forever, woke up this morning and I found the admin username and the password! I was so excited and then I realized: I was suppose to find a flag not the password. I had to lookup a video to find the flag and I was on the right path but didn’t know the commands. You are supposed to use a specific search through the SQL tables for the website using a vulnerability on one of the wordpress plug-ins for the site.   The vulnerable plugin was Simply Poll version 1.4, and if misconfigured, it allows an attacker to read through the database.  I found the specific exploit on Exploit DB ( which even includes how to use sqlmap to exploit it:

--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress
--threads=10 --random-agent --dbms=mysql --level=5 --risk=3
After running this for the challenge, you find the database, and access it, enumerating the columns in the table and finding the flag.  It was a fun excerise, i needed some help from the walkthrough to complete it, but glad I tried myself first because i found the admin password.

Leave a Reply