So last night I dived into a supposedly easy WordPress website CTF challenge from Shellter Labs. I looked at the source code and saw there was a login.php, so I decided this time, for some reason, I was going to try sqlmap. I have used Burp Suite and DirBuster in the past but wanted to learn a new tool. I tried to run a generic scan:
sqlmap -u --random-agent --dbms=mysql --threads=10 --level=3 --risk=3
That took forever; I woke up this morning and found the admin username and the password! I was so excited, and then I realized: I was supposed to find a flag, not the password. I had to look up a video to find the flag. I was on the right path but didn’t know the commands. You are supposed to use a specific search through the SQL tables for the website using a vulnerability in one of the WordPress plug-ins for the site. The vulnerable plugin was Simply Poll version 1.4, and if misconfigured, it allows an attacker to read through the database. I found the specific exploit on Exploit DB (https://www.exploit-db.com/exploits/40971/), which even includes how to use sqlmap to exploit it:
sqlmap -u "http://example.com/wp-admin/admin-ajax.php" \
--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress \
--threads=10 --random-agent --dbms=mysql --level=5 --risk=3
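From the defensive side, the request shape sqlmap sends at this endpoint is easy to pick out of application logs. The following is an added example, not part of the original post or the plugin, that flags admin-ajax.php requests whose pollid for the spAjaxResults action is anything other than a plain integer; the sample records are constructed.

```python
import re
from typing import Optional

from urllib.parse import parse_qs

# The Simply Poll AJAX handler takes action=spAjaxResults with a numeric
# pollid; a legitimate poll widget never sends anything else in that field.
VULN_ACTION = "spAjaxResults"
SQLI_HINTS = re.compile(
    r"""('|"|--|/\*|\b(union|select|sleep|benchmark|and|or)\b)""", re.I
)


def classify_request(path: str, body: str) -> Optional[str]:
    """Return a finding label for a WordPress admin-ajax request, or None."""
    if not path.startswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != VULN_ACTION:
        return None
    pollid = params.get("pollid", [""])[0]
    if re.fullmatch(r"\d+", pollid):
        return None  # normal poll lookup
    if SQLI_HINTS.search(pollid):
        return "sqli-probe"  # quotes, comments or SQL keywords in an id field
    return "malformed-pollid"  # still worth a look: not what the widget sends


# Constructed sample records (source, path, POST body), not real traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "/wp-admin/admin-ajax.php", "action=spAjaxResults&pollid=2"),
    ("203.0.113.10", "/wp-admin/admin-ajax.php", "action=spAjaxResults&pollid=2' AND 1=1-- "),
    ("203.0.113.10", "/wp-admin/admin-ajax.php", "action=spAjaxResults&pollid=2 UNION SELECT 1,2,3"),
    ("203.0.113.10", "/wp-admin/admin-ajax.php", "action=spAjaxResults&pollid=abc"),
    ("198.51.100.7", "/wp-admin/admin-ajax.php", "action=heartbeat&pollid=2'"),
]


def scan(records):
    """Return (source, label, body) for every record that gets a label."""
    findings = []
    for src, path, body in records:
        label = classify_request(path, body)
        if label:
            findings.append((src, label, body))
    return findings


if __name__ == "__main__":
    for src, label, body in scan(SAMPLE_REQUESTS):
        print(f"{src}\t{label}\t{body}")
```

A burst of such hits from one source against this action, as a level 5 / risk 3 sqlmap run produces, is the signal to alert on; --random-agent means the User-Agent alone will not identify the tool.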