I am trying to complete an SQL injection CTF here.

I confirmed just adding a single ' mark at the end of the URL caused a MySQL syntax error, and following this tutorial, I could complete this challenge without any automated tools.

Here is the sqlmap command I used:

sudo sqlmap -u "https://www.zixem.altervista.org/SQLi/level1.php?id=1" --dbs

Here is the 403 error output:

[19:29:51] [INFO] testing connection to the target URL
[19:29:51] [WARNING] potential permission problems detected ('Access denied')
[19:29:51] [WARNING] the web server responded with an HTTP error code (403) which could interfere with the results of the tests
[19:29:51] [INFO] testing if the target URL content is stable
[19:29:51] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] 

I have tried pressing continue, however the tool always fails due to the 403 error. The above command worked perfectly for other SQL injection challenges.

Does anyone know how to resolve this?

    ... it looks like you need permissions/login/authentication cookie? – schroeder Jun 07 '22 at 06:14
  • @schroeder Check my self posted answer. One second clicking that link shows there are no permissions, nor login. There are no cookies either, if you check Firefox's settings. – questioner Jun 07 '22 at 14:04

1 Answer

I figured it out in the end.

When I pinged that URL I noticed it was behind Cloudflare, which likely blocks automated penetration testing tools, such as sqlmap.

The solution is to add --random-agent to the end of the command, that way it uses a valid browser's User Agent.
