webPromedium

Lab 238 — PulseWatch — SQL Injection in Collector Configuration

hackadvisor

Task: Infrastructure monitoring platform with collector configuration; dbhost field is parameterized in INSERT but unsanitized in a secondary SQL query (CVE-2023-49085 pattern). Solution: SQLite string concatenation injection via '||(SELECT ...)||' in dbhost field to enumerate tables and extract flag from system_secrets table.

$ ls tags/ techniques/

sqlite sqli php nginx string_concatenation decoy_flag reflected_sqli collector_configuration dbhost_injection secondary_query cve_2023_49085 cacti

decoy_flag_avoidancesqlite_string_concatenation_injectionsecondary_query_sqlischema_enumeration_via_sqlite_masterdata_exfiltration_via_reflected_fieldtime_based_sqli_confirmation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 172 — PulseGuard — Insecure Deserialization via JSON.NET TypeNameHandling— hackadvisor
[web][Pro]Lab 233 — PulseAPI — Regex Auth Bypass via Query String Injection— hackadvisor
[web][Pro]Lab 87 — GridWatch — SQL Injection in Agent Heartbeat API— hackadvisor
[web][Pro]Lab 84 — PulseView— hackadvisor
[web][Pro]Lab 326 — PulseBoard — NoSQL Injection in Authentication— hackadvisor