# HTB box Appointment
Structured Query Language - always thought this was Search Query Language?
[OWASP Top 10 2021 - SQL injection](https://owasp.org/Top10/A03_2021-Injection/)
Classification A03:2021
33 [[Common weakness Enumerations (CWE)]]: CWE-89 SQL injection, CWE-79 XSS, CWE-73 external control of file name/path
Input is not validated, filtered or sanitised, which can result in interference with the application's code. It can be used to extract additional data without proper authorisation.
Target host has port 80 exposed. Service detection: Apache httpd 2.4.38 ((Debian))
We can use [[GoBuster]] to brute-force enumerate directories on the target site, using the `directory-list-2.3-small.txt` word list, which I believe is from [[Metasploit]]. The word list contains ~90k words.
Output:
```
/images (Status: 301) Size: 317 --> http://10.129.246.247/images/
/css (Status: 301) Size: 314 --> http://10.129.246.247/css/
/js (Status: 301) Size: 313 --> http://10.129.246.247/js/
/vendor (Status: 301) Size: 317 --> http://10.129.246.247/vendor/
/fonts (Status: 301) Size: 316 --> http://10.129.246.247/fonts/
```
However, directories on the site are not important for getting the flag; the tasks gave a bit of a red herring.
SQL injection. We can use the username `admin ' #`, but also enter a random password to pass validation on the password field. Depending on the application and, I guess, the programmer, double quotes or single quotes could have been used.
The single `'` will break out of the input and `#` will comment
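The login bypass described above, beside a parameterized fix, as an added example that is not code from the box or from these notes. It assumes the application pastes the form input into a single-quoted query. The table, column names and stored password are constructed, and because SQLite has no `#` comment, the hypothetical helper `strip_hash_comment` approximates how MySQL would discard it.

```python
import sqlite3

def strip_hash_comment(sql: str) -> str:
    """Approximate MySQL lexing: cut at the first '#' outside a '...' literal."""
    in_string = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_string = not in_string      # '' inside a literal toggles twice
        elif ch == "#" and not in_string:
            return sql[:i].rstrip()
    return sql

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Assumption: COLLATE RTRIM stands in for a MySQL PAD SPACE collation,
    # where 'admin ' compares equal to 'admin'.
    db.execute("CREATE TABLE users (username TEXT COLLATE RTRIM, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def build_vulnerable_query(username: str, password: str) -> str:
    # Vulnerable pattern: input is pasted inside the quotes of the statement.
    return ("SELECT username FROM users "
            f"WHERE username='{username}' AND password='{password}'")

def login_vulnerable(db, username, password) -> bool:
    effective = strip_hash_comment(build_vulnerable_query(username, password))
    return db.execute(effective).fetchone() is not None

def login_parameterized(db, username, password) -> bool:
    # Hardened: placeholders keep input as data, never as SQL syntax.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    user, pw = "admin ' #", "random"   # input from the notes above
    print(strip_hash_comment(build_vulnerable_query(user, pw)))
    print("vulnerable login:", login_vulnerable(db, user, pw))
    print("parameterized login:", login_parameterized(db, user, pw))
```

The first printed line is the statement the database actually evaluates: the password condition is gone, so the random password is never compared.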