Possibly Related Threads…

unrecognized · Apr 06, 2025, 06:02 AM

sql injection in n8n endpoint.

zippo99 · Apr 06, 2025, 06:06 AM

im bob but where's the flag... ),:

AncientNull · Apr 06, 2025, 06:40 AM

(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

Are you talking about the auth endpoint, or the webhook in the wiki?

samuelballsiu1 · Apr 06, 2025, 07:44 AM

(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?

date202511 · Apr 06, 2025, 07:47 AM

Did I miss something important?

jsvensson · Apr 06, 2025, 07:54 AM

(Apr 06, 2025, 07:44 AM)samuelballsiu1 Wrote:
(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?

http://a668910b5514e.whiterabbit.htb/en/...h_webhooks

POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb -- this is n8n
x-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 81

{
"campaign_id": 1,
"email": "test@ex.com",
"message": "Clicked Link"
}

i think in this POST is sqli but can't get it work - maybe somebody explain how to do it

AncientNull · Apr 06, 2025, 07:58 AM

(Apr 06, 2025, 07:54 AM)jsvensson Wrote:
(Apr 06, 2025, 07:44 AM)samuelballsiu1 Wrote:
(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?
http://a668910b5514e.whiterabbit.htb/en/...h_webhooks

POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb -- this is n8n
x-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 81

{
"campaign_id": 1,
"email": "test@ex.com",
"message": "Clicked Link"
}

i think in this POST is sqli but can't get it work - maybe somebody explain how to do it

The email field is injectable, I was able to drop a table, just not able to get output. You need to set the gophish signature with the secret in the json. Anyone have a known valid email for the box?

jsvensson · Apr 06, 2025, 08:02 AM

(Apr 06, 2025, 07:58 AM)AncientNull Wrote:
(Apr 06, 2025, 07:54 AM)jsvensson Wrote:
(Apr 06, 2025, 07:44 AM)samuelballsiu1 Wrote:
(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?
http://a668910b5514e.whiterabbit.htb/en/...h_webhooks

POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb -- this is n8n
x-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 81

{
"campaign_id": 1,
"email": "test@ex.com",
"message": "Clicked Link"
}

i think in this POST is sqli but can't get it work - maybe somebody explain how to do it

The email field is injectable, I was able to drop a table, just not able to get output. You need to set the gophish signature with the secret in the json. Anyone have a known valid email for the box?

I knew about signature, what is your payload to drop table?

AncientNull · Apr 06, 2025, 08:06 AM

(Apr 06, 2025, 08:02 AM)jsvensson Wrote:
(Apr 06, 2025, 07:58 AM)AncientNull Wrote:
(Apr 06, 2025, 07:54 AM)jsvensson Wrote:
(Apr 06, 2025, 07:44 AM)samuelballsiu1 Wrote:
(Apr 06, 2025, 06:02 AM)unrecognized Wrote: sql injection in n8n endpoint.

I can't find the n8n endpoint, which you mentioned. Can you please be more clear?
http://a668910b5514e.whiterabbit.htb/en/...h_webhooks

POST /webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d HTTP/1.1
Host: 28efa8f7df.whiterabbit.htb -- this is n8n
x-gophish-signature: sha256=cf4651463d8bc629b9b411c58480af5a9968ba05fca83efa03a21b2cecd1c2dd
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/json
Content-Length: 81

{
"campaign_id": 1,
"email": "test@ex.com",
"message": "Clicked Link"
}

i think in this POST is sqli but can't get it work - maybe somebody explain how to do it

The email field is injectable, I was able to drop a table, just not able to get output. You need to set the gophish signature with the secret in the json. Anyone have a known valid email for the box?

I knew about signature, what is your payload to drop table?

I was able to drop the victims table with "test@ex.com"; DROP TABLE victims;--"
DON'T do that unless you want to restart the box. I think without a valid email we will always get "Info: User is not in database" back.

aryphowake · Apr 06, 2025, 08:08 AM

With SQLi you can extract juicy data. The signature can be calculated using sqlmap and the eval param

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	97	8,887	1 hour ago Last Post: Kolokolo
	SVCHOST Injector 2026	opsecmaster67	0	58	5 hours ago Last Post: opsecmaster67
	Cold Seal 5.6 cracked Sensitive information can be exposed or stolen	opsecmaster67	0	55	5 hours ago Last Post: opsecmaster67
	EagleRAT v2.5 Create backdoor access points	opsecmaster67	0	49	5 hours ago Last Post: opsecmaster67
	[FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags	Techtom	43	3,493	6 hours ago Last Post: qwertyuiop0987654321