HackTheBox - Gavel

IppSec
Mar 14, 2026

Why It Matters

This technique shows that prepared statements alone do not stop SQL injection when a column name is user-controlled, a gap that both developers and pen-testers should know about.

Key Takeaways

  • SQL injection through a user-controlled column name in a prepared statement demonstrated
  • Timing differences on login reveal valid usernames during enumeration
  • An exposed Git repository allowed full source code retrieval
  • Open-source tools Snyk and OpenGrep identified multiple vulnerabilities
  • A custom injection payload extracted the MySQL version and password hashes

Summary

The video walks through the Hack The Box "Gavel" machine, focusing on a rare SQL injection that abuses a prepared statement by injecting into the column name.

After enumerating the host with nmap, the presenter discovers an exposed .git directory, clones the repository, and runs the static analysis tools Snyk and OpenGrep, which flag a SQL injection in inventory.php and several low-severity issues.

The injection works because PHP's PDO binds values, not identifiers: the column name is interpolated into the SQL text before the statement is prepared. That lets the attacker replace the column with a question mark, comment out the rest of the query, and inject a sub-select that reveals the MySQL version and the password hashes from the users table.

The demonstration underscores the danger of exposing source code, the value of timing attacks for username enumeration, and the necessity of validating every component of a query, including identifiers, even when prepared statements are used.
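The pattern described above, as an added illustration that is not the Gavel machine's code: a hypothetical lookup on an assumed `inventory` table whose column name comes from the request, beside an allowlisted fix. It runs against in-memory SQLite so it can be tried offline.

```php
<?php
// Added illustration, not the Gavel source: a lookup whose column name comes
// from the request (hypothetical table "inventory") beside an allowlisted fix.

// Vulnerable: PDO binds the value for "?", but the identifier was interpolated
// into the SQL text before prepare() ran, so a crafted $column is parsed as SQL.
// Disabling PDO::ATTR_EMULATE_PREPARES does not help; the damage is done earlier.
function fetchInventoryUnsafe(PDO $pdo, string $column, string $name): array
{
    $stmt = $pdo->prepare("SELECT {$column} FROM inventory WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: identifiers cannot be bound, so map the request onto a fixed list
// of known columns and reject anything else before building the statement.
const INVENTORY_COLUMNS = ['name', 'quantity', 'price'];

function fetchInventorySafe(PDO $pdo, string $column, string $name): array
{
    if (!in_array($column, INVENTORY_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown column: {$column}");
    }
    // Backtick quoting is MySQL identifier syntax (SQLite accepts it too); the
    // value already passed the allowlist, so no metacharacter can reach it.
    $stmt = $pdo->prepare("SELECT `{$column}` FROM inventory WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check against an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE inventory (name TEXT, quantity INTEGER, price REAL)');
$pdo->exec("INSERT INTO inventory VALUES ('hammer', 3, 9.5)");

// Legitimate use works in both versions.
var_dump(fetchInventorySafe($pdo, 'quantity', 'hammer'));

// A "column" that is really a sub-select is executed by the unsafe version...
var_dump(fetchInventoryUnsafe($pdo, '(SELECT sqlite_version())', 'hammer'));

// ...and rejected by the allowlist before any SQL is built.
try {
    fetchInventorySafe($pdo, '(SELECT sqlite_version())', 'hammer');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

For a code review or a static-analysis rule, the thing to look for is any variable interpolated into the string passed to `prepare()`, regardless of how the values are later bound.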

Original Description

00:00 - Introduction
00:30 - Start of nmap
02:00 - Discovering .git directory, using git-dumper to download source code
05:50 - Using OpenGrep to identify vulnerabilities and discovering an SQL Injection in the Prepared Statement
08:30 - Going over this weird SQL Injection in PHP MySQL Prepared Statements, which is an odd scenario of having control over the column name in the query
11:00 - Creating the SQL Injection Payload in the prepared statement
18:40 - We can't use an ASCII quote, but can hex encode to get around the limitation
23:50 - Cracking the hash and getting admin on the application
26:00 - Looking at the admin functionality, discovering rules can contain PHP which will get us RCE
30:00 - Shell on the box
33:30 - Discovering the gavel-util and gaveld binary, copying them to our box
36:30 - Opening the binaries up in Ghidra
41:30 - Doing some dynamic analysis on our box, running gavel-util to see what it writes to the socket
44:30 - Setting the environment variable RULE_PATH to change where gaveld loads the PHP Configuration from so we can bypass the disabled functions
50:15 - Showing another way we could exploit this, using PHP to rewrite the PHP.INI removing the disabled functions.
