[WEB] wafwaf

I saw that nobody had created the discussion yet. Let's avoid spoilers


Comments

  • Nice easy challenge. There is a source code, what more do you need :)

    joeblogg801

  • I can't understand some of the HTML code; maybe someone has time to help me?

  • edited April 7

    I've spent a bunch of time trying different wordlists for sql injection, xss, usernames... Tried modifying manual requests with burp to bypass the custom waf implementation too. Haven't found anything! Is index.php a rabbit hole?? Is there something not so obvious that I should be looking for?

    Edit: Straightforward once you know what type of attack to use.

  • How will the output be returned from the query? It just runs the query and returns the value .. where is the output?! Am I on the wrong path?

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • mmmm Is it what I guess, is there a rabbit hole?! ^_^

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • @drxxx you get this?

  • @oldirtykush said:

    @drxxx you get this?

    Unfortunately not yet .. I'm in a loop .. from its rating I guess it's easy and there is something obvious I can't see

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • no rabbit holes. just read the code and see if there is a way to bypass the protection.

    daverules

  • @daverules said:

    no rabbit holes. just read the code and see if there is a way to bypass the protection.

    That's what I keep doing .. I'm able to bypass the WAF but nothing returns!!

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • Hi, any hint? Is "unset" the right path or do I have to study classic WAF bypass techniques in depth? Thanks :)

  • @J4c said:

    Hi, any hint? Is "unset" the right path or do I have to study classic WAF bypass techniques in depth? Thanks :)

    There is a risk of overthinking on this one. You can try various things, see if you can get a different response to different requests then, if there is, you can use a tool (s****p) to automate it.

    I found it was very, very, very, very slow though. There may be faster approaches.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @daverules said:

    no rabbit holes. just read the code and see if there is a way to bypass the protection.

    Thank you a lot, it was so obvious as I said

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • @J4c said:

    Hi, any hint? Is "unset" the right path or do I have to study classic WAF bypass techniques in depth? Thanks :)

    No .. take it as simple as that .. don't overthink, as @TazWake said; overthinking killed my yesterday ... even though I found I had everything in my hands.

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • Thanks @Drxxx and @TazWake for your answers

  • so.... slow..... I haven't had to do this in ages 😩

    0x41

  • good challenge :smile: learned a lot :smile:

  • I've been trying for 2 days...... I know that it's a WAF bypass, but really I'm too lost :( can someone give me a light?!!

  • edited April 14

    And I also know that the function waf() blocks some characters, so my attempts were something like //!comand//!comand

  • edited April 16

    Hey, also stuck on this one. But a bit further ahead of WillBar I think.

    I understand the code, and what gets given to the php functions from the request.

    @WillBar: notice that the WAF function returns json_decode($s), and then what gets passed to the query function is not the original value of the request ....

    What I'm struggling with is what to send as the value of the attribute of the object I'm posting. Tried s****p to get something going, but no luck.... possibly not using it right. Any hints?

  • @Drxxx said:

    That's what I keep doing .. I'm able to bypass the WAF but nothing returns!!

    Same thing on my side. I don't see how I can get a response.

  • @nOnOs said:

    @Drxxx said:

    That's what I keep doing .. I'm able to bypass the WAF but nothing returns!!

    Same thing on my side. I don't see how I can get a response.

    Hi, I solved it after I noticed what to do if I didn't get any response from the server .. what SQL injection technique I need to use ;)

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • @Drxxx said:

    @nOnOs said:

    @Drxxx said:

    That's what I keep doing .. I'm able to bypass the WAF but nothing returns!!

    Same thing on my side. I don't see how I can get a response.

    Hi, I solved it after I noticed what to do if I didn't get any response from the server .. what SQL injection technique I need to use ;)

    Hmmm, interesting, but one doubt: how do I know if the WAF is blocking my diversion attempts?

  • Thanks @Drxxx !

    A good craftsman has to know his tools first :)

  • @WillBar said:

    @Drxxx said:

    @nOnOs said:

    @Drxxx said:

    That's what I keep doing .. I'm able to bypass the WAF but nothing returns!!

    Same thing on my side. I don't see how I can get a response.

    Hi, I solved it after I noticed what to do if I didn't get any response from the server .. what SQL injection technique I need to use ;)

    Hmmm, interesting, but one doubt: how do I know if the WAF is blocking my diversion attempts?

    As simple as .. just read the source code ;)

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • edited April 18

    I understand what type of SQLi that is and what tool I need to use to automate its exploitation, but I'm unable to bypass the damn WAF. If only ' and ( were excluded from the regexp I'd have no problems. I must be missing something.

  • @Drxxx said:

    @WillBar said:

    @Drxxx said:

    @nOnOs said:

    @Drxxx said:

    That's what I keep doing .. I'm able to bypass the WAF but nothing returns!!

    Same thing on my side. I don't see how I can get a response.

    Hi, I solved it after I noticed what to do if I didn't get any response from the server .. what SQL injection technique I need to use ;)

    Hmmm, interesting, but one doubt: how do I know if the WAF is blocking my diversion attempts?

    As simple as .. just read the source code ;)

    But all the SQL characters are in this filter; I can't get past it with comments or logical operations.

  • Maybe you need to think about how to bypass that; maybe en**** your payload ;)

    Drxxx
    I wouldn't mind some +respect if I helped you ;)

  • I got a breakthrough. I made a connection with the server using POST and the technique of Para***** Polu*****.

    Am I on the right track?

  • edited April 23

    Okay, I think I managed to bypass the WAF, but I have no clue how to proceed any further regarding suitable SQL injection techniques. Maybe I just know too little about it, and the fact that the script suppresses any errors doesn't make it better.

  • I just finished the challenge yesterday. You can be disguised as a proxy through a script used by a useful tool for this kind of attack ;)
