[WEB] ezpz

Wow, what a challenge, thanks @ahmed, this has been the most difficult web challenge I have done so far on htb, not ezpz at all!!
But I learned a lot more, thanks.

One thing I want to say, this challenge is not a 20 points challenge, at least not from my noob point of view :expressionless:

Thanks @ahmed, this was a very cool challenge!

Fun challenge, learned a lot about WAF bypassing. But 20 points? I don’t know dude.

@davidlightman said:

Hi, I’m stuck on bypassing the second notice. I’ve tried anything I know about PHP (will not write it here to avoid spoiling). I could use some help in the right direction. Thanks!

same here:"( help me plz!

pm me plz :"(
I’m stuck in second notice…

Would someone mind pm’ing with a bit of assistance on the second notice? been stuck for quite a while now.

I’m stuck in second notice… help pls :frowning:

would be nice if someone would be kind enough to guide me through this challenge.
I'm also stuck on the 2nd and really wanted to solve this and learn the things that this challenge needs.
please PM me!

I’m stuck in SQLi. I got all databases but can’t extract table names; it looks like the WAF blocks built-in functions like: H**, CR, U*H AND → ifrtn_shm
Do I need to look for more built-in functions in SQL that are not blocked by the firewall?
pm me :slight_smile:

Spoiler Removed

I’m stuck on the challenge, figured out how to send in a simple sqli but can’t get any more. Any help is appreciated :slight_smile:

Same here, I’m completely stuck with the S**i part. I can’t get anything, all it’s blocked by the WAF.

Any hints will be more than welcome.

OK… So I got as far as clearing the second part and now I am getting an error mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given
I know I can’t really put what I am doing to get the error, but someone who is willing to pm me, please help me understand what I am doing wrong.

EDIT:
4 days later, I got the flag. Thank you mostly to @Idomino for your suggestion on testing on my own DB for proper syntax. It clicked for me once I realized I was missing a small part in my syntax when watching another tutorial on a completely unrelated database.

The WAF is blocking everything I have been trying which I have had to do manually (using burpsuite’s repeater at the moment). I am not well experienced with any manual sqli, but I have spent the last six hours banging on this. The initial part of figuring out how to correctly format to get to where you can get rejected by the WAF did not take too long.

Did others here figure out a way to use something like wfuzz or sqlmap with this to get the right technique? Or is it entirely manual? It seems like there are far too many possible different variations for this to be practical.

I could really use a hint. PM is fine too. Thanks.

I’m struggling to extract column names :confused: any nudges please? I know the table though…

EDIT: got the flag. This was definitely not an easy one…

Am I supposed to see PHP errors when I start this challenge?

@theart42 yes. Error messages are a big giveaway on any website and should be turned off. Try to exploit it!

Got it. Very hard but nice.
If someone needs help, PM me.

Is this supposed to be blind or should I see an output?

'morning everyone.

Getting stuck on this one.
No more PHP errors, but I can’t find the way to infiltrate after. (so it’s fine)
Then I made my own tamper.py to inject at the right place with the right structure (am I right?)

Regards!