Wow, what a challenge, thanks @ahmed, this has been the most difficult web challenge I have done so far on HTB, not ezpz at all!!
But I learned a lot more, thanks.
One thing I want to say: this challenge is not a 20-point challenge, at least not from my noob point of view.
Hi, I’m stuck on bypassing the second notice. I’ve tried anything I know about PHP (will not write it here to avoid spoiling). I could use some help in the right direction. Thanks!
Would be nice if someone would be kind enough to guide me through this challenge.
I'm also stuck on the 2nd and really wanted to solve this and learn the things that this challenge needs.
Please PM me!
I’m stuck in SQLi. I got all databases but can’t extract table names; it looks like the WAF blocks built-in functions like: H**, CR, U*H AND → ifrtn_shm…
Do I need to look for more built-in functions in SQL that are not blocked by the firewall?
PM me
OK… So I got as far as clearing the second part and now I am getting an error: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given
I know I can’t really put what I am doing to get the error, but someone who is willing to pm me, please help me understand what I am doing wrong.
EDIT:
4 days later, I got the flag. Thank you mostly to @Idomino for your suggestion on testing on my own DB for proper syntax. It clicked for me once I realized I was missing a small part in my syntax when watching another tutorial on a completely unrelated database.
The WAF is blocking everything I have been trying, which I have had to do manually (using Burp Suite’s Repeater at the moment). I am not well experienced with any manual SQLi, but I have spent the last six hours banging on this. The initial part of figuring out how to correctly format to get to where you can get rejected by the WAF did not take too long.
Did others here figure out a way to use something like wfuzz or sqlmap with this to get the right technique? Or is it entirely manual? It seems like there are far too many possible different variations for this to be practical.
I could really use a hint. PM is fine too. Thanks.
Getting stuck on this one.
No more PHP errors, but I don’t find the way to infiltrate after. (so it’s fine)
Then I made my own tamper.py to inject at the right place with the right structure (am I right?)