[WEB] ezpz

Spoiler Removed

I’m stuck on the challenge, figured out how to send in a simple sqli but can’t get any more. Any help is appreciated :)

Same here, I’m completely stuck with the S**i part. I can’t get anything, it’s all blocked by the WAF.

Any hints will be more than welcome.

OK… So I got as far as clearing the second part and now I am getting an error: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given
I know I can’t really put what I am doing to get the error, but someone who is willing to pm me, please help me understand what I am doing wrong.

EDIT:
4 days later, I got the flag. Thank you mostly to @Idomino for your suggestion on testing on my own DB for proper syntax. It clicked for me once I realized I was missing a small part in my syntax when watching another tutorial on a completely unrelated database.

The WAF is blocking everything I have been trying which I have had to do manually (using burpsuite’s repeater at the moment). I am not well experienced with any manual sqli, but I have spent the last six hours banging on this. The initial part of figuring out how to correctly format to get to where you can get rejected by the WAF did not take too long.

Did others here figure out a way to use something like wfuzz or sqlmap with this to get the right technique? Or is it entirely manual? It seems like there are far too many possible different variations for this to be practical.

I could really use a hint. PM is fine too. Thanks.

I’m struggling to extract column names. Any nudges please? I know the table though…

EDIT: got the flag. This was definitely not an easy one…

Am I supposed to see PHP errors when I start this challenge?

@theart42 yes. Error messages are a big giveaway on any website and should be turned off. Try to exploit it!

Got it. Very hard but nice.
If someone needs help, PM me.

Is this supposed to be blind or should I see an output?

'morning everyone.

Getting stuck on this one.
No more PHP errors, but I can’t find the way to infiltrate after. (so it’s fine)
Then I made my own tamper.py to inject at the right place with the right structure (am I right?)

Regards !

I am stuck, help please.

Finally, I did it. Definitely, it isn’t an easy one. I learned some new things about S**i. The initial part is funny and pushes me to think as a programmer does, guessing the lines and their behavior behind the scenes.

The part of S**i was too much for me, but researching on Google you will find the correct path.

Definitely, this challenge will help me in the future.

PM if you need help.

Sometimes your meal needs some … to add some flavor.

Alright, found some time to get back to this and took like 2 hours doing the wrong thing to get me to the flag. Very hard challenge, such an annoying “waf”…

Found a vulnerable param using s**m*p and a custom tamper script to format the payload. I am however unable to exploit this vulnerable param. Am I on the right track or should I try something else?

■■■■ it took me a few days of extensive googling and mindfuckery to get through this. I’m new to sqli but I feel I learned a ton from this.

For people stuck at the firewall, as someone pointed out, try to understand what type of words (special characters? hint hint) the WAF is trying to filter. Feel free to hit me up if you need any more pointers.

I’m stuck on second notice too.

A small hint for the last step. You don’t really need the column.

Can someone give a hint about WAF bypass?
I can’t use union and select. I tried to use comments (se/**/lect) and Unicode, but everything gets blocked.