[WEB] wafwaf

I understand what type of sqli is that and what tool I need to use to automate its exploitation but I’m unable to bypass the ■■■■ waf. If only ’ and ( would be excluded from regexp I’d have no problems. I must be missing something

Type your comment> @Drxxx said:

Type your comment> @WillBar said:

Type your comment> @Drxxx said:

Type your comment> @nOnOs said:

Type your comment> @Drxxx said:

That what I keep doing … I’m able to bypass the WAF but nothing return !!

Same thing on my side. I don’t see how I can get a response.

Hi, I have solved it after I notice what to do if I didn’t get any response from the server … what sql injection technique I need to use :wink:

Hmmm, interesting, but a doubt, how do I know if Waf is blocking my diversion attempts?

As simple as … Just read the source code :wink:

but all the sql characters are in this filter, I can’t ignore it with comments or using logical operations

maybe you need to think about how to bypass that maybe en**** your payload :wink:

I got a breakthrough. I make a connection with server using POST and the technique of Para***** Polu*****.

I’m in the right way?

Okay, I think I managed to bypass the WAF, but I have no clue how to proceed any further regards suitable SQL injection techniques. Maybe I just know too little about it, and the fact that the script suppresses any errors doesn´t make it better.

I just finished the challenge yesterday. You can be disguised as a proxy through a script used by a useful tool for this kind of attack :wink:

Solved.
Thank you @tn3k for the tips!

I think I can get past the bouncer by enc*** but then no answer whatever sqli load I try. Am I knocking on the right door?

Edit: s****p helps and poke around the premises.

It took me a while to get there as I am just starting out with these challenges. Special thanks to @flejz for all the help!

do i have to find a username first in order to get a proper output or what ?

Very nice challenge. I did learn not to fully trust automated tools.
The tool you would use already has a script that manipulates the payload, however, it is not recognized as encoding :wink:

Great challenge! It took me a while to get a flag but i’ve finally done it. As already mentioned in this topic, the tool you want to use for this already has a suitable script.

Finally I solved it, nice challenge. Its easy to overthink it so my suggestion to those who struggling would be to keep things simple and don’t forget that its 40 points only.

I am really stuck on this one. I Have been trying some of the tools, and just playing around with input in Burp but still cant seem to get anywhere. Any hints?

Hi, I’m stuck on this too. Any ideas or tips please? I know how to make the waf start answering nothing, but what next? Thx.
Sorry for bad english.

Hey there!

I thought to apply to a simple web challenge and lost a lot of time till now ahahahah :smiley:
Waf, I know how to bypass it, manually.
I simply don’t get it… when the injection is correct I get no output, so how do you get the results?

EDIT: sorry, stupid question, I’ve been soo blind :smiley:

Hey all,

I think I’ve fallen into the same problem where I can bypass the WAF with my injection BUT I just can’t figure out how to retrieve the results from the server.

Any help would be greatly appreciated

finally able to complete this challenge after more than 4 weeks of working on it. if you are stuck, I will let you know a very important hint: a certain result can be obtained with ping.exe. this may give too much away so hopefully the janitors do not censor as spoiler.

Easy and cool,
The slowness is normal… It’s based on the blind technique used!