Wow, that was very interesting and challenging. Congrats @makelaris, I had a lot of fun here.
A few tips that could be handy:
- Try to understand how the application works, don’t submit payloads like crazy.
- Replicate locally. You need to do something with the payload to make it readable by the application. You can force some custom errors to see if it is working.
- Read about what you need and how to exploit it. Doing it locally is faster and effective.
- After that, you have to bypass some filters, that’s a bit tricky.
- Some commands might not work. I did it blindly but there are other options.
Anyways, PM me if you are stuck.