Possibly Related Threads…

LOOOP · Feb 03, 2024, 01:03 PM

Hey, BF new challenge is here

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Compromised - Malware Logs

paven · Feb 03, 2024, 02:11 PM

Link - https://app.hackthebox.com/challenges/0xboverchunked

antigoth · Feb 04, 2024, 09:40 AM

Working on it, I figured out you can bypass the waf.php filter to circumvent "OR" by doing "o+r" .
the flag is obivously at id=6 from reading the code which is blocked

it doesn't see 5 + 1 as 6 though, just an invalid ID

peRd1 · (This post was last modified: Feb 04, 2024, 11:51 AM by peRd1.)

It can be done with a very well formulated sqlmap query as well. Just don't forget about the flags, level, risk, random agent, etc.

And think about which endpoint, what you want to search for, and dump that shit.

It's going to find some injection parameter that can be abused of course...

cavour13 · Feb 05, 2024, 06:01 PM

I read all the code but i couldn't bypass waf ! tried also with sqlmap -r req{http post request `Controllers/Handlers/SearchHandler.php`} with --level 5 --risk 3 --dump

xa6 · Feb 07, 2024, 09:41 AM

sqlmap is unintended afaik

dhzzz · Feb 07, 2024, 04:10 PM

6' AND CASE WHEN gamedesc LIKE 'HTB{%}' THEN 1 ELSE load_extension(1) END -- -

I dumped the flag with this sqli but its not case sensitive, REGEXP and COLLATE doens't seems to work...

Steward · Feb 08, 2024, 06:54 PM

(Feb 07, 2024, 04:10 PM)dhzzz Wrote: 6' AND CASE WHEN gamedesc LIKE 'HTB{%}' THEN 1 ELSE load_extension(1) END -- -

I dumped the flag with this sqli but its not case sensitive, REGEXP and COLLATE doens't seems to work...

how could you dump anything with the request that contains quote?
you should get response "SQL Injection attempt identified and prevented by WAF!" because your request contains '

dhzzz · Feb 09, 2024, 05:17 PM

(Feb 08, 2024, 06:54 PM)Steward Wrote:
(Feb 07, 2024, 04:10 PM)dhzzz Wrote: 6' AND CASE WHEN gamedesc LIKE 'HTB{%}' THEN 1 ELSE load_extension(1) END -- -

I dumped the flag with this sqli but its not case sensitive, REGEXP and COLLATE doens't seems to work...

how could you dump anything with the request that contains quote?
you should get response "SQL Injection attempt identified and prevented by WAF!" because your request contains '

Transfer-Encoding: chunked

isac37M · Feb 09, 2024, 08:48 PM

(Feb 09, 2024, 05:17 PM)dhzzz Wrote:
(Feb 08, 2024, 06:54 PM)Steward Wrote:
(Feb 07, 2024, 04:10 PM)dhzzz Wrote: 6' AND CASE WHEN gamedesc LIKE 'HTB{%}' THEN 1 ELSE load_extension(1) END -- -

I dumped the flag with this sqli but its not case sensitive, REGEXP and COLLATE doens't seems to work...

how could you dump anything with the request that contains quote?
you should get response "SQL Injection attempt identified and prevented by WAF!" because your request contains '

Transfer-Encoding: chunked

It's giving me internal server error. Any idea?

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] CPTS 12 FLAGS	pulsebreaker	68	1,916	4 hours ago Last Post: VictorPipeau
	[FREE] HackTheBox Dante - complete writeup written by Tamarisk	Tamarisk	601	91,514	4 hours ago Last Post: VictorPipeau
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	371	92,790	5 hours ago Last Post: phannguyenbaouy1
	[FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags	Techtom	21	2,604	9 hours ago Last Post: popoler
	Hack the box Pro Labs, VIP, VIP+ 1 month free Method	RedBlock	23	2,246	Yesterday, 02:10 PM Last Post: kkkato