
Cybertalents catchMomen Web Challenge Writeup

Description

Don’t Try To 3scape From Your Destiny !

Difficulty: Medium

Challenge Link: http://3.126.138.80/catch/

Solution

Exploring

It looks like an ordinary company website. The only interesting feature is a login form, which may be our attack vector.

While looking through the page source I found a credential that might allow me to log in, but unfortunately it does not work; the server returns the error message “User not found”.

Now it is time to try SQL injection. I fired up Burp Suite, chose some payloads from PayloadsAllTheThings and added them to the Intruder tab to see what the responses would tell us:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

I noticed three types of responses (User not found, Forbidden, and an empty response). From this we can conclude that some of the SQL payloads are triggering a WAF and being blocked. Let’s try to observe exactly what is being blocked.

WAF Bypass

Let’s enter a normal SQL query like the following:

uname=GG_Homie!&pass=GG_Homie!'+OR+1=1+#

But unfortunately it is blocked. Let’s add the query word by word instead of sending the whole thing at once, starting with something like this:

uname=GG_Homie!&pass=GG_Homie!'+

The WAF accepts this, so let’s continue and add OR to it:

Hmm! It seems that OR is blocked, so we need to find an equivalent for it. The same PayloadsAllTheThings resource has this table:

AND   -> &&
OR    -> ||
=     -> LIKE,REGEXP, BETWEEN, not < and not >
> X   -> not between 0 and X
WHERE -> HAVING

Great! We can now use || instead of OR, and it succeeds:

Let’s continue our payload with 1=1 to log in successfully. But wait, it is also blocked:

But how are we going to get around this? I thought about changing 1=1 to another always-true condition. I tried 3>2 but it didn’t work; when I tried 4!=2, which is also evaluated as true, I was able to get the flag!
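As an added example (not part of the writeup or the challenge code), the following Python models the lesson from a defender's side: a hypothetical keyword blocklist built from what was observed above (the WAF rejects the word OR and a plain `x=y` comparison) still lets the equivalent `||` and `!=` forms through, while a parameterized query rejects the same input regardless of how it is spelled. The blocklist patterns, the in-memory users table and its credentials are constructed for the demo; `||` is read as OR by MySQL, so the concatenated query is only built as a string here, not executed on SQLite.

```python
import re
import sqlite3

# Hypothetical blocklist reproducing what the writeup observed: the WAF
# rejects the keyword OR and a bare x=y comparison, but not || or !=.
BLOCKED_PATTERNS = (r"\bOR\b", r"\w=\w")


def waf_allows(value: str) -> bool:
    """True if the naive keyword blocklist would let this input through."""
    return not any(re.search(p, value, re.IGNORECASE) for p in BLOCKED_PATTERNS)


def build_concat_query(uname: str, pw: str) -> str:
    """Vulnerable pattern: user input spliced straight into the SQL text.

    Returned as a string only. MySQL evaluates || as OR, so the injected
    condition becomes part of the WHERE clause; SQLite treats || as string
    concatenation, which is why this is not executed below.
    """
    return f"SELECT * FROM users WHERE uname='{uname}' AND pass='{pw}'"


def make_db() -> sqlite3.Connection:
    """Constructed sample table; plaintext password is for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_param(conn: sqlite3.Connection, uname: str, pw: str) -> bool:
    """Hardened form: placeholders, so the driver never parses input as SQL."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE uname=? AND pass=?", (uname, pw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    blocked = "GG_Homie!' OR 1=1 #"
    bypass = "GG_Homie!' || 4!=2 #"
    print("blocklist catches OR / 1=1:", not waf_allows(blocked))
    print("blocklist misses || / 4!=2:", waf_allows(bypass))
    print("query a concatenating app would send:")
    print("  " + build_concat_query("GG_Homie!", bypass))
    conn = make_db()
    print("param query with bypass input:", login_param(conn, "GG_Homie!", bypass))
    print("param query with real creds:", login_param(conn, "admin", "correct-horse"))
```

The blocklist only ever matches the spelling of a condition, not its meaning, which is why rewriting tokens defeats it; the parameterized query never interprets the password field as SQL at all.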

This post is licensed under CC BY 4.0 by the author.