
NanoSec x Wargames.MY CTF – Super Next Generation WAF

It’s too late for me to submit the!

So the challenge is:

So I heard you're a hacker. I set up Super Next Gen. AumWAF to protect my l33t website.
Please hack my website.




sql.php page:


As expected, any SQL injection attempt returns an error message like the one below:


Nmap result: noticed “/*.bak” in robots.txt

Let's check whether a backup file exists: sql.php.bak -> Yes, it does exist!

PHP file source code:

First, I noticed that $_REQUEST['id'] was passed to the filter, but $_GET['id'] was passed to the query function. After some research I learnt that $_REQUEST is populated from $_GET, $_POST and $_COOKIE in that order, so a later source overwrites an earlier one. This is the default order defined in the php.ini file and it can be changed. [Seriously, I copied this info from somewhere.]

The idea is to change the request from GET to POST while keeping the id parameter in the URL. Since $_POST['id'] overwrites $_GET['id'] inside $_REQUEST['id'], the filter only ever sees the harmless POST value, while our unfiltered $_GET['id'] reaches the query untouched.
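The $_REQUEST/$_GET mismatch described above, modelled as an added PHP example (this is not the challenge's sql.php; the toy WAF regex, the handler names and the "GP" merge order are assumptions standing in for AumWAF and the server's php.ini) beside the hardened pattern that validates and binds the same value it uses:

```php
<?php
// Added example: emulate how PHP fills $_REQUEST from the other superglobals
// and show why filtering $_REQUEST['id'] but querying with $_GET['id'] fails.
declare(strict_types=1);

// Emulate request_order: later letters overwrite earlier ones. "GP" is the
// order assumed here (GET, then POST); the real server's php.ini decides.
function build_request(array $get, array $post, array $cookie, string $order = 'GP'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        $request = array_merge($request, $sources[$letter] ?? []);
    }
    return $request;
}

// Toy WAF check (assumed): reject quotes, comment markers and common keywords.
function waf_allows(string $value): bool
{
    return preg_match('/[\'"#;]|\b(union|select|or|and)\b|--/i', $value) !== 1;
}

// Vulnerable pattern from the write-up: filter one superglobal, query another.
// Returns the value that would reach the SQL query, or null when blocked.
function vulnerable_handler(array $get, array $request): ?string
{
    if (!waf_allows($request['id'] ?? '')) {
        return null; // WAF "blocked" response
    }
    return $get['id'] ?? ''; // unfiltered value goes to the query
}

// Hardened pattern: read the parameter once, validate the very value you use,
// then bind it, e.g. $stmt = $pdo->prepare('SELECT ... WHERE id = :id');
//                    $stmt->execute([':id' => $id]);
function hardened_handler(array $get): ?int
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// Constructed request: suspicious value in the URL, benign value in the body.
$get  = ['id' => "1' OR 1=1"];
$post = ['id' => '1'];
$request = build_request($get, $post, []);

var_dump(waf_allows($request['id']));          // true: the WAF saw the POST value
var_dump(vulnerable_handler($get, $request));  // "1' OR 1=1": the GET value reached the query
var_dump(build_request($get, $post, [], 'PG')['id']); // "1' OR 1=1": a different order flips it
var_dump(hardened_handler($get));              // NULL: rejected regardless of order
var_dump(hardened_handler(['id' => '7']));     // int(7)
```

Run it with `php example.php`; the point is that the query must only ever see the value the validation saw, which no ordering of $_REQUEST can guarantee for two different superglobals.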

So, to get the flag (a hint was also provided):


Flag: wgmy{aumwaf_1z_th3_b3st_w4f}
2. Ramadhan -> improvised my curl request.

