
NanoSec x Wargames.MY CTF – Super Next Generation WAF

It’s too late for me to submit the flag..lol!

So the challenge is:

So I heard you're hacker. I setup Super Next Gen. AumWAF to protect my l33t website.
Please hack my website.

Thanked!

http://supernext-gen-aumwaf.wargames.my/

Webpage: [screenshot: supernextgenerationwaf]

sql.php page: [screenshot: hackme]

As expected, any SQL injection attempt returns the error message shown below:

[screenshot: sqlinjectionattempt]

Nmap result: the robots.txt file contains a “/*.bak” entry, which suggests backup copies of the PHP files are being served.

Let’s check whether a backup of the page exists: sql.php.bak -> Yes!! It does exist!!

PHP file source code:

First, I noticed that $_REQUEST[‘id’] is passed to the WAF filter, but $_GET[‘id’] is what gets passed to the function that runs the query. After some research I learnt that $_REQUEST is built from $_GET, $_POST and $_COOKIE in that order, as configured by request_order (or, if unset, variables_order) in php.ini, so it can be changed. When the same parameter name appears in more than one source, the later source overwrites the earlier one; with the usual request_order = "GP", a POST value overwrites a GET value of the same name in $_REQUEST. [Seriously, I copied this info from somewhere.]

The idea is to switch the request from GET to POST while keeping the GET parameters in the URL. A harmless id in the POST body overwrites $_REQUEST[‘id’], so that is the value the filter inspects, while $_GET[‘id’] still carries our payload and never goes through the filter.
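The following is an added example, not the challenge’s sql.php (the post does not reproduce that file) and not code from the original write-up. It models the pattern described above with hand-populated superglobals so it runs from the PHP CLI: a blocklist filter is applied to $_REQUEST['id'] while the query uses $_GET['id']. The filter regex, the function names (aumwaf_filter, lookup, vulnerable, fixed), the request_order = "GP" behaviour being simulated with array_merge, the http://target/ URL and the sample payload are all assumptions chosen for illustration.

```php
<?php
// Added example: models the $_REQUEST-vs-$_GET mismatch from the write-up.
// Equivalent HTTP request (hypothetical URL, constructed payload):
//   curl -X POST -d 'id=1' 'http://target/sql.php?id=1%20OR%201%3D1'

function aumwaf_filter(string $value): bool {
    // Hypothetical blocklist standing in for the challenge WAF.
    return !preg_match("/['\"#;]|--|\\/\\*|\\b(union|select|or|and)\\b/i", $value);
}

function lookup(string $id): string {
    // Stand-in for the DB call; it only shows which value reaches the query.
    return "SELECT * FROM items WHERE id = $id";
}

// Vulnerable pattern: filter one superglobal, use another.
function vulnerable(): string {
    if (!aumwaf_filter($_REQUEST['id'] ?? '')) {
        return 'blocked by AumWAF';
    }
    return lookup($_GET['id'] ?? '');
}

// Fixed pattern: validate the exact value you use, and make it an integer
// before it goes anywhere near SQL (prepared statements are better still).
function fixed(): string {
    $id = $_GET['id'] ?? '';
    if (!preg_match('/^\d+$/', $id)) {
        return 'blocked: id must be numeric';
    }
    return lookup((string) (int) $id);
}

// Simulated request: GET ?id=<payload> plus a POST body of id=1.
// With request_order = "GP", $_REQUEST is GET first, then POST on top,
// so the POST value wins for a key present in both. (Constructed input.)
$_GET     = ['id' => '1 OR 1=1'];
$_POST    = ['id' => '1'];
$_REQUEST = array_merge($_GET, $_POST);

echo "filter sees:  {$_REQUEST['id']}\n";
echo "vulnerable(): " . vulnerable() . "\n";   // payload reaches the query
echo "fixed():      " . fixed() . "\n";        // rejected
```

Run it with `php example.php`: the filter checks the value 1 and lets the request through, while the unfiltered $_GET['id'] ends up in the query string. Sending the same payload in $_REQUEST directly (no POST body) trips the blocklist, which is the behaviour the screenshot above shows for ordinary injection attempts.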

So, to get the flag (+ hint was provided):

 

Flag: wgmy{aumwaf_1z_th3_b3st_w4f}
Credit:
1. https://www.pwndiary.com/write-ups/sec-t-ctf-2017-naughty-ads-write-up-web200/
2. Ramadhan, who improved my curl request.

[THE END]
