CyberTalents — CatchMomen(Web Security) Writeup
When you open the web page you will see a normal company website but let’s try to login
go to http://3.126.138.80/catch/login.php
let’s looking at the source code I found a credential which maybe will allow me to login but it is not working.
it gives me an error message ‘User not found’
so maybe sql injection , let’s try to do it just open up Burp Suite and move on to brute force on this login page you can use this link :
https://github.com/payloadbox/sql-injection-payload-list and try to brute force with Burp Suite
as we can see there’s a WAF that blocking some payloads
WAF Bypass
Let’s enter a normal SQL query like this:
uname=GG_Homie!&pass=GG_Homie!'+OR+1=1+#it blocked. let’s add something different. let’s first start by this:
uname=GG_Homie!&pass=GG_Homie!'+The WAF accepts the payload, let’s continue and add ORto it:
ORis blocked but we know that OR= ||
we can now use || instead of OR
And bypass The WAF
Let’s continue our payload and 1=1 to be able to login.
But it’s also Blocked
I tried 4!=2 which should be treated as true and I was able to get the flag
