CyberTalents — CatchMomen (Web Security) Writeup

When you open the web page, you will see a normal company website, but let’s try to log in.

Go to http://3.126.138.80/catch/login.php


Looking at the source code, I found a credential which might allow me to log in, but it does not work.

It gives me an error message: ‘User not found’.

So maybe it is SQL injection. Let’s try it: open Burp Suite and brute force this login page with a payload list. You can use this one:

https://github.com/payloadbox/sql-injection-payload-list

As we can see, there’s a WAF that is blocking some payloads.

WAF Bypass

Let’s enter a normal SQL query like this:

uname=GG_Homie!&pass=GG_Homie!'+OR+1=1+#

It is blocked. Let’s try something different, starting with this:

uname=GG_Homie!&pass=GG_Homie!'+

The WAF accepts the payload. Let’s continue and add OR to it:

OR is blocked, but we know that OR = ||

We can now use || instead of OR and bypass the WAF.

Let’s continue our payload and add 1=1 to be able to log in.

But it’s also blocked.

I tried 4!=2, which should be treated as true, and I was able to get the flag.

Flag: FLAG{D0nt_Try_T0_3sc@b3_Fr0m_M3}
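
Why the keyword filter failed and what fixes the login, as an added example that is not part of the original writeup or the challenge's code: a blocklist reconstructed from the behaviour observed above (an assumption, the real WAF rules are unknown) is run over the same password values next to a parameterized login query. Python with sqlite3 stands in for the challenge's backend; the `users` table, the `alice` account and all function names are constructed.

```python
import re
import sqlite3

# Assumed reconstruction of the filter seen in the writeup: it rejects the
# keyword OR and the tautology 1=1, and nothing else.
BLOCKLIST = [re.compile(r"\bOR\b", re.I), re.compile(r"1\s*=\s*1")]

def waf_allows(value: str) -> bool:
    """Return True when no blocklisted pattern appears in the input."""
    return not any(p.search(value) for p in BLOCKLIST)

def make_db() -> sqlite3.Connection:
    """In-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    # Plaintext column only to mirror the challenge; store a password hash in practice.
    db.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret-constructed"))
    return db

def login(db: sqlite3.Connection, uname: str, password: str) -> bool:
    """Parameterized lookup: both inputs are bound as data, never parsed as SQL."""
    row = db.execute(
        "SELECT 1 FROM users WHERE uname = ? AND pass = ?", (uname, password)
    ).fetchone()
    return row is not None

# Password values from the writeup, form-decoded ('+' is a space). The third
# one is reconstructed from the step where 1=1 is appended after ||.
PAYLOADS = [
    "GG_Homie!' OR 1=1 #",
    "GG_Homie!' ",
    "GG_Homie!' || 1=1 #",
    "GG_Homie!' || 4!=2 #",
]

def evaluate():
    """Return (payload, passed_filter, logged_in) for each sample value."""
    db = make_db()
    return [(p, waf_allows(p), login(db, "GG_Homie!", p)) for p in PAYLOADS]

if __name__ == "__main__":
    for payload, passed_filter, logged_in in evaluate():
        print(f"{payload!r:26} filter_pass={passed_filter} login={logged_in}")
```

The last payload passes the blocklist because the set of always-true expressions cannot be enumerated, while the bound query rejects every payload regardless of what the filter let through.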
