Possibly Related Threads…

LOOOP · 02-03-2024, 01:03 PM

Hey, BF new challenge is here

paven · 02-03-2024, 02:11 PM

Link - https://app.hackthebox.com/challenges/0xboverchunked

antigoth · 02-04-2024, 09:40 AM

Working on it, I figured out you can bypass the waf.php filter to circumvent "OR" by doing "o+r" .
the flag is obivously at id=6 from reading the code which is blocked

it doesn't see 5 + 1 as 6 though, just an invalid ID

peRd1 · (This post was last modified: 02-04-2024, 11:51 AM by peRd1.)

It can be done with a very well formulated sqlmap query as well. Just don't forget about the flags, level, risk, random agent, etc.

And think about which endpoint, what you want to search for, and dump that shit.

It's going to find some injection parameter that can be abused of course...

cavour13 · 02-05-2024, 06:01 PM

I read all the code but i couldn't bypass waf ! tried also with sqlmap -r req{http post request `Controllers/Handlers/SearchHandler.php`} with --level 5 --risk 3 --dump

xa6 · 02-07-2024, 09:41 AM

sqlmap is unintended afaik

dhzzz · 02-07-2024, 04:10 PM

6' AND CASE WHEN gamedesc LIKE 'HTB{%}' THEN 1 ELSE load_extension(1) END -- -

I dumped the flag with this sqli but its not case sensitive, REGEXP and COLLATE doens't seems to work...

Steward · 02-08-2024, 06:54 PM

(02-07-2024, 04:10 PM)dhzzz Wrote: 6' AND CASE WHEN gamedesc LIKE 'HTB{%}' THEN 1 ELSE load_extension(1) END -- -

I dumped the flag with this sqli but its not case sensitive, REGEXP and COLLATE doens't seems to work...

how could you dump anything with the request that contains quote?
you should get response "SQL Injection attempt identified and prevented by WAF!" because your request contains '

dhzzz · 02-09-2024, 05:17 PM

(02-08-2024, 06:54 PM)Steward Wrote:
(02-07-2024, 04:10 PM)dhzzz Wrote: 6' AND CASE WHEN gamedesc LIKE 'HTB{%}' THEN 1 ELSE load_extension(1) END -- -

I dumped the flag with this sqli but its not case sensitive, REGEXP and COLLATE doens't seems to work...

how could you dump anything with the request that contains quote?
you should get response "SQL Injection attempt identified and prevented by WAF!" because your request contains '

Transfer-Encoding: chunked

isac37M · 02-09-2024, 08:48 PM

(02-09-2024, 05:17 PM)dhzzz Wrote:
(02-08-2024, 06:54 PM)Steward Wrote:
(02-07-2024, 04:10 PM)dhzzz Wrote: 6' AND CASE WHEN gamedesc LIKE 'HTB{%}' THEN 1 ELSE load_extension(1) END -- -

I dumped the flag with this sqli but its not case sensitive, REGEXP and COLLATE doens't seems to work...

how could you dump anything with the request that contains quote?
you should get response "SQL Injection attempt identified and prevented by WAF!" because your request contains '

Transfer-Encoding: chunked

It's giving me internal server error. Any idea?

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	360	88,710	03-28-2026, 09:28 AM Last Post: catsweet
	[FREE] HTB-ProLabs APTLABS Just Flags	kewlsunny	23	2,348	03-28-2026, 03:30 AM Last Post: lulaladrow
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	87	7,490	03-27-2026, 07:22 PM Last Post: stn
	HTB Eloquia User and Root Flags - Insane Box	69646B	13	350	03-27-2026, 06:14 PM Last Post: vlxw
	HTB - ALL Challenges you Stuck in	osamy7593	2	646	03-27-2026, 04:24 PM Last Post: catsweet