Waffles
Description
You can take over your orders at the Waffle Kiosk. All you need is your order identifier. Can you get every waffles in the database?
https://waffles.secchallenge.crysys.hu/
- Author: Pepe
Solution
0x1 basic information
Based on the title of the challenge, we are facing some kind of WAF, however the task seems simple: Bypass the WAF, inject SQL commands, WIN. On the main page, you can enter an ID, and if you are lucky, you get your order back. Testing some general numbers, we find a valid order easily:
https://waffles.secchallenge.crysys.hu/?id=1337
0x2 exploit
I started fidgeting around with the input, but the WAF seemed to catch everything, so the idea of running some kind of tamper script using sqlmap quickly went out the window. After being stuck with this idea for a while, I started googling and came to this article.
Testing this idea with the following two URLs lead me to the conclusion, this is probably the intended way to solve this challenge:
https://waffles.secchallenge.crysys.hu/?id=1&id=1337
https://waffles.secchallenge.crysys.hu/?id=1337&id=1
Running these queries, we can clearly see, that the second (polluted) parameter is the one that actually is used in our final query. So maybe the WAF is checking the first one, and we can do anything we want with the second? Exactly. From here, we can just automate things with sqlmap and the flag is quickly dumped from the database. (Thank you Pepe for not using a time based SQLi this time).
The acquired flag is:
cd22{HIDDEN}