[Honeypot] Challenge
#1
I am having some difficulties injecting the following site: http://businessbox.ml/. I am having problems getting the username and password, possibly due to a WAF. Seems like the username field can be injected but not the password field. 

Could some experienced injectors provide some insight? Much thanks!
#2
What are you getting stuck on specifically? What type of injection are you attempting? What have you tried so far? Have you used fuzzers? Manual testing? I don't mind personal army threads but some details would be helpful.
#3
(11-20-2016, 09:27 AM)SciencePower Wrote: I am having some difficulties injecting the following site: http://businessbox.ml/. I am having problems getting the username and password, possibly due to a WAF. Seems like the username field can be injected but not the password field. 

Could some experienced injectors provide some insight? Much thanks!

What makes you say it's a WAF? Is there a specific error you're getting?
It should be noted that SQL injection doesn't work on everything just because it uses PHP and MySQL.
#4
(11-21-2016, 06:17 AM)NO-OP Wrote:
(11-20-2016, 09:27 AM)SciencePower Wrote: I am having some difficulties injecting the following site: http://businessbox.ml/. I am having problems getting the username and password, possibly due to a WAF. Seems like the username field can be injected but not the password field. 

Could some experienced injectors provide some insight? Much thanks!

What makes you say it's a WAF?  Is there a specific error you're getting?
It should be noted that SQL injection doesn't work on everything just because it uses PHP and MySQL.

PHP Code:
http://businessbox.ml/auth.php?username=n00b%27%20union%20select%20version(),null,null,null,null,null--&password=crack&submit=Submit 

Do you see now? But I can't get any further than this.
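As an added illustration, not code from anyone in this thread, the following shows why a payload like the one in #4 returns a row and what stops it: a login query built by string concatenation next to the same query with bound parameters. The users table, its six columns, and the use of SQLite (with sqlite_version() standing in for MySQL's version()) are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the site's users table (assumed schema;
# six columns so the six-column UNION from the thread lines up).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, "
        "email TEXT, role TEXT, created TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES "
        "(1, 'alice', 's3cret', 'alice@example.test', 'admin', '2016-11-20')"
    )
    return conn

# The username value from post #4, with sqlite_version() in place of MySQL's version().
PAYLOAD = "n00b' union select sqlite_version(),null,null,null,null,null--"

def login_vulnerable(conn, username, password):
    # Attacker-controlled text is spliced into the SQL, so the quote closes the
    # literal, UNION appends a second SELECT, and "--" comments out the rest.
    sql = (
        "SELECT id, username, password, email, role, created FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    # Bound parameters: the driver sends the payload as a plain string value,
    # so it is compared against the username column and matches nothing.
    sql = (
        "SELECT id, username, password, email, role, created FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "crack"))  # one row, version in column 1
    print("safe:      ", login_safe(db, PAYLOAD, "crack"))        # []
    print("real login:", login_safe(db, "alice", "s3cret"))       # alice's row
```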
#5
You can use SQLMAP to check for a WAF and which WAF it is by adding this to the syntax:

Code:
--check-waf

Then if it says it's mod security, you can use the tamper bypass script for mod security:

Code:
--tamper="modsecurityzeroversioned,modsecurityversioned"