Hi, I’m stuck on this too. Any ideas or tips please? I know how to make the WAF start answering nothing, but what next? Thx.
Sorry for bad English.
Hey there!
I thought to apply to a simple web challenge and lost a lot of time till now ahahahah
WAF, I know how to bypass it, manually.
I simply don’t get it… when the injection is correct I get no output, so how do you get the results?
EDIT: sorry, stupid question, I’ve been so blind
Hey all,
I think I’ve fallen into the same problem where I can bypass the WAF with my injection BUT I just can’t figure out how to retrieve the results from the server.
Any help would be greatly appreciated.
Finally able to complete this challenge after more than 4 weeks of working on it. If you are stuck, I will let you know a very important hint: a certain result can be obtained with ping.exe. This may give too much away so hopefully the janitors do not censor as spoiler.
Easy and cool,
The slowness is normal… It’s based on the blind technique used!
Anyone who will help me a bit? I think I have found a way to bypass the thing (pretty easily seen from the code provided) and made a custom t***** script for s***** but for some reason it does not work. I tried to use basic blind techniques, but it just won’t work. I really believe that this en****** is what everyone has been talking about. Anyone who can get on to PM? I have wasted a lot of time already.
Got the flag, it was fun.
Can someone provide a clue as to how to use THE tool to actually get a connection to the page and do its thing? Able to do it with other scripting means, but still can’t get THE tool to do it.
Hello, everybody!
I’ve been stuck in this challenge for quite a few days, I think I’m dying from overthinking.
Can anybody give me a hint?
I’ve tried everything…or so I think, I’ve put sp together with b s*** as a proxy to change the request content-type and charset as well as try a time based attack.
I’ve even put up a local mirror environment to be able to debug the code but I don’t know… I don’t know if I’m not able to bypass the WAF or maybe I’m launching the command with wrong arguments…
I have seen that it is necessary to look for it giving you different answers depending on the payload, but it gives me undefined in all the requests I made.
I even got to lateral thinking and read the description of the challenge and thought that maybe the user value was the name of the classmate (Jason)
Very tricky all… but no, WAF detects ‘as’ T_T
Thanks to all of you!
Could anybody give me some help? Thanks in advance for helping me.
I use c…l with e…e jason, I bypass the WAF but I don’t get the flag. Help please!!!
I bypassed the WAF pretty fast by testing locally on a modified script, halfway there couldn’t go to sleep… In the end I took what I learned and used the help of a tool to map it out, had to tamper with the data a bit, same as by hand.
Hi folks, what kind of SQL query string can SQL accept? Can they accept a URL-encoded string?
Hints:
- No tool is really needed, if you like scripting
- What you don’t see is really what you want to see
- I can swear to an English policeman in Italian, getting away with it
Hi all, I am pretty sure I am on the right track but am having trouble getting the tool and a script to work. Would appreciate if someone would PM me to see if I’m working in the right direction.
Edit: the tool came through right after I posted this. Good challenge, fun thinking through it.
I’m pretty sure that I have figured out how to get around the preg_match_all, but I am unable to figure out how to get any response from the server.
Can someone possibly DM me with a hint for how to do it?
Can I get a nudge on this? PM me please.
After going down a few rabbit holes I greatly simplified my approach which ended up working. I didn’t need to proxy anything or create any custom scripts. sp has all the functionality you need although I did have it read from a file I exported from b, which just made the syntax easier. Definitely don’t overcomplicate it. Play around manually first to find out how to avoid the WAF and then find the t***** script included with s***p that corresponds to your approach.
Solved this task using a custom t***** script. And, well, it took an eternity to retrieve a flag. DM me if you need help.
Used various t***** s****** with s*p which bypass WAF via P request but still user parameter is not injectable. Also I am having difficulty understanding how the resultant query would work, as the resultant syntax is not acceptable when tried locally.
(edit): bypassed WAF without t***** s******. Understand the problem now.