Webhackingkr Pro Fix

Dec 27, 2014 • Guilherme Lampert


Title: The Corrupted Ledger

Context: You're a junior security analyst at a shady offshore data brokerage. One night, an automated alert flags a broken internal tool: "Legacy Payment Fixer." The dev who built it vanished. Your boss slides a sticky note across the table: "Fix the pro interface. Now."

You open the link. A barebones HTML page stares back:
Enter payment ID: [input box] [Fix It] button.

You try 1. Response: Fixed: 1 → 1 (boring).
You try '. Response: error near ''1''' – classic SQL error. The backend is doing something like UPDATE payments SET status='fixed' WHERE id='$id'.

But the challenge is called "pro fix" – meaning the fix itself is the vulnerability.

First discovery: You try 1; DROP TABLE payments; -- – error, no multi-query. MySQL with mysql_query() in PHP? That doesn't allow stacked queries. So how to exploit?

You notice the Fixed: X → Y output. After testing 1 AND 1=1, the output is Fixed: 1 → 1. With 1 AND 1=0, the output is Fixed: 1 → (empty). Aha – the second number is the result of an UPDATE … RETURNING? No, MySQL doesn't have that. But the page is echoing back the old value and the new value. So it must be doing a SELECT after the update.

You craft a payload:

1, (SELECT password FROM admin WHERE id=1)) --

The page returns: Fixed: 1 → real_admin_hash. Bingo – blind injection via the second field.

But there's a twist: The real flag isn't in the DB – it's in the fix logic. You find a second parameter hidden in a POST variable mode=debug. Adding that reveals the raw query:

UPDATE payments SET status='fixed', debug_note='fixed by user' WHERE id='$id'

The debug_note column is writable. And it gets displayed back unsanitized.

Final exploit:
id=1', debug_note=(SELECT flag FROM flag_table WHERE id=1)) --

Submit → Fixed: 1 → FLAGpro_fix_means_exploit_the_fixer

You copy the flag, close the laptop, and slide the sticky note back to your boss.
He nods. No "thank you." Just: "Patch it before morning."


Takeaway: "Pro fix" means the fix itself (the debug note feature) became the injection point. The story teaches:

  • Always sanitize all reflected fields.
  • Don't trust UPDATE queries that echo user-controlled columns.
  • Sometimes the "fix" is the flaw.
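
The takeaway above as an added example (not code from the original page or from Webhacking.kr): the story's string-built UPDATE next to a version that allow-lists the ID, binds it as a parameter, and HTML-escapes what is echoed back. Python's sqlite3 stands in for the PHP/MySQL backend; the table layout, function names and sample rows are constructed for illustration.

```python
import html
import re
import sqlite3

def make_db():
    """Constructed sample data: two pending payments, one with markup in its note."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE payments (id TEXT PRIMARY KEY, status TEXT, debug_note TEXT)")
    db.executemany("INSERT INTO payments VALUES (?, 'pending', ?)",
                   [("1", ""), ("2", "<b>legacy note</b>")])
    return db

def fix_vulnerable(db, payment_id):
    """The story's pattern: user input is pasted into the SQL text."""
    sql = ("UPDATE payments SET status='fixed', debug_note='fixed by user' "
           f"WHERE id='{payment_id}'")
    return db.execute(sql).rowcount  # number of rows the statement touched

def fix_bound(db, payment_id):
    """Same statement, but the id is bound, so it can only ever be a value."""
    cur = db.execute("UPDATE payments SET status='fixed', debug_note='fixed by user' "
                     "WHERE id=?", (payment_id,))
    return cur.rowcount

def fix_hardened(db, payment_id):
    """Allow-list the id format first (assumed: decimal integer), then bind it."""
    if not re.fullmatch(r"[0-9]{1,18}", payment_id):
        raise ValueError("payment id must be a decimal integer")
    return fix_bound(db, payment_id)

def render(db, payment_id):
    """Echo stored columns back HTML-escaped, never raw."""
    row = db.execute("SELECT id, debug_note FROM payments WHERE id=?",
                     (payment_id,)).fetchone()
    return "Fixed: {} → {}".format(*(html.escape(col) for col in row))

if __name__ == "__main__":
    probe = "1' OR '1'='1"  # constructed regression input, not from the page
    print("concatenated:", fix_vulnerable(make_db(), probe), "rows changed")
    print("bound:       ", fix_bound(make_db(), probe), "rows changed")
    print(render(make_db(), "2"))
```

With the bound statement the quote character never reaches the SQL parser as syntax, so the single-quote probe from the story matches no row instead of raising a database error.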

Title

Quick Fixes for Common webhackingkr Pro Issues

Abstract

This paper explores the techniques required to solve advanced web exploitation challenges, specifically focusing on scenarios where the user is granted the ability to "fix" or manipulate server-side logic. In platforms like Webhacking.kr, "Pro" or "Fix" themed challenges often require the attacker to analyze PHP source code, identify logical flaws, and inject specific payloads to alter control flow. This document details the methodology for Source Code Inspection, Input Validation Bypass, and Boolean Logic Exploitation.

Fix C: Parameter Padding

Blank pages often occur when a required $_GET or $_POST parameter is missing but not checked. Look at the URL pattern of working challenges. If the broken challenge typically has ?no=1 or ?idx=0 in its URL, try adding ?reset=1 or ?init=1.

Real-world example from WebHackingKR Pro (Old Challenge #8): The page goes blank if ?mode=1 is not set. The fix is simply:

https://webhacking.kr/pro/challenge8.php?mode=1

Final Verdict

| Pros | Cons |
|------|------|
| ✅ Unlocks advanced challenges | ❌ Unofficial, no support |
| ✅ Quick and free | ❌ Session resets often |
| ✅ Teaches cookie manipulation (a real pentesting skill) | ❌ May confuse absolute beginners |

Score: 8/10 for functionality.
Deducted 2 points because the need for a "fix" indicates a broken legacy system. Webhacking.kr is an excellent learning platform, but the Pro access issue remains an unnecessary hurdle. If you’re comfortable with browser dev tools, apply the fix and enjoy the challenges. If you want a seamless experience, consider newer platforms like Dreamhack.io or PortSwigger Web Security Academy instead.

Recommendation: Try the cookie fix, but don't spend more than 10 minutes on it. If it fails, move to another wargame site—your time is better spent actually hacking than fixing broken session handlers.

Solving the "PRO" Challenge: The Ultimate Webhacking.kr Fix

The PRO challenge on Webhacking.kr is widely regarded as one of the most prestigious hurdles on the platform, boasting a significant point value (400 points) and a relatively low solve count compared to the "Old" challenge series. For security enthusiasts, achieving a "fix" or solution for this level is a rite of passage into advanced web exploitation.

1. Understanding the PRO Challenge Environment

Unlike the introductory levels that focus on basic cookie manipulation or simple SQL injections, the PRO challenge typically involves a more complex interaction of vulnerabilities.

Target Vulnerability: It often revolves around sophisticated SQL Injection (SQLi) or Cross-Site Scripting (XSS) filters that require creative bypass techniques.

Modern Restrictions: Many solutions that worked on older PHP versions (like null-byte injections) are ineffective here because the platform uses updated server environments.

2. Common Obstacles and "Fixes"

When attempting to "fix" your approach to the PRO challenge, consider these common technical bottlenecks and their corresponding solutions:

A. Bypassing Strict Input Filtering

Webhacking.kr frequently uses str_replace() or regex to strip common attack strings like union, select, or