"PRO" challenge Webhacking.kr is a high-difficulty task (valued at 400 points) that involves bypassing advanced administrative filters and security configurations. It typically requires a deep understanding of PHP-based filtering session management WAF (Web Application Firewall) bypass techniques. Challenge Overview Challenge Name Core Concepts : PHP filter bypass, admin authentication, WAF evasion. Analysis & Methodology
The challenge presents a portal where administrative access is required to retrieve the flag. Directly attempting to login as
is usually blocked by a script that filters specific keywords. 1. Identifying the Filter Typically, the application uses functions like preg_match()
or custom blacklists to prevent the use of the word "admin" in GET or POST parameters. Common PHP Filter (preg_match( Use code with caution. Copied to clipboard 2. Bypassing with Double URL Encoding If the script utilizes urldecode()
the filter check, you can bypass it using double URL encoding. Single Encode right arrow %61%64%6d%69%6e (often still caught by the filter). Double Encode . The string %2561%2564%256d%2569%256e
: The browser automatically decodes the first layer (sending webhackingkr pro hot
to the server), which passes the filter because it doesn't literally say "admin." The PHP urldecode() then converts , granting access. 3. Advanced Session & Cookie Manipulation
3. Advanced Session & Cookie Manipulation
Higher-tier challenges like "PRO" often involve more than simple keyword filters.
Remote Address Replacement: Some challenges check your IP address. If the script extracts request values into internal variables, you can sometimes overwrite a variable like $REMOTE_ADDR via a custom cookie.
WAF Evasion: Using specialized tools or manual payload crafting to find inconsistencies between how a WAF and the back-end PHP interpreter parse URLs.

Final Execution
To solve this type of challenge:

Webhacking.kr write-up: old-26 - Planet DesKel
If you find a parameter that behaves differently with ' and '':
Confirm injection with time-based payloads (if sleep is blocked):
BENCHMARK(1000000,MD5('a')) (MySQL)
(SELECT count(*) FROM information_schema.columns A, information_schema.columns B)
' OR IF(ASCII(SUBSTR((SELECT flag FROM flag_table),1,1)) > 64, BENCHMARK(5000000,MD5('x')), 0) -- -
timeout detection.
Pro tip: Use --technique=T in SQLmap only after manual confirmation, then study its payloads.
You can solve this easily using the browser's Developer Console (F12 -> Console).
Look in the page source for the target string (for example "ABCDE...") and the loop that transforms the input; a line such as String.fromCharCode(user_input.charCodeAt(i) + 2) implies the offset is +2. Run this script in your console:

// 1. Paste the target string found in the source code here:
var target = "PASTE_TARGET_STRING_HERE";
// 2. Set the reverse of the offset found in the loop (e.g., if the code adds 4, put -4):
var offset = -1; // adjust this value based on the specific challenge logic
var solution = "";
for (var i = 0; i < target.length; i++) {
    // Reverse the operation
    solution += String.fromCharCode(target.charCodeAt(i) + offset);
}
console.log("The password is: " + solution);

Common WAF evasion substitutions (blocked token → alternatives):
space → /**/, %09, %0a, %0c, %0d, parentheses
or/and → ||, &&, xor, ^
= → like, in, <>, regexp
sleep → heavy queries, WAITFOR DELAY (MSSQL), pg_sleep (PostgreSQL), recursive CTEs
select/union → case variation, double encoding, SeLecT (if no case-sensitive check), or use JSON functions

Some Pro challenges don't show source code directly. But you can often leak it via:
view-source:
.phps extension
backup copies (~, .bak, .swp)
php://filter

Recruiters from top Korean tech companies (Kakao, Naver, Samsung SDS) often look at WebHackingKR rankings. While having a high overall rank is good, being able to articulate a solution to a "Pro Hot" challenge during an interview is gold.
It demonstrates: