OK, so I showed you how to perform some basic SQLi previously, but there will be times when it starts off working and then you find yourself facing a FORBIDDEN page (403 Error) or Not Acceptable. Typically you can find the vulnerable page and find the column count, and then when you switch to the UNION SELECT statement the errors start up. This is typically due to server-side rules that are filtering out your request. This is often referred to as the Web Application Firewall or WAF, but don't worry as there are ways we can beat them. You can get pretty creative with the methods used, but for now I will show how to use comments to bypass the filters, sometimes referred to as inline comments or C comments.
Double Query
It works exactly the same as error-based injection, but the error-based query is doubled up inside a single query statement, so that we again successfully get an error message.
Determine when we should use error or double query injection.
When you switch over to UNION SELECT statements and the page then returns an error saying something like:
Case 1:
The Used Select Statements Have Different Number Of Columns.
Case 2:
Unknown column 1;
Case 3:
Nothing returns at all. And you can't find the columns on the web content.
Then you can also use error based Injection.
Error Based
By injecting a specific query (I will show you this later in the tutorial), we get an error message returned in the page.
This message actually gives us sensitive database information. That's why we call this error-based SQL injection.
########################################################
# Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Software Link : http://mods.mybb.com/download/ajax-forum-stat-v-2
# Security Risk : High
# Tested on : Linux
# Dork : inurl:ajaxfs.php
########################################################
Details
+++++++++++++++++++++++++++++++++++++++++++++
Product : PrettyPhoto Plugin
Security-Risk : Moderate
Remote-Exploit : yes
Company : RHAINFOSEC
Website : http://services.rafayhackingarticles.net
Vendor-URL : https://github.com/scaron/prettyphoto
Vendor-Status : informed
Advisory-Status : published
+++++++++++++++++++++++++++++++++++++++++++++