Waraxe IT Security Portal
Login or Register
July 14, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 202
Members: 0
Total: 202
Full disclosure
CVE-2024-33326
CVE-2024-33327
CVE-2024-33328
CVE-2024-33329
CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100
SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice
SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products
Novel DoS Vulnerability Affecting WebRTC Media Servers
APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8
40 vulnerabilities in Toshiba Multi-Function Printers
17 vulnerabilities in Sharp Multi-Function Printers
SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise)
SEC Consult SA-20240620-0 :: Arbitrary File Upload in edu-sharing (metaVentis GmbH)
Zip Slip meets Artifactory: A Bug Bounty Story
Backdoor.Win32.Plugx / Insecure Permissions
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> {Help}! Filter Evasion
Post new topicReply to topic View previous topic :: View next topic
{Help}! Filter Evasion
PostPosted: Sun Dec 20, 2009 5:37 pm Reply with quote
Injo
Regular user
Regular user
Joined: Dec 20, 2009
Posts: 7




hello brothers,
i am new at this board and i really interesting in the big and very big database in your minds ....
OK lets say the question:
i have an injectable site with a little bit new method for filtering
when you inject the site by this method for ex.
Code:
UNioN SeleCt 1,2,3,4 from admin

or
Code:
Union 1,2,3,4 SeleCt from admin

or
Code:
union select

redirect you to the homepage so there is a filter on union select & select from & union from when putted together
how we can manipulate the server and try to inject the site without being redirected >> how to evade the filter ?
w8ing with hope to be answered thanks ....
View user's profile Send private message
PostPosted: Mon Dec 21, 2009 11:22 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




1. Consider HTTP Parameter Pollution tricks:

http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

Though I must say, that whitepaper points mainly towards M$ dotnet (aspx) platform.

2. Try comments:

Code:

UNION/**/ALL/**/SELECT/**/1,2,3
UNION/*foobar*/ALL/*foobar*/SELECT/*foobar*/1,2,3


3. try to determine IPS/WAF type - mod_security, etc.
If filtering works via redirecting, then look for raw HTTP response - there may be explanation somewhere. If you can determine protection system, then you have choice to install it locally and study it @127.0.0.1
View user's profile Send private message Send e-mail Visit poster's website
thnx
PostPosted: Mon Dec 21, 2009 2:43 pm Reply with quote
Injo
Regular user
Regular user
Joined: Dec 20, 2009
Posts: 7




hello waraxe,
i have started to work at the http header responses but i found nothing until now,
about trying to manipulate the state of the sql injection like using the /**/ & using all, nothing works...
but for trying to guess what is the filter i think it is not waf cause i tried to manipulate it by the common ways of bypassing waf but nothing works Sad

i am really interesting in your ideas and waiting for you to reply and i'll start reading the pdf you gave me ( thanks mate ) ... w8ing u
View user's profile Send private message
PostPosted: Mon Dec 21, 2009 7:30 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Some thoughts:

1. Anti sql injection filter may be present in database abstraction layer and it can prevent using of UNION,
comments and subselects in database queries.
So try to use subselects instead of union.
2. You can exploit sql injection without UNION and subselects, but you are limited only to the tables, originally manipulated by vulnerable query.
So it all depends of specific point of injection.
For example, if you have sql injection in login script or password retrieve script, which manipulates users table,
then you are able to get data from users table without subselects and
unions and this will bypass WAF/IPS in most cases Smile
View user's profile Send private message Send e-mail Visit poster's website
really nice
PostPosted: Mon Dec 21, 2009 9:12 pm Reply with quote
Injo
Regular user
Regular user
Joined: Dec 20, 2009
Posts: 7




hello bro,
nice ideas lets take it one by one:
your first idea about injecting by using subselect and if statements doesn't work cause not all servers accept this method of injection and apply it to the the database cause the if statement is not functioning....
do you have some tricks to use if the if statement doesn't work?
for the 2nd interesting idea:
how we can use this method to retrieve info's from tables that are not specified cause the flow is not in a login page or password retrieving script,
can i apply it on the simple injection that i have?
sorry for asking more than one question at a time but as you know i feel that you are an excellent database injector....
w8ing u & thanks for completing with me... Smile
View user's profile Send private message
PostPosted: Tue Dec 22, 2009 10:27 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Sql injection exploitation can affect only tables, that are clearly specified before or
after injection point in query or by injection code itself.
So either you must have sql injection in query, that manipulates right tables or UNION or subselects are needed.
No more ways known to me at this time.
In many cases IF statement is not necessary, but it all varies from case to case.
I must say, that I have been able to make work many very complicated sql injection vulnerabilities, but not always.
Sometimes is better to look fot alternative attack vectors.
View user's profile Send private message Send e-mail Visit poster's website
back!
PostPosted: Tue Dec 22, 2009 5:07 pm Reply with quote
Injo
Regular user
Regular user
Joined: Dec 20, 2009
Posts: 7




hello bro,
aha that's nice thanks for the info's...
bro, i can give you a live example for the situation that i have if you want but really it's hard to put it here, what about sending it in your Pm's,or at your mail,,,
w8ing u to know how i can give u the demo version of this situation... also i can contact u on msn if you want mate to solve this hard situation...
No problem for saying no cause i know you have a lot of work .. w8ing u .
View user's profile Send private message
{Help}! Filter Evasion
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.126 Seconds