sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
WAF/IPS
Posted by: cfx_
Date: October 23, 2012 07:13AM

So there is this site that has a WAF. It's kinda different from your usual WAF and not easy to bypass. Whenever you put UNION, SELECT it returns "u n i o n" and "s e l e c t" (it adds spaces, which makes 'union' and 'select' useless). It does this only with these 2 words. I tried all kinds of bypass methods and encoding.

An example: index.php?id=-1 union select 1,2,3--

returns: -1 u n i o n s e l e c t 1,2,3--

Has anyone encountered something similar? Any ideas?

Re: WAF/IPS
Posted by: Nerder
Date: October 24, 2012 10:29AM

Try to use -1 trim(union)%a0+trim(select)+1,2,3--

Re: WAF/IPS
Posted by: cfx_
Date: October 25, 2012 02:38PM

It filters the words union, select no matter what. Even if it is something like this
"UYGEYUVFUHEWBnW$%^&YUI(**%%%select%%%%**----^^union^^-----)" it will still filter the words.

Re: WAF/IPS
Date: October 29, 2012 05:53AM

Hello,

I think you can use SQL comments. So it would be like:

index.php?id=-1 un/**/ion sel/**/ect 1,2,3--

Regards,
Piotr Bratkowski

www.fail-secure.pl

Re: WAF/IPS
Posted by: firestorm
Date: October 30, 2012 12:19AM

Interesting...!!!! Pls share the link with us... I'll love to bypass it

By the way, did u try different encoding?



Edited 1 time(s). Last edit at 10/30/2012 12:45AM by firestorm.

Re: WAF/IPS
Posted by: cfx_
Date: November 11, 2012 10:14PM

Nope, comments not working.

Re: WAF/IPS
Posted by: Net_Spy
Date: December 11, 2013 07:01AM

give it a try like

UnIo<>N UnIo--n

Regards
Net_Spy
