 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
{Help}! Filter Evasion |
 |
 Posted: Sun Dec 20, 2009 5:37 pm |
 |
|
| Injo |
| Regular user |
 |
|
| Joined: Dec 20, 2009 |
| Posts: 7 |
|
|
|
 |
|
 |
|
hello brothers,
i am new at this board and i really interesting in the big and very big database in your minds ....
OK lets say the question:
i have an injectable site with a little bit new method for filtering
when you inject the site by this method for ex.
| Code: | | UNioN SeleCt 1,2,3,4 from admin |
or
| Code: | | Union 1,2,3,4 SeleCt from admin |
or
redirect you to the homepage so there is a filter on union select & select from & union from when putted together
how we can manipulate the server and try to inject the site without being redirected >> how to evade the filter ?
w8ing with hope to be answered thanks .... |
|
|
|
|
|
|
|
|
| Posted: Mon Dec 21, 2009 11:22 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
1. Consider HTTP Parameter Pollution tricks:
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
Though I must say, that whitepaper points mainly towards M$ dotnet (aspx) platform.
2. Try comments:
| Code: |
UNION/**/ALL/**/SELECT/**/1,2,3
UNION/*foobar*/ALL/*foobar*/SELECT/*foobar*/1,2,3
|
3. try to determine IPS/WAF type - mod_security, etc.
If filtering works via redirecting, then look for raw HTTP response - there may be explanation somewhere. If you can determine protection system, then you have choice to install it locally and study it @127.0.0.1 |
|
|
|
|
|
thnx |
|
| Posted: Mon Dec 21, 2009 2:43 pm |
|
|
| Injo |
| Regular user |
|
|
| Joined: Dec 20, 2009 |
| Posts: 7 |
|
|
|
|
|
|
|
hello waraxe,
i have started to work at the http header responses but i found nothing until now,
about trying to manipulate the state of the sql injection like using the /**/ & using all, nothing works...
but for trying to guess what is the filter i think it is not waf cause i tried to manipulate it by the common ways of bypassing waf but nothing works 
i am really interesting in your ideas and waiting for you to reply and i'll start reading the pdf you gave me ( thanks mate ) ... w8ing u |
|
|
|
|
|
|
|
|
| Posted: Mon Dec 21, 2009 7:30 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Some thoughts:
1. Anti sql injection filter may be present in database abstraction layer and it can prevent using of UNION,
comments and subselects in database queries.
So try to use subselects instead of union.
2. You can exploit sql injection without UNION and subselects, but you are limited only to the tables, originally manipulated by vulnerable query.
So it all depends of specific point of injection.
For example, if you have sql injection in login script or password retrieve script, which manipulates users table,
then you are able to get data from users table without subselects and
unions and this will bypass WAF/IPS in most cases  |
|
|
|
|
|
really nice |
|
| Posted: Mon Dec 21, 2009 9:12 pm |
|
|
| Injo |
| Regular user |
|
|
| Joined: Dec 20, 2009 |
| Posts: 7 |
|
|
|
|
|
|
|
hello bro,
nice ideas lets take it one by one:
your first idea about injecting by using subselect and if statements doesn't work cause not all servers accept this method of injection and apply it to the the database cause the if statement is not functioning....
do you have some tricks to use if the if statement doesn't work?
for the 2nd interesting idea:
how we can use this method to retrieve info's from tables that are not specified cause the flow is not in a login page or password retrieving script,
can i apply it on the simple injection that i have?
sorry for asking more than one question at a time but as you know i feel that you are an excellent database injector....
w8ing u & thanks for completing with me... |
|
|
|
|
|
|
|
|
| Posted: Tue Dec 22, 2009 10:27 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Sql injection exploitation can affect only tables, that are clearly specified before or
after injection point in query or by injection code itself.
So either you must have sql injection in query, that manipulates right tables or UNION or subselects are needed.
No more ways known to me at this time.
In many cases IF statement is not necessary, but it all varies from case to case.
I must say, that I have been able to make work many very complicated sql injection vulnerabilities, but not always.
Sometimes is better to look fot alternative attack vectors. |
|
|
|
|
|
back! |
|
| Posted: Tue Dec 22, 2009 5:07 pm |
|
|
| Injo |
| Regular user |
|
|
| Joined: Dec 20, 2009 |
| Posts: 7 |
|
|
|
|
|
|
|
hello bro,
aha that's nice thanks for the info's...
bro, i can give you a live example for the situation that i have if you want but really it's hard to put it here, what about sending it in your Pm's,or at your mail,,,
w8ing u to know how i can give u the demo version of this situation... also i can contact u on msn if you want mate to solve this hard situation...
No problem for saying no cause i know you have a lot of work .. w8ing u . |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 67
Members: 0
Total: 67
