Error based SQL Injection with WAF bypass manual Exploit 100%
Hey folks,
Back again with SQL injection WAF bypass write-up, I’m gonna share what methodology I used to bypass the WAF block.
This is an old bug bounty program at h1 like my previous write-up about reading robots.txt
The difference here is this is a collaboration with my Best Hacker @0x__4m We had great time together and reported it at his h1 account, Looking forward to Hunt together again
Hands On
Don’t be surprised when you hear that this finding at the main domain of old program, Different here is we don’t use Scanners like Accunitx and SQLmap and other “Spray and Pray” Payloads, Because the program was a Pentest project one day and they used this tools before for sure!
Picking Function
So after good recon you should play around the functions so for sure the first function you can take a look is the sign in So I got my coffee and was ready to Break it
lets Play around some functions that send queries to the Database, Login does for sure so lets take a look.
It takes my data and send it with POST request.
So I intercept the request and sent it to the repeater, Here I’m sorry that I can’t provide detailed screenshots for each step from my end cause the program applied the fix after 2 hours before the triage team! Actually I got surprised!
So now what we have here?
As a normal approach for SQL query you need to break it at first with Single quote or Double quote, Here we are doing BlackBox Pentesting so injected it with this value
email=qaramany'
Just was the last line of the request and if you look at response length As you can see we got this error at line 4173 so I just searched for this error to got more information about the Database which I'm interacting with.
Googling it so fast and got this good article from OWASP
Now We have Error based SQL Injection with MS-SQL database but Unlucky We couldn’t find any Exploit with The normal scanners like Burp scanner , Accunitx and SQLmap with high level and high risk also for long hours running it but Found nothing!
because we have here an aggressive Filter for Some Keywords like “ select” or “ order by” and this means “+select” maybe filtered in my case and returns 500 WAF Error ,After more than 50 repeater tabs, Finally I figured out how the WAF logic work and when I get block
I just start staring at the response and found my name reflected like the previous photo when I typed “qaramany” it reflected in the response so If I couldn’t exploit it with tools, No problems I just opened all my cheat sheets, WAF bypass techniques
So couldn’t inject a “select” or “order by” or “group by” I or any alternative Error-based vectors just to get the idea here you should understand my case is when you inject Queries containing mentioned expressions are usually blocked by WAFs.
As a bypass Concatenate a string using the %2b character. The %2B is the code for +
So use it with the result of specific function calls that trigger a data type conversion error on sought-after data.
We can now bypass it with some functions.
Some examples of such functions :
- SUSER_NAME()
- USER_NAME()
- PERMISSIONS()
- DB_NAME()
- FILE_NAME()
- TYPE_NAME()
- COL_NAME()
Payload :
qaramany'%2buser_name(@@version)--so this payload just got me the version of the database- qaramany : my name hahahahaha
- ‘ : single quote that trigger the error
- %2b : is the code for +
- user_name() : function calls that trigger a data type conversion error on sought-after data
Sometimes we got 500 errors so t based on the same approach Created this Payload
qaramany'%2buser_name(convert(int,(SYSTEM_USER)))--This bypassed the WAF for getting The SYSTEM_USER
Some of my other POC that I sent it is :
qaramany’%2buser_name(convert(int,(SESSION_USER))) —
qaramany’%2buser_name(UPPER(‘sql+tutorial+is+fun!’)) —
qaramany’%2buser_name(IIF(5=4,+’YES’,+’HackedBy_c0nqr0r&0x4m’)) —
qaramany’%2buser_name(convert(int,(db_name()))) —I’m finished Here ,Hope you enjoyed reading it
Thanks for Reading 3>
Don’t Forget to follow us at twitter
See You Soon
