Fun sql injection — mod_security bypass

In this writing I would like to show you a somewhat peculiar case with which I came across testing a website.

This is an sql injection where I could bypass the “mod_security” waf.
When I start the sql injection test I realize that the website is using that waf.

We get the error when using a simple:

site/ejemplo?parameter=-1+union+selec+1,2,3,4,5,6,7+--+

Now, I’m not going to lie to you, just by encoding the payload with comments, I was able to bypass the waf filter.

site/ejemplo?parameter=-1+/*!50000union*/+/*!50000selec*/+1,2,3,4,5,6,7+--+

We can see that one of the vulnerable columns is number four.

But like all a lover of sql injections I decided not to leave it like that and try other methods, other payloads .. After many tests and failed mixed payloads.

I ended up trying this:

AND mod(29,9)+div+@a:=(concat(database(),"--","_Y000!_"))+UNION+DISTINCTROW+SELECT+1,2,3,@a,5,6,7

Now what is this all about?

we have:

"AND" = The AND operator returns a record if all conditions separated by AND are TRUE.
"mod(29,9)" = The mod function is to make a…