• XSS.stack #1 – первый литературный журнал от юзеров форума

HELP: I don't know how to exploit the SQLi I found in an admin panel (contains CDF WAF)

Отслеживать
Niteks3

Niteks3

HDD-drive
Забанен
Регистрация
05.11.2018
Сообщения
48
Реакции
8
Пожалуйста, обратите внимание, что пользователь заблокирован
I've tried everything. I have information on the target machine, I've tried Cloudflare WAF bypass and alternative SQL commands. My goal is to get rid of the database. It's not possible to scrap the information because the maximum user returned is 1200, even though there are more with those words. The vulnerable search request is not XHR, i.e. the page is refreshed and php returns the data.

More details

- All the information about the Target Machine and its Structure: https://files.offshore.cat/jHIKW6UD.png

1. I tried to search “Edineide” and it searched normally, these were the results: https://files.offshore.cat/X9qqqF5L.png
2. I tried searching for just one ' (just one quotation mark), and it returned this: https://files.offshore.cat/p56pPzLs.png
3. Seeing that I was vulnerable, I tried searching “OR 1=1” and it returned the CF WAF error: https://files.offshore.cat/jWTmFc4X.png
4. I wanted to try a longer command, but the input had a limit, so I inspected the element by changing the maxLength value: https://files.offshore.cat/k2VOwhT5.png
5. When I ran the command, it again returned the CF WAF: https://files.offshore.cat/lpLJ53sW.png

Command:

(select(@x)from(select(@x:=''),
(select(1)from(information_schema.columns)
where(@x)in(@x:=concat(@x,table_name,0x3a,
column_name,0x3c62723e))))a)

6. I tried to code my command to bypass the CF WAF, but before returning, the server checks the amount of input, where the maximum is 50. They rejected our request: https://files.offshore.cat/sdGvOZnu.png

7. I tried smaller critical commands but when they were no longer than 50 characters, they were blocked by the WAF and when I managed to get around it, it returned the usual admin page with the message “No records found in the table” (https://files.offshore.cat/nlCCmn8f.png), that sinister error screen (https://files.offshore.cat/p56pPzLs.png) or it returned all the users, but only 1200 from the database, which is the maximum that php was configured to return.

I don't know what else to do, what to test, I'm in the dark. My only goal is to get access to the machine and/or dump the database. It seems so close but at the same time so far away... It's a strong feeling of helplessness, haha
 
Эрмано сказал(а):
u tried sqlmap?
Cloudflare WAF would most likely block it.

You can try to use different headers/ User Agent with it and limit the request rate and see how that works for you. It might be a slow and tedious process but it will get you what you are looking for.

Also another way would be to write a simle python script to query the amount of results you can legitimately without triggering the WAF block, wait a certain time and query the next set. Again, a bit time consuming, but patience will get you what you are looking for, I would put that script to use on a VPS and keep it running and see how it wades. But important thing is for you to test out the limit it allows and the cool off time period before you can make that request again, so test it out on a vpn first, see how many requests you can make before it blocks that IP and once you have the right parameters, set up your script to do the job for you.

Also, I could be wrong too but just my two cents.
 
molotov477 сказал(а):
Cloudflare WAF would most likely block it.

You can try to use different headers/ User Agent with it and limit the request rate and see how that works for you. It might be a slow and tedious process but it will get you what you are looking for.

Also another way would be to write a simle python script to query the amount of results you can legitimately without triggering the WAF block, wait a certain time and query the next set. Again, a bit time consuming, but patience will get you what you are looking for, I would put that script to use on a VPS and keep it running and see how it wades. But important thing is for you to test out the limit it allows and the cool off time period before you can make that request again, so test it out on a vpn first, see how many requests you can make before it blocks that IP and once you have the right parameters, set up your script to do the job for you.

Also, I could be wrong too but just my two cents.
use tampers for waf bypass in sqlmap
 
molotov477 сказал(а):
Cloudflare WAF would most likely block it.

You can try to use different headers/ User Agent with it and limit the request rate and see how that works for you. It might be a slow and tedious process but it will get you what you are looking for.

Also another way would be to write a simle python script to query the amount of results you can legitimately without triggering the WAF block, wait a certain time and query the next set. Again, a bit time consuming, but patience will get you what you are looking for, I would put that script to use on a VPS and keep it running and see how it wades. But important thing is for you to test out the limit it allows and the cool off time period before you can make that request again, so test it out on a vpn first, see how many requests you can make before it blocks that IP and once you have the right parameters, set up your script to do the job for you.

Also, I could be wrong too but just my two cents.
yeah, but he can use --tamper or --hex etc.
 
admin


Напишите ответ...
  • Вставить:
Прикрепить файлы
Верх