Update README.md

Add WAF bypass trick: abusing Prepared Statements
EgiX 2024-11-19 15:39:55 +01:00 committed by GitHub
parent 233c08b779
commit 25862cda9a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -137,6 +137,16 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
## WAF bypass tricks
### Executing queries through Prepared Statements
When stacked queries are allowed, it might be possible to bypass WAFs by assigning to a variable the hex representation of the query you want to execute (by using SET), and then use the PREPARE and EXECUTE MySQL statements to ultimately execute the query. Something like this:
```
0); SET @query = 0x53454c45435420534c454550283129; PREPARE stmt FROM @query; EXECUTE stmt; #
```
For more information please refer to [this blog post](https://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce).
### Information\_schema alternatives
Remember that in "modern" versions of **MySQL** you can substitute _**information\_schema.tables**_ for _**mysql.innodb\_table\_stats**_ or for _**sys.x$schema\_flattened\_keys**_ or for **sys.schema\_table\_statistics**
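Review bot: The hex literal in the `SET @query = 0x53454c45435420534c454550283129` example is opaque to the reader, and the added text never says what it runs. Please state next to the example that it decodes to `SELECT SLEEP(1)`, so the statement can be verified by reading rather than by pasting hex. The leading `0);` also assumes an injection point inside a parenthesised expression, which the paragraph does not mention; a short note that this prefix depends on the surrounding query (the case covered in the linked blog post) would avoid confusion. Minor style point: the opening fence could carry a `sql` language tag.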