mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
Update README.md
Add WAF bypass trick: abusing Prepared Statements
This commit is contained in:
parent
233c08b779
commit
25862cda9a
1 changed files with 10 additions and 0 deletions
|
@ -137,6 +137,16 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
|||
|
||||
## WAF bypass tricks
|
||||
|
||||
### Executing queries through Prepared Statements
|
||||
|
||||
When stacked queries are allowed, it might be possible to bypass WAFs by assigning to a variable the hex representation of the query you want to execute (by using SET), and then use the PREPARE and EXECUTE MySQL statements to ultimately execute the query. Something like this:
|
||||
|
||||
```
|
||||
0); SET @query = 0x53454c45435420534c454550283129; PREPARE stmt FROM @query; EXECUTE stmt; #
|
||||
```
|
||||
|
||||
For more information please refer to [this blog post](https://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce).
|
||||
|
||||
### Information\_schema alternatives
|
||||
|
||||
Remember that in "modern" versions of **MySQL** you can substitute _**information\_schema.tables**_ for _**mysql.innodb\_table\_stats**_ or for _**sys.x$schema\_flattened\_keys**_ or for **sys.schema\_table\_statistics**
|
||||
|
|
Loading…
Reference in a new issue