A WAF (web application firewall) sits in front of a website and is meant to protect it against SQL injection and other critical vulnerabilities by filtering requests that contain known-malicious patterns or keywords. Many WAFs only do simple keyword matching, though, and can be bypassed with some of the following methods.
1. Comments
Comments let us bypass many WAF restrictions and also let us terminate the legitimate query: the injected statement runs, and whatever the application appends after the injection point is commented out. Comment sequences recognised by common SQL dialects:
-- (MySQL requires whitespace after it, which is why payloads use "-- -" or, in a URL, "--+", where the + decodes to a space); # (MySQL only); /**/ (block comment, also usable as a substitute for spaces). "//" is sometimes listed as well, but it is not a comment token in MySQL, MSSQL or PostgreSQL.
2. Case Changing
Some WAFs only match lowercase keywords, so mixing the case of the keywords can bypass them. Example (the /**/ block comments stand in for spaces, combining this with technique 1):
http://example.com/index.php?id=1/**/UnIoN/**/SeLeCt/**/1,2/*
The trailing /* opens a comment that is never closed, so the rest of the original query is ignored.
3. Inline comments
Some WAFs filter a keyword pair such as /union\sselect/ig, i.e. the two words separated by whitespace. MySQL inline (version-conditional) comments usually get past such a filter: MySQL executes the text inside /*! ... */ as SQL, while the WAF sees a comment between the two keywords and no whitespace. A stricter filter may need more separation, for instance a version number after the !, as in /*!50000UnIoN*/, or extra comments and SQL keywords placed between the two words:
id=1/*!UnIoN*/SeLeCT
Here the keyword UnIoN sits inside /*! ... */, so MySQL executes it as part of the query. This is MySQL-specific: other databases treat /*! ... */ as an ordinary comment and drop its contents.
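To make the three techniques concrete, here is an added example (my own code, not part of the original post) that runs the naive keyword rule the post describes over constructed payloads, one per technique, and then shows the check a defender actually needs: normalising the parameter the way a MySQL backend reads it before matching. The payloads, the regex and the helper names are assumptions made for illustration; the payloads are written already URL-decoded. The versioned /*!50000 ... */ payload goes slightly beyond the text to show the same normaliser handles the version-number form.

```python
import re

# Constructed payloads, one per technique from the post (assumed to target a
# MySQL backend behind a keyword-filtering WAF). Already URL-decoded.
PAYLOADS = {
    "comments":        "1/**/union/**/select/**/1,2-- -",
    "case_changing":   "1/**/UnIoN/**/SeLeCt/**/1,2/*",
    "inline_comment":  "1/*!UnIoN*/SeLeCT/**/1,2/*",
    "inline_versioned": "1/*!50000UnIoN*/SeLeCT/**/1,2-- -",
}

# A naive WAF rule of the kind the post describes: the two keywords separated
# by whitespace, matched case-insensitively (hypothetical rule, not a real WAF).
NAIVE_RULE = re.compile(r"union\s+select", re.I)


def naive_waf_blocks(value: str) -> bool:
    """Block if the raw request parameter matches the rule."""
    return NAIVE_RULE.search(value) is not None


def normalize(value: str) -> str:
    """Rewrite the parameter the way MySQL will read it before matching.

    - /*! ... */ (optionally with a version number) keeps its body, because
      MySQL executes it; the body is kept verbatim, nested comments inside it
      are not re-scanned.
    - Any other /* ... */ becomes a single space; an unterminated /* swallows
      the rest of the input, as it does in the database.
    - # and "-- " (MySQL needs whitespace after --) discard the rest.
    - Whitespace is collapsed and the result lowercased.
    """
    out = []
    i, n = 0, len(value)
    while i < n:
        if value.startswith("/*!", i):
            j = i + 3
            while j < n and value[j].isdigit():   # skip optional version number
                j += 1
            end = value.find("*/", j)
            body = value[j:end] if end != -1 else value[j:]
            out.append(" " + body + " ")
            i = n if end == -1 else end + 2
        elif value.startswith("/*", i):
            end = value.find("*/", i + 2)
            out.append(" ")
            i = n if end == -1 else end + 2     # unterminated: rest is a comment
        elif value.startswith("#", i) or (
            value.startswith("--", i) and (i + 2 == n or value[i + 2].isspace())
        ):
            break                               # line comment: DB ignores the rest
        else:
            out.append(value[i])
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()


def normalized_waf_blocks(value: str) -> bool:
    """Apply the same rule, but to the normalised form of the parameter."""
    return NAIVE_RULE.search(normalize(value)) is not None


def evaluate(payloads=PAYLOADS):
    """Return {name: (blocked_by_naive_rule, blocked_after_normalising)}."""
    return {name: (naive_waf_blocks(p), normalized_waf_blocks(p))
            for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (naive, normalised) in evaluate().items():
        print(f"{name:17s} naive={naive!s:5s} normalised={normalised}")
    print("benign '42':", evaluate({"benign": "42"})["benign"])
```

Every obfuscated payload slips past the raw-string rule and is caught once the parameter is normalised to what the database executes; the plain form "1 union select 1,2" is caught either way and a benign value such as "42" is blocked by neither. The lesson for the defending side is that a keyword filter is only as good as the canonicalisation applied before it, and that canonicalisation has to follow the target DBMS's own comment rules.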
Last words
These are the most commonly used methods and they work against most simple keyword filters. There are more, but I won't discuss them here.