In this tutorial I will explain you some of the basics of SQL Injection
filter Evasion, This is the first part of the two of the articles I will
post on SQL Injection filter evasion and bypassing, In this post I am not
gonna teach you Basics of SQL injection, I will assume that you already
know them, because cmon every one talks about it, you will find tons and
tons of posts on forums related to basics of SQL Injection, In this post I
will talk about common methods of used by hackers and pentesters for
evading IDS, IPS, WAF's such as Modsecurity, dotdefender etc.
WebApplication Firewalls:
According to webappsec "Web Application Firewall (WAF): An intermediary
device, sitting between a web-clientand a web server, analyzing OSI Layer-7
messages for violations in the programmedsecurity policy. A web application
firewall is used as a security device protecting theweb server from attack."
Almost all Webapplication firewalls and IDS use Signature based protection,
where they are looking of common inputs such as "'Or 1=1", "Or x=x" etc.
But in my opinion webapplication firewalls are only good for detecting
automated tools and script kiddies. However if the tool you are using for
attacking a SQL Injection vulnerable database is an open source such as
SQLMAP, You can easily modify it to evade a webapplication firewall.
Detecting A WAF:Before learning about bypassing the WAF, You must know how
to detect a Webapplication firewall. There are numerous methods of
detecting if the target website is using a Webapplication firewall.
Prompt Message:
1. If you are attacking a website and you get an error like "Hacking
attempt detected" or "Page not found", you are up against a WAF.
Cookies:
The most common method of detecting a webapplication firewall is by
capturing the http:// request, Lots of WAF's add their own cookie in the
HTTP communication.
Here is a live brazilian website using WAF, The cookie value "WAT" shows
that the target host is using a WAF:
GET /news.asp?PageId=254 HTTP/1.1Host: www.poupex.com.brUser-Agent:
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.12)Accept:
image/png,*/*;q=0.5Accept-Encoding: gzip,deflateKeep-Alive:
300Proxy-Connection: keep-aliveReferer:
http://www.SomeSite.comCookie:ASPSESSIONCWKSPSVLTF=OUESYHFAPQLFMNBTKJHGQGXM;ns_af=xL9sPs2RIJMF5GhtbxSnol+xU0uSx;ns_af_.SomeSite.com_%2F_wat=KXMhOJ7DvSHNDkBAHDwMSNsFHMSFHEmSr?nmEkaen19mlrwBio1/lsrzV810C&
Dotdefender:
If you are up against a Dotdefender you will get the following error
message:
Observing HTTP Response:
If you see a similar http response whenever you make a malicious http
request, you are probably up against a MOD secuirty WAF.
HTTP/1.1 501 Method Not ImplementedDate: Fri, 27 Jun 2008 23:30:54
GMTAllow: TRACEContent-Length: 279Connection: closeContent-Type: text/html;
charset=iso-8859-1http://ws.
WEBAPPLICATION Firewall Evasion:
There are tons and tone of methods to evade a webapplication firewall, Here
is some of them:
1. Comments.
2. Changing Cases.
3. Encoding.
And much more.
Example of a sample IDS and WAF Signature:
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "SQL Injection attempt
detected, Your IP has been logged";
flow: to_server, established; content: "' or 1=1 --"; nocase; sid: 1; rev:1;
The above signature is telling WAF that if the attackers inputs the
following content into the webpage "' OR 1=1" display the message "SQL
Injection attempt detected, Your IP has been logged".
Bypassing The Signature:
Such poorly written signatures can be easily bypassed. Think for a second
what if the attacker inputs ' OR 2=2, Isn't 2=2, How about OR 3=3 and so
on. So such poorly written signatures are good for nothing. You can also
add comments in order to bypass more complex signatures, e.g OR 2/**/=/**/2.
Comments:
Comments are one of the most easiest ways to defeat a WAF, As lots of
signatures are not looking for the comments they are just looking for the
malicious keywords.
Union statement against a WAF without comments:
www.site.com/a.php?id=123 union select 1,2,3,4,5-- BLOCKED
Union statement against a WAF with comments:
www.site.com/a.php?id=123 union/*We are bypassing the WAF*/select/*Rafay
Hacking Artcles*/1,2,3,4,5-- ALLOWED
Changing Cases:
Some WAF's don't have any rule or signatures to detect upper cases, Here
are some examples of a union statement with Uppercase.
uNiOn aLl sElEcT
UnIoN aLL SELECT
You can combine uppercase statements with comments for more better results:
www.site.com/a.php?id=123 uNiOn All sEleCt/*We are bypassing the
WAF*/select/*Rafay Hacking Artcles*/1,2,3,4,5--
Well I hope you have liked this post, In this post we talked about
detecting a WAF and some basic techniques on evading a webapplication
firewall, However in the next post we will look at some more advanced
techniques such as encoding, whitespaces etc to bypass a webapplication
firewall.
Copy from Rafay hacking articles
0 comments:
Post a Comment