In this tutorial I will explain some of the basics of SQL injection
filter evasion. This is the first of two articles I will post on SQL
injection filter evasion and bypassing. In this post I am not going to
teach you the basics of SQL injection. I will assume that you already
know them, because everyone talks about them and you will find tons of
posts on forums covering the basics of SQL injection. In this post I
will talk about common methods used by hackers and pentesters for
evading IDS, IPS and WAFs such as ModSecurity, dotDefender etc.
Web Application Firewalls:
According to webappsec, "Web Application Firewall
(WAF): An intermediary device, sitting between a web-client and a web
server, analyzing OSI Layer-7 messages for violations in the
programmed security policy. A web application firewall is used as a security device protecting the web server from attack."
Almost all web application firewalls and IDS use signature-based protection, where they look for common inputs such as "' OR 1=1", "OR x=x" etc.
But in my opinion web application firewalls are only good for detecting
automated tools and script kiddies. However, if the tool you are using
to attack a database vulnerable to SQL injection is open source, such
as sqlmap, you can easily modify it to evade a web application firewall.
Detecting A WAF:
Before learning about bypassing the WAF, you must know how to detect a web application firewall. There are numerous methods of detecting whether the target website is using a web application firewall.
Prompt Message:
If you are attacking a website and you get an error like "Hacking attempt detected" or "Page not found", you are up against a WAF.
Cookies:
The most common method of detecting a web application firewall is by capturing the HTTP request. Lots of WAFs add their own cookie to the HTTP communication.
Here is a live Brazilian website using a WAF. The cookie value "WAT" shows that the target host is using a WAF:
GET /news.asp?PageId=254 HTTP/1.1
Host: www.poupex.com.br
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.12)
Accept: image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.SomeSite.com
Cookie: ASPSESSIONCWKSPSVLTF=OUESYHFAPQLFMNBTKJHGQGXM;ns_af=xL9sPs2RIJMF5GhtbxSnol+xU0uSx;ns_af_.SomeSite.com_%2F_wat=KXMhOJ7DvSHNDkBAHDwMSNsFHMSFHEmSr?nmEkaen19mlrwBio1/lsrzV810C&
Dotdefender:
If you are up against a Dotdefender you will get the following error message:
Observing HTTP Response:
If you see a similar HTTP response whenever you make a malicious HTTP request, you are probably up against a ModSecurity WAF.
HTTP/1.1 501 Method Not Implemented
Date: Fri, 27 Jun 2008 23:30:54 GMT
Allow: TRACE
Content-Length: 279
Connection: close
Content-Type: text/html; charset=iso-8859-1
http://ws.
Web Application Firewall Evasion:
There are tons and tons of methods to evade a web application firewall. Here are some of them:
1. Comments.
2. Changing Cases.
3. Encoding.
And much more.
Example of a sample IDS and WAF Signature:
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection attempt detected, Your IP has been logged"; flow:to_server,established; content:"' or 1=1 --"; nocase; sid:1; rev:1;)
Bypassing The Signature:
Such poorly written signatures can be easily bypassed. Think for a second: what if the attacker inputs ' OR 2=2? Isn't 2=2 true as well? How about OR 3=3, and
so on? So such poorly written signatures are good for nothing. You can
also add comments in order to bypass more complex signatures, e.g. OR 2/**/=/**/2.
Comments:
Comments are one of the easiest ways to defeat a WAF, as lots of
signatures do not look for comments; they just look for
the malicious keywords.
Union statement against a WAF without comments:
www.site.com/a.php?id=123 union select 1,2,3,4,5-- BLOCKED
Union statement against a WAF with comments:
www.site.com/a.php?id=123 union/*We are bypassing the WAF*/select/*Rafay Hacking Artcles*/1,2,3,4,5-- ALLOWED
Changing Cases:
Some WAFs don't have any rules or signatures that match mixed-case keywords. Here are some examples of a union statement with mixed upper and lower case:
uNiOn aLl sElEcT
UnIoN aLL SELECT
You can combine uppercase statements with comments for better results:
www.site.com/a.php?id=123 uNiOn All sEleCt/*We are bypassing the WAF*/select/*Rafay Hacking Artcles*/1,2,3,4,5--
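Seen from the defender's side, every variant above collapses to the same statement once the input is normalized before matching. The following is an added example, not code from the original post or from any WAF product: the function names are my own, and it strips inline comments, folds case and whitespace, and flags any self-equal comparison rather than the literal 1=1.

```python
import re
from urllib.parse import unquote_plus

_COMMENT = re.compile(r"/\*.*?\*/", re.S)   # inline /* ... */ comments
_WS = re.compile(r"\s+")
# OR <x> = <x>, with optional matching single quotes around both sides
_TAUTOLOGY = re.compile(r"\bor\b\s*('?)(\w+)\1\s*=\s*\1\2\1(?!\w)")
_UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b")


def naive_signature(value):
    """Literal match used by the sample rule: content "' or 1=1 --"; nocase."""
    return "' or 1=1 --" in value.lower()


def normalize(value):
    """URL-decode, turn comments into a space, collapse whitespace, fold case."""
    value = unquote_plus(value)
    value = _COMMENT.sub(" ", value)   # the database treats /**/ as a separator
    value = _WS.sub(" ", value)
    return value.lower().strip()


def detect(value):
    """Return the names of the patterns found in the normalized value."""
    norm = normalize(value)
    hits = []
    if _UNION.search(norm):
        hits.append("union-select")
    if _TAUTOLOGY.search(norm):
        hits.append("tautology")
    return hits


if __name__ == "__main__":
    # Constructed parameter values, taken from the variants discussed above.
    samples = [
        "' or 1=1 --",
        "' OR 2=2 --",
        "' OR 2/**/=/**/2",
        "123 union/*We are bypassing the WAF*/select/*Rafay Hacking Artcles*/1,2,3,4,5--",
        "123 uNiOn aLl sElEcT 1,2,3,4,5--",
        "123",
    ]
    for s in samples:
        print(f"naive={naive_signature(s)!s:5} normalized={detect(s)} <- {s}")
```

This shows only the normalization step for the two patterns in this post; it is not a complete rule set, and the real fix for the underlying flaw is parameterized queries in the application.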
Well, I hope you have liked this post. In this post we talked about
detecting a WAF and some basic techniques for evading a web application
firewall. In the next post we will look at some more advanced
techniques, such as encoding, whitespace etc., to bypass a web application
firewall.
Source:- www.rafayhackingarticles.net