SQL Injection Filter Evasion Part 1

In this tutorial I will explain you some of the basics of SQL Injection filter Evasion, This is the first part of the two of the articles I will post on SQL Injection filter evasion and bypassing,  In this post I am not gonna teach you Basics of SQL injection, I will assume that you already know them, because cmon every one talks about it, you will find tons and tons of posts on forums related to basics of SQL Injection, In this post I will talk about common methods of used by hackers and pentesters for evading IDS, IPS, WAF's such as Modsecurity, dotdefender etc.




WebApplication Firewalls:



According to webappsec "Web Application Firewall (WAF): An intermediary device, sitting between a web-clientand a web server, analyzing OSI Layer-7 messages for violations in the programmedsecurity policy. A web application firewall is used as a security device protecting theweb server from attack."

Almost all Webapplication firewalls and IDS use Signature based protection, where they are looking of common inputs such as "'Or 1=1", "Or x=x" etc. But in my opinion webapplication firewalls are only good for detecting automated tools and script kiddies. However if the tool you are using for attacking a SQL Injection vulnerable database is an open source such as SQLMAP, You can easily modify it to evade a webapplication firewall.

Detecting A WAF:

Before learning about bypassing the WAF, You must know how to detect a Webapplication firewall. There are numerous methods of detecting if the target website is using a Webapplication firewall.

Prompt Message:

1. If you are attacking a website and you get an error like "Hacking attempt detected" or "Page not found", you are up against a WAF.

Cookies:

The most common method of detecting a webapplication firewall is by capturing the http:// request, Lots of WAF's add their own cookie in the HTTP communication.

Here is a live brazilian website using WAF, The cookie value "WAT" shows that the target host is using a WAF:

GET /news.asp?PageId=254 HTTP/1.1Host: www.poupex.com.brUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.12)Accept: image/png,*/*;q=0.5Accept-Encoding: gzip,deflateKeep-Alive: 300Proxy-Connection: keep-aliveReferer: http://www.SomeSite.comCookie:ASPSESSIONCWKSPSVLTF=OUESYHFAPQLFMNBTKJHGQGXM;ns_af=xL9sPs2RIJMF5GhtbxSnol+xU0uSx;ns_af_.SomeSite.com_%2F_wat=KXMhOJ7DvSHNDkBAHDwMSNsFHMSFHEmSr?nmEkaen19mlrwBio1/lsrzV810C&

Dotdefender:

If you are up against a Dotdefender you will get the following error message:


Observing HTTP Response:

If you see a similar http response whenever you make a malicious http request, you are probably up against a MOD secuirty WAF.


HTTP/1.1 501 Method Not ImplementedDate: Fri, 27 Jun 2008 23:30:54 GMTAllow: TRACEContent-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1http://ws.


WEBAPPLICATION Firewall Evasion:



There are tons and tone of methods to evade a webapplication firewall, Here is some of them:

1. Comments.
2. Changing Cases.
3. Encoding.

And much more.

Example of a sample IDS and WAF Signature:

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection attempt detected, Your IP has been logged”;
flow: to_server, established; content: “' or 1=1 --”; nocase; sid: 1; rev:1;


The above signature is telling WAF that if the attackers inputs the following content into the webpage "' OR 1=1" display the message "SQL Injection attempt detected, Your IP has been logged".


Bypassing The Signature:


Such poorly written signatures can be easily bypassed.  Think for a second what if the attacker inputs ' OR 2=2, Isn't 2=2, How about OR 3=3 and so on. So such poorly written signatures are good for nothing.  You can also add comments in order to bypass more complex signatures, e.g OR 2/**/=/**/2.

Comments:

Comments are one of the most easiest ways to defeat a WAF, As lots of signatures are not looking for the comments they are just looking for the malicious keywords.

Union statement against a WAF without comments:

www.site.com/a.php?id=123 union select 1,2,3,4,5-- BLOCKED

Union statement against a WAF with comments:

www.site.com/a.php?id=123 union/*We are bypassing the WAF*/select/*Rafay Hacking Artcles*/1,2,3,4,5-- ALLOWED


Changing Cases:

Some WAF's don't have any rule or signatures to detect upper cases, Here are some examples of a union statement with Uppercase.

uNiOn aLl sElEcT 
UnIoN aLL SELECT

You can combine uppercase statements with comments for more better results:
www.site.com/a.php?id=123 uNiOn All sEleCt/*We are bypassing the WAF*/select/*Rafay Hacking Artcles*/1,2,3,4,5--

Well I hope you have liked this post, In this post we talked about detecting a WAF and some basic techniques on evading a webapplication firewall, However in the next post we will look at some more advanced techniques such as encoding, whitespaces etc to bypass a webapplication firewall.