Basic WAF Bypassing within SQLi
WARNING:
If you have any WAF Bypass knowledge, this tutorial is too simple for you, so don't spam my thread with stuff like: This is way too simple/easy/nooby. It's mostly for lazy skids. :P
Hey all,
I have recently noticed quite a few newer users having trouble with challenges that involve WAF bypassing, so here's a tutorial/reference for bypassing basic WAFs.
What is a WAF?
WAF stands for Web Application Firewall. A WAF is put in place by the web application's administrator in an attempt to prevent attacks such as SQLi and XSS. It detects malicious requests with signature-based filters and keyword escapes defined in a list of rules. Because of this design, a WAF can often be bypassed simply by obfuscating the exploit code so that it no longer matches a signature.
Methods of Bypass
There are many more ways of bypassing these than I can list here, but this is a basic overview of three common and easy methods to try first.
1. Comments
Comments can allow you to execute code without the WAF bothering to check it: a naive filter skips the contents of a /*! ... */ block as comment text, while MySQL executes whatever is inside that kind of version comment.
Example
Before:
Code:
http://site.com/vuln.php?id=-1 UNION SELECT 1,2,3--
After:
Code:
http://site.com/vuln.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3--
2. Capitalization of Functions
Because detections are signature-based, randomly capitalizing functions can allow them to slip under the heuristic radar.
Example
Before:
Code:
http://site.com/vuln.php?id=-1 UNION SELECT 1,2,3--
After:
Code:
http://site.com/vuln.php?id=-1 uNiOn SeLeCt 1,2,3--
3. Exploiting Escapes
Some WAFs will escape (strip out) certain keywords such as UNION, SELECT, ORDER BY, etc. This can be used to our advantage by nesting a copy of the detected word inside the same word.
Example
Before:
Code:
http://site.com/vuln.php?id=-1 UNION SELECT 1,2,3--
After:
Code:
http://site.com/vuln.php?id=-1 UNIunionON SEselectLECT 1,2,3--
Assuming the filter escapes the keywords "union" and "select", the characters left behind reassemble into UNION SELECT and our code is executed as normal.
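From the filter writer's side, the three tricks above fail for three different reasons, and the following Python script is an added example (not code from the original post) that shows each one: a literal, case-sensitive signature misses the comment and case variants; a single-pass keyword strip manufactures the attack string out of the nested variant; normalizing the input the way MySQL reads it and then rejecting (rather than rewriting) catches all three. The sample values are constructed from the post's URLs, and all function names are my own.

```python
import re

# Constructed sample values for the tutorial's `id` parameter: the three payloads the
# post shows, the plain one they derive from, and a benign value. Not captured traffic.
SAMPLES = {
    "plain":    "-1 UNION SELECT 1,2,3--",
    "comments": "-1 /*!UNION*/ /*!SELECT*/ 1,2,3--",
    "case":     "-1 uNiOn SeLeCt 1,2,3--",
    "nested":   "-1 UNIunionON SEselectLECT 1,2,3--",
    "benign":   "1",
}

# --- 1. The naive signature that methods 1 and 2 slip past -------------------------
NAIVE_SIGNATURE = re.compile(r"UNION\s+SELECT")  # literal and case-sensitive

def naive_signature_blocks(value: str) -> bool:
    """True if the raw (un-normalized) value matches the literal signature."""
    return NAIVE_SIGNATURE.search(value) is not None

# --- 2. The single-pass keyword "escape" that method 3 turns against itself ---------
KEYWORDS = ("union", "select", "order by")

def naive_strip(value: str) -> str:
    """Remove each keyword once, case-insensitively. Deleting 'union' from
    'UNIunionON' leaves 'UNION', so the sanitizer itself builds the attack string."""
    for kw in KEYWORDS:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value

def strip_to_fixpoint(value: str) -> str:
    """Repeat the removal until the value stops changing, so a keyword that
    reassembles after one pass is removed on the next instead of surviving."""
    while True:
        stripped = naive_strip(value)
        if stripped == value:
            return value
        value = stripped

# --- 3. Normalize the way the database reads the input, then match -------------------
# MySQL executes the body of a /*!...*/ version comment (optionally /*!50000 ...*/),
# so the body is kept; ordinary /*...*/ comments are dropped.
VERSIONED_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
NORMALIZED_SIGNATURE = re.compile(r"\bunion\b.*\bselect\b")

def normalize(value: str) -> str:
    """Canonical form: version-comment bodies unwrapped, other comments removed,
    whitespace collapsed, everything lower-cased."""
    value = VERSIONED_COMMENT.sub(r" \1 ", value)
    value = PLAIN_COMMENT.sub(" ", value)
    value = re.sub(r"\s+", " ", value)
    return value.strip().lower()

def normalized_detect(value: str) -> bool:
    """Signature match on the normalized form. Catches methods 1 and 2. The nested
    form (method 3) is not valid SQL until something strips it, so this alone
    returns False for it; decide() below closes that gap."""
    return NORMALIZED_SIGNATURE.search(normalize(value)) is not None

def decide(value: str) -> str:
    """Reject, never rewrite: block if the normalized value carries the signature,
    or if keyword stripping would change it at all. The second test is how
    UNIunionON reveals itself without the filter ever handing UNION to the DB."""
    normalized = normalize(value)
    if NORMALIZED_SIGNATURE.search(normalized):
        return "block"
    if strip_to_fixpoint(normalized) != normalized:
        return "block"
    return "allow"

def is_numeric_id(value: str) -> bool:
    """The check that actually fits a numeric `id`: a positive allow-list.
    Combined with a parameterized query, none of the three tricks matter."""
    return re.fullmatch(r"\d+", value) is not None

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:9} naive_block={naive_signature_blocks(value)!s:5} "
              f"naive_strip={naive_strip(value)!r:36} decide={decide(value)}")
```

Running it prints one line per sample; the interesting row is "nested", where naive_strip() returns exactly the plain UNION SELECT payload while decide() still blocks it. The keyword-based branch of decide() will also block harmless values such as "reunion", which is the general weakness of signature filtering this post exploits; for a parameter that should be a number, is_numeric_id() plus a parameterized query is the check that does not need bypass-chasing at all.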
Conclusion
I hope this tutorial will help those who want to bypass WAFs but are incapable of using Google. Enjoy!
WAF Enabled Practice Sites - Courtesy of kobez: http://www.hackforums.net/showthread.php?tid=1531462
Disclaimer: This is for education purposes only, I take no responsibility for anything done with this knowledge.