A method that I discovered today in the MySQL documentation struck me with its simplicity and with the fact that I had not noticed it before. Let me describe this method of bypassing a WAF.
MySQL servers allow one to use comments of the following type:
/*!sql-code*/ and /*!12345sql-code*/
As can be seen, the SQL code inside the comment is executed in both cases! The latter construction means that "sql-code" is executed only if the DBMS version is later than the given value.
As I have repeatedly pointed out [1,2], some WAFs skip comments when searching for signatures. Among such WAFs is the latest stable build of Mod_Security (v. 2.5.9).
Here is a simple example:
$query = "SELECT name FROM table where id = ".$_GET['id']; // user input is concatenated straight into the SQL string
$result = mysql_query($query);                               // the query is executed as-is
If a web application is protected with Mod_Security, then the following request will be forbidden:
Remarkably, even the following requests (which are not valid in this example) are also blocked by the WAF (HPP/HPF techniques):
But if we use the described method with comments, Mod_Security lets our requests through and we are able to exploit the SQL injection:
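To show where the blind spot lies, here is an added Python example (not from the original post and not Mod_Security's own code) that contrasts naive comment stripping with a normaliser that unwraps MySQL's /*! ... */ and /*!NNNNN ... */ forms before signature matching. The request values and the single UNION/SELECT signature are constructed for illustration.

```python
import re

# Constructed id-parameter values as a WAF would see them (not from the original post).
SAMPLES = {
    "plain":       "1 UNION SELECT 1",
    "conditional": "1 /*!UNION*/ /*!50000SELECT*/ 1",
    "benign":      "42",
}

# A minimal signature in the spirit of a WAF rule: UNION ... SELECT.
SIGNATURE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)


def strip_all_comments(value):
    """Naive normalisation: drop every /* ... */ comment, including the
    MySQL /*! ... */ form that the server actually executes."""
    return re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)


def normalize_mysql(value):
    """Defensive normalisation: unwrap /*! ... */ and /*!NNNNN ... */ so the
    executable SQL survives, then drop ordinary comments and collapse spaces."""
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.DOTALL)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    return re.sub(r"\s+", " ", value).strip()


def matches(value, normalizer):
    """True if the signature fires on the normalised value."""
    return bool(SIGNATURE.search(normalizer(value)))


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "naive:", matches(value, strip_all_comments),
              "mysql-aware:", matches(value, normalize_mysql))
```

With naive stripping the conditional-comment request is invisible to the signature, while the MySQL-aware normaliser reduces it to the same text as the plain request.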
Well, one more method to our arsenal :-)