Beyond SQLi Obfuscate And Bypass

Beyond SQLi: Obfuscate and Bypass

|=--------------------------------------------------------------------=|

|=--------------=[ Beyond SQLi: Obfuscate and Bypass ]=---------------=|

|=-------------------------=[ 6 October 2011 ]=-----------------------=|

|=----------------------=[ By CWH Underground ]=--------------------=|

|=--------------------------------------------------------------------=|

######

Info

######

Title : Beyond SQLi: Obfuscate and Bypass

Author : "ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan"

Team : CWH Underground [http://www.exploit-db.com/author/?a=1275]

Date : 2011-10-06

##########

Contents

##########

[0x00] - Introduction

[0x01] - Filter Evasion (Mysql)

[0x01a] - Bypass Functions and Keywords Filtering

[0x01b] - Bypass Regular Expression Filtering

[0x02] - Normally Bypassing Techniques

[0x03] - Advanced Bypassing Techniques

[0x03a] - HTTP Parameter Pollution: Split and Join

[0x03b] - HTTP Parameter Contamination

[0x04] - How to protect your website

[0x05] - Conclusion

[0x06] - References

[0x07] - Greetz To

#######################

[0x00] - Introduction

#######################

Welcome readers, this paper is a long attempt at documenting advanced SQL injection we have been working on.

This papers will disclose advanced bypassing and obfuscation techniques which many of them can be used in the real CMSs and WAFs. The proposed SQL injection statements in this paper are just some ways to bypass the protection.

There are still some other techniques can be used to attacks web applications but unfortunately we cannot tell you right now, as it is kept as a 0-day attack. However, this paper aims to show that there is no completely secure system

in the real world even though you spend more than 300,000 USD on a WAF.

This paper is divided into 7 sections but only from section 0x01 to 0x03 are about technical information.

Section 0x01, we give a details of how to bypass filter including basic, function and keyword.

Section 0x02, we offer normally bypassing techniques for bypass OpenSource and Commercial WAF.

Section 0x03, we talk in-depth Advanced bypassing techniques that separate into 2 section, "HTTP Parameter Contamination".

and "HTTP Pollution: Split and Join". Section 0x04, we guide to protect your own website on the right solution.

The last, section 0x05, It's conclusion from Section 0x01-0x04.

#################################

[0x01] - Filter Evasion (Mysql)

#################################

This section will describe filter evasion behaviors based on PHP and MySQL and how to bypass the filtering. Filter Evasion is a technique used to prevent SQL injection attacks. This technique can be done by using a SQL functions and keywords filtering or regular expressions.

This means that filter evasion relies heavily upon how storing a black list or regular expression is. If the black list or regular expression does not cover every injection scenario, the web application is still vulnerable to SQL Injection attacks.

+++++++++++++++++++++++++++++++++++++++++++++++++++

[0x01a] - Bypass Functions and Keywords Filtering

+++++++++++++++++++++++++++++++++++++++++++++++++++

Functions and keywords filtering prevents web applications from being attacked by using a functions and keywords black list. If an attackers submits an injection code containing a keyword or SQL function in the black list, the injection will be unsuccessful.

However, if the attacker is able to manipulate the injection by using another keyword or function, the black list will fail to prevent the attack. In order to prevent attacks, a number of keywords and functions has to be put into the black list. However, this affects users

when the users want to submit input with a word in the black list. They will be unable to submit the input because it is being filtered by the black list. The following scenarios show cases of using functions and keywords filtering and bypassing techniques.

Keyword filer: and, or

----------------------------------------------------------------------

PHP filter code: preg_match('/(and|or)/i', $id)

THe keywords and, or are usually used as a simple test to determine whether a web application is vulnerable to SQL Injection attacks. Here is a simple bypass using &&, || instead of and, or respectively.

Filtered injection: 1 or 1 = 1 1 and 1 = 1

Bypassed injection: 1 || 1 = 1 1 && 1 = 1

----------------------------------------------------------------------

...